Forgot your password?
typodupeerror

The Black Hat Wi-Fi Exploit 129

Posted by ScuttleMonkey
from the plot-thickens dept.
Joe Barr writes to tell us that while many have heard that an Apple was exploited in order to install a rootkit at the recent BlackHat security conference, most people don't know the details of how it works. This is no mistake, it seems that the researchers who demonstrated the flaw were intentionally vague. Some theorize that this is in response to the real or perceived threat of legal action similar to the situation with previous Blackhat presenter, Michael Lynn.
This discussion has been archived. No new comments can be posted.

The Black Hat Wi-Fi Exploit

Comments Filter:
  • by tuomas_kaikkonen (843958) * on Wednesday August 09, 2006 @01:33AM (#15871767) Homepage
    Perhaps it is the exploiter who is better off with the Atheros based WLAN card? Maybe it is still possible to exploit any other WLAN card, but the attacker may benefit from using some WLAN cards over others as the attacking host platform (not the attacked target platform). Reference: http://www.ktwo.ca/security.html [www.ktwo.ca]
  • by DarkShadeChaos (954173) on Wednesday August 09, 2006 @01:43AM (#15871792)
    The current exploit was intentionally vague so that attackers would not have the upper-hand. The previous researcher mentioned was arrested for something prior to his presentation; I do not correlate the actions together.
    • by Anonymous Coward on Wednesday August 09, 2006 @02:28AM (#15871894)
      The current exploit was intentionally vague so that attackers would not have the upper-hand.

      Making the details vague, especially by not telling which card to avoid using, makes the users unable to do anything to prevent being victims. That very much GIVES the attackers the upper hand.

      Without knowledge, the users are defenseless. Heck, I have a laptop here with a built in wifi-card. So does everyone else in the office. If I knew the card was a risk, putting in a different card would make me safe. But as it is, the built in one could be safe and the one I would put in instead could be the risk. Heck, I don't even know if disabling the card through software solves anything. If the exploit really works on any OS, it doesn't sound like a software problem, but a hardware/firmware problem.

      The only thing being protected by not informing the users is the image of the manufacturer.
      • misleading eh?

        if you were aware of the (limited) details that have been released, you'd know that while the vulnerability that the presenters (Jon Ellch and David Maynor) used was vendor specific, it still worked on the macbook's internal airport card [arstechnica.com]

        The demonstration was not really intended to point out the specific problem with these mac drivers. It was more intended to highlight several industry wide problems.

        I'm not about to say that letting consumers know about these problems will help or hinde
        • Your post is very misleading. You write that "it still worked on the macbook's internal airport card" with a reference to the highly respected arstechnica.com. However, if you read the arstechnica article, all it contains is that a reader told them that the hackers claimed that it works with an airport card. So the only evidence that we actually have for this is an article claiming hearsay about an unsubstantiated claim. Bollocks to that.
          • very well, i grant you that.. if you'd done more than just read the ars technica article, you'd know what i was saying isn't [washingtonpost.com] bollocks [zdnet.com].
            More information on the demonstrators can be found here [11mercenary.net] and here [amazon.com]. Apologies for the Amazon link, but David is a hard man to pin down and i'm busy. ;)
            • Still bollocks. The articles that you quote are again just repeating the same stuff, from the same source, without any attempt of verification. It doesn't matter how many publications repeat it, all we have is an unverified claim.
      • by Aladrin (926209) on Wednesday August 09, 2006 @06:34AM (#15872373)
        Actually, you WERE told how to prevent an attack. Maybe not outright, but it was there. The original slashdot report http://it.slashdot.org/article.pl?sid=06/08/03/129 234 [slashdot.org] said that "Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network". This is enough information to secure your system. Simply tell it not to connect to any available wireless network. Only allow it to connect networks you have specified. Tada. No cash needed for this fix.

        You can throw money at me instead, if you feel the need.
        • by Anonymous Coward
          Actually the researchers explicitly mentioned that the card does not need to associate with an access point to be exploited.
          • by Anonymous Coward
            Correct. I was at the talk, and they stated that they used these settings in order to gain a remote shell and show off the exploit. The exploit could easily just drop a keysniffer or some other malicious payload which would only contact the attacker once a legitimate connection was established.
      • Making the details vague, especially by not telling which card to avoid using, makes the users unable to do anything to prevent being victims. That very much GIVES the attackers the upper hand.

        For those attackers that can replicate the exploit, yes, it does. However, in some cases, it can be considered ethical to not release the information.

        For example, I took a wireless security class led by Joshua Wright, who some may know as the creator of several wireless attack tools such as asleap and lorcon (the lat

      • Which attackers? So far the only attackers are Dave Maynor and Jon Ellch.

        And the fact that you know nothing about the exploit tells a lot.

