An article (republished by the author here) in the Autumn 2008 issue of 2600 Magazine details a pretty serious vulnerability with Apple's dashboard widgets that could allow access to data on the user's hard drive.
Since we may access the system with user privileges, we may edit/remove/create files within the user's home directory (this includes such sensitive data as ~/.gnupg/secring.gpg [the place where the PGP private key is stored if the user uses PGP] and other such things, be creative).
The vulnerability exploits the fact that dashboard widgets are easily installed by a user and aren't generally thought of as a security threat. The problem stems from the fact that the user has to trust the widget's developer to set the proper access permissions for the widget.
The following scenario might be possible:
An attacker creates a widget which is as simple as counting down the days until the Olympic Games in China start. The widget is small and downloaded by thousands of sports enthusiasts from around the world. The widget is always opened in the Dashboard because it is so small and looks so innocent. In reality, however, the attacker has granted the widget network access, file access and system access. Periodically (e.g. every time the widget updates the days until the event starts, or every time the user opens Dashboard) the widget connects to a central or even distributed command and control server that sends new instructions to the widget, which are downloaded and stored on the filesystem (maybe in the /tmp directory with some obscure name) and executed. These instructions may contain anything, ranging from a local root exploit to really gain access to the system, to instructions that the system should forward any mail the user has received to another account, or delete the contents of the user's documents directory (see below for more ideas).
The article goes on to detail a proof of concept for the vulnerability in which a dashboard widget takes a screenshot of the active screen and uploads it to a server. But the author notes that the file could contain any type of commands.
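The scenario above hinges on the permissions a widget declares for itself in its own Info.plist, which the user never sees. The following audit script is an added example (not from the 2600 article or from Apple) and assumes the standard Dashboard widget keys AllowNetworkAccess, AllowFileAccessOutsideOfWidget, AllowSystem and AllowFullAccess and the default ~/Library/Widgets install location; the sample plist is constructed to look like the countdown widget described.

```python
from __future__ import annotations
import plistlib
from pathlib import Path

# Info.plist keys through which a Dashboard widget grants itself privileges.
# The widget author sets them; Dashboard never prompts the user about them.
RISKY_KEYS = {
    "AllowNetworkAccess": "network access",
    "AllowFileAccessOutsideOfWidget": "file access outside the widget bundle",
    "AllowSystem": "system access (widget.system(), runs shell commands)",
    "AllowFullAccess": "full access (network, file and system combined)",
}

def risky_permissions(plist_bytes: bytes) -> list[str]:
    """Return a description of every risky permission the given Info.plist enables."""
    info = plistlib.loads(plist_bytes)
    return [desc for key, desc in RISKY_KEYS.items() if info.get(key) is True]

def audit_widgets(widgets_dir: Path) -> dict[str, list[str]]:
    """Map each *.wdgt bundle in widgets_dir to its risky permissions (empty list = none)."""
    report: dict[str, list[str]] = {}
    for bundle in sorted(widgets_dir.glob("*.wdgt")):
        plist = bundle / "Info.plist"
        if plist.is_file():
            report[bundle.name] = risky_permissions(plist.read_bytes())
    return report

# Constructed sample: a harmless-looking countdown widget that quietly asks for everything.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.countdown</string>
    <key>MainHTML</key><string>countdown.html</string>
    <key>AllowNetworkAccess</key><true/>
    <key>AllowFileAccessOutsideOfWidget</key><true/>
    <key>AllowSystem</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("sample widget:", ", ".join(risky_permissions(SAMPLE_PLIST)))
    for name, perms in audit_widgets(Path.home() / "Library" / "Widgets").items():
        print(name, "->", ", ".join(perms) or "no risky permissions")
```

A widget that only needs to show a countdown has no reason to enable any of these keys; one that enables AllowSystem together with network access can do exactly what the scenario describes.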
Scary stuff, let's hope that Apple addresses this in their next round of security updates.