Re: Apple Safari on MacOSX may reveal user's saved passwords
I too appear to be having difficulty relating this to a vulnerability.
> It works for:
> the same user using ssh as is on the console;
If someone can remotely log in as you over ssh then they already have your
password (or worse, certificate!), so why would they try to obtain it from
a browser?
They already have total access to all your files, there would appear to be
nothing more to gain from this.
> the root user using ssh (or someone who can sudo) can inject
> Javascript into the console user's browser;
Are you even considering what you are saying?
Someone has *ROOT* access to your system REMOTELY over ssh and you're
worried that they might be able to retrieve a password from your keychain.
By this stage, your entire system and every file in it is pretty much
owned. It's time to consider a full reinstall with some new, stronger
authentication.
> a different non-root user on the console can do it too
Which again restricts this vunerability (as previously mentioned) to an
attacker who happens to be sitting in front of your machine(!)
It would be more interesting if there were a proper remote expoit (e.g.
website), but if the remote part means having to be connected to and
logged in as an individual on the computer, then it's not really a browser
exploit as all the damage has been done--they will already have full
access to your keychain and can examine it at as they please, along with
all your files.
--
Graham Coles
David Cantrell <d.cantrell@xxxxxxxxxxxxxxxxxxxxxxx>
15/05/2007 23:15
To
bugtraq@xxxxxxxxxxxxxxxxx
cc
Subject
Re: Apple Safari on MacOSX may reveal user's saved passwords
Injecting Javascript into a browser like this does *not* require that
the attacker be on the local console. To run Applescript while logged
inremotely using ssh, you can use the 'osascript' utility.
It works for:
the same user using ssh as is on the console;
the root user using ssh (or someone who can sudo) can inject
Javascript into the console user's browser;
a different non-root user on the console can do it too
That last one is particularly worrying, although I've not taken the time
to figure out precisely what works and what doesn't. My test was to
simply open a Terminal and 'su - foo' before using osascript, but it
might, for instance, be exploitable by a setuid application.
At first glance, Firefox doesn't seem to be vulnerable (although I'm far
from being an Applescript expert) to exactly this attack, but it does
expose at least *some* functionality to Applescript.
--
David Cantrell
The Logic Group Enterprises Limited
Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB,
UK
Registered in England. Registered No. 2609323