BugTraq
Re: RE: Apple Safari on MacOSX may reveal user's saved passwords May 14 2007 10:35PM
poplix papuasia org (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 15 2007 10:15PM
David Cantrell (d cantrell outcometechnologies com) (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 16 2007 05:42PM
graham coles the-logic-group com (2 replies)
I too appear to be having difficulty relating this to a vulnerability.

> It works for:
> the same user using ssh as is on the console;

If someone can remotely log in as you over ssh then they already have your
password (or worse, certificate!), so why would they try to obtain it from
a browser?

They already have total access to all your files, there would appear to be
nothing more to gain from this.

> the root user using ssh (or someone who can sudo) can inject
> Javascript into the console user's browser;

Are you even considering what you are saying?

Someone has *ROOT* access to your system REMOTELY over ssh and you're
worried that they might be able to retrieve a password from your keychain.
By this stage, your entire system and every file in it is pretty much
owned. It's time to consider a full reinstall with some new, stronger
authentication.

> a different non-root user on the console can do it too

Which again restricts this vunerability (as previously mentioned) to an
attacker who happens to be sitting in front of your machine(!)

It would be more interesting if there were a proper remote expoit (e.g.
website), but if the remote part means having to be connected to and
logged in as an individual on the computer, then it's not really a browser
exploit as all the damage has been done--they will already have full
access to your keychain and can examine it at as they please, along with
all your files.

--

Graham Coles

David Cantrell <d.cantrell (at) outcometechnologies (dot) com [email concealed]>
15/05/2007 23:15

To
bugtraq (at) securityfocus (dot) com [email concealed]
cc

Subject
Re: Apple Safari on MacOSX may reveal user's saved passwords

Injecting Javascript into a browser like this does *not* require that
the attacker be on the local console. To run Applescript while logged
inremotely using ssh, you can use the 'osascript' utility.

It works for:
the same user using ssh as is on the console;
the root user using ssh (or someone who can sudo) can inject
Javascript into the console user's browser;
a different non-root user on the console can do it too

That last one is particularly worrying, although I've not taken the time
to figure out precisely what works and what doesn't. My test was to
simply open a Terminal and 'su - foo' before using osascript, but it
might, for instance, be exploitable by a setuid application.

At first glance, Firefox doesn't seem to be vulnerable (although I'm far
from being an Applescript expert) to exactly this attack, but it does
expose at least *some* functionality to Applescript.

--

David Cantrell

The Logic Group Enterprises Limited
Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, UK
Registered in England. Registered No. 2609323

[ reply ]
Re: Apple Safari on MacOSX may reveal user's saved passwords May 17 2007 11:47AM
David Cantrell (d cantrell outcometechnologies com) (2 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 17 2007 05:50PM
graham coles the-logic-group com (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 18 2007 01:23PM
poplix (poplix papuasia org) (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 18 2007 05:13PM
Kevin Finisterre (lists) (kf_lists digitalmunition com) (1 replies)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 18 2007 11:43PM
poplix (poplix papuasia org)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 17 2007 04:49PM
Mark Senior (senatorfrog gmail com)
Re: Apple Safari on MacOSX may reveal user's saved passwords May 16 2007 07:21PM
Ian Ward Comfort (icomfort rescomp stanford edu)


 

Privacy Statement
Copyright 2010, SecurityFocus