I too appear to be having difficulty relating this to a vulnerability. > It works for: > the same user using ssh as is on the console; If someone can remotely log in as you over ssh then they already have your password (or worse, certificate!), so why would they try to obtain it from a browser? They already have total access to all your files, there would appear to be nothing more to gain from this. > the root user using ssh (or someone who can sudo) can inject > Javascript into the console user's browser; Are you even considering what you are saying? Someone has *ROOT* access to your system REMOTELY over ssh and you're worried that they might be able to retrieve a password from your keychain. By this stage, your entire system and every file in it is pretty much owned. It's time to consider a full reinstall with some new, stronger authentication. > a different non-root user on the console can do it too Which again restricts this vunerability (as previously mentioned) to an attacker who happens to be sitting in front of your machine(!) It would be more interesting if there were a proper remote expoit (e.g. website), but if the remote part means having to be connected to and logged in as an individual on the computer, then it's not really a browser exploit as all the damage has been done--they will already have full access to your keychain and can examine it at as they please, along with all your files. -- Graham Coles David Cantrell <d.cantrell@xxxxxxxxxxxxxxxxxxxxxxx> 15/05/2007 23:15 To bugtraq@xxxxxxxxxxxxxxxxx cc Subject Re: Apple Safari on MacOSX may reveal user's saved passwords Injecting Javascript into a browser like this does *not* require that the attacker be on the local console. To run Applescript while logged inremotely using ssh, you can use the 'osascript' utility. It works for: the same user using ssh as is on the console; the root user using ssh (or someone who can sudo) can inject Javascript into the console user's browser; a different non-root user on the console can do it too That last one is particularly worrying, although I've not taken the time to figure out precisely what works and what doesn't. My test was to simply open a Terminal and 'su - foo' before using osascript, but it might, for instance, be exploitable by a setuid application. At first glance, Firefox doesn't seem to be vulnerable (although I'm far from being an Applescript expert) to exactly this attack, but it does expose at least *some* functionality to Applescript. -- David Cantrell The Logic Group Enterprises Limited Logic House, Waterfront Business Park, Fleet Road, Fleet, Hampshire, GU51 3SB, UK Registered in England. Registered No. 2609323
