Date: Thu, 17 May 2007 12:47:24 +0100
From: David Cantrell <d.cantrell@...cometechnologies.com>
To: graham.coles@...-logic-group.com, bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords

graham.coles@...-logic-group.com wrote:

>> It works for:
>> the same user using ssh as is on the console;
> If someone can remotely log in as you over ssh then they already have your 
> password (or worse, certificate!), so why would they try to obtain it from 
> a browser?

They can obtain other stuff that I type in the browser, such as 
passwords etc that I might use for online banking and which I don't 
store in Keychain.  Personally, I don't think that the Keychain bit is 
particularly important.

> They already have total access to all your files, there would appear to be 
> nothing more to gain from this.

Perhaps you do (in which case I recommend you stop), but I don't store 
all my information in files, and of that which I do, not all those files 
are merely protected by my standard login and password.  Some, such as 
how I authenticate to my bank, are stored in a gpg-encrypted file in 
case I ever forget.  Others, such as my gpg passphrase, live only in my 
head.  Trust me, merely logging in as me won't help anyone get at those 
data.

>>  the root user using ssh (or someone who can sudo) can inject
>>  Javascript into the console user's browser;
> Are you even considering what you are saying?

Yes.  Are you?

> Someone has *ROOT* access to your system REMOTELY over ssh and you're 
> worried that they might be able to retrieve a password from your keychain.

Yes, it would be annoying if someone rooted my laptop.  It would be a 
lot more annoying if they not only rooted my laptop but also cleaned out 
my bank account via my browser.

It *is* somewhat disturbing that root can so trivially interfere with 
the guts of someone else's processes.  Normally, root has to do a lot of 
work to do that.

>>  a different non-root user on the console can do it too
> Which again restricts this vulnerability (as previously mentioned) to an 
> attacker who happens to be sitting in front of your machine(!)

Did you read the bit where I speculated about setuid applications?

-- 
David Cantrell