  • by bananaendian (928499) on Wednesday August 09, 2006 @01:44AM (#15871797) Homepage Journal

    ScuttleMonkey writes to tell us that apparently the 'plot-thickens' as some guy somewhere emailed that some people are 'theorizing' alternate motives for the Blackhats keeping wraps on their so-called 'exploit' (that they tried unsuccessfully to smear a OSX security with).

    There is no new substance. This bone [slashdot.org] has been gnawed clean already. Sounds more like some people are making excuses for something...

    • by ErikTheRed (162431) on Wednesday August 09, 2006 @01:46AM (#15871802) Homepage
      Exactly. Let's see: lots of invective, mix in some conspiracy theories, and season with exactly zero facts. The article is nothing but a troll.
      • by pchan- (118053) on Wednesday August 09, 2006 @03:51AM (#15872027) Journal
        Yes, you're exactly right. There's nothing to this story at all. ...Oh wait. What's this on Bugtraq? Let me paste the headline for you:

        Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerabilities [securityfocus.com] . Look at that, a remotely exploitable security hole in the Wifi driver. Anyone using one of these things is vulnerable if they have not upgraded their Wifi drivers, regardless of OS. This was disclosed by the vendor (Intel).

        Intel PRO/Wireless Network Connection drivers are prone to multiple remote code-execution vulnerabilities.

        An attacker within range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory to execute code with kernel-level privileges.

        A successful attack can result in a complete compromise of the affected computer.


        I guess you were right. No facts, just theories.
        • by und0 (928711)
          I don't understand, in the advisor and Intel page they talk about drivers, specifically windos drivers. I've looked around but found nothing about updated firmware, so could this still be really used as a cross platform exploit?
        • Yes, you're exactly right. There's nothing to this story at all. ...Oh wait. What's this on Bugtraq? Let me paste the headline for you:

          Dude, you didn't RTFA. Nobody's denying the WiFi driver hacks exist or that vendors haven't been hideously irresponsible in their development efforts, considering the implications. That's not what TFA is about - it's an Oliver-Stone-on-Crack conspiracy ... rant (theory would be entirely too kind a word) suggesting that the presenters at BlackHat were being extorted into

    • Right now Flogging a dead Story has been modded down to -1 Troll, which seems absurd to me. He points out that the story is thin and links to a prior article which already covered this topic. Trolls make wild accusations without anything to back them up. This wasn't a troll. Wish I had moderator points.

    • Actually the plot does thicken: "NewsForge now officially in the Troll for add-hits business".
  • by Anonymous Coward
    I don't get it...

    If they really cared one way or another about seeing the issue fixed, why not show up at WWDC, meet w/ some of the Apple engineers onsite, demo the issue, and work with Apple towards a resolution?

    Why the cloak and dagger BS? "We're afraid.." Meh.

    Never-mind using a 3rd party Wifi device and not demoing the built-in hardware being exploited.. never-mind covering up the USB device w/paper for some unknown reason.. If it's so easy to do with the built-in hardware, why not do that in the demo? W
    • Re:Still fishy... (Score:1, Flamebait)

      by Ash-Fox (726320)
      Why the cloak and dagger BS? "We're afraid.." Meh.
      Because Apple love to sue people, even if they have no legal standing.
      • Re:Still fishy... (Score:2, Informative)

        by EvanED (569694)
        Flamebait? Maybe, but the [macrumors.com] parent [thecrimson.com] is [theregister.co.uk] right [theregister.co.uk]. (Especially the second to last one is egregiously bad, and Apple easily should have had to pay court costs to Something Awful.)
    • Re:Still fishy... (Score:5, Insightful)

      by thegrassyknowl (762218) on Wednesday August 09, 2006 @04:22AM (#15872087)
      And, one thing I still miss out of this.. What sharing service needs to be active? It's one thing to connect to the WiFi on a computer.. But some service has to be active for file system access.. SMB? AFP? SSH?? Given the use of 3rd party WiFi hardware, and the default config of MacOS X to have all sharing services turned off.. Does this work when a Laptop is already connected to a network? Um, what are we really looking at here? Allot of questions, with very little info..

      This is not a simple matter of exploiting a serivce. The machine might does not even need any publicly accessible services for this attack to be effective.

      We all know that wireless cards require soft firmware and drivers in the OS these days. The point is that it's possible to exploit the drivers with specially crafted packets and make the OS run arbitrary code that it thinks is the Wireless driver.

      Running code at the level of the OS brings with it full control over the machine. The OS trusts the drivers 100% on almost every system I've used. This means your newly running code can take full control of the machine, and probably even download more code, sniff on you, etc.

      It should be possible to exploit this attack even if the machine is connected to a trusted network. All you need to do is send it packets on that network (or pretend to be on that network).

      The demo might have been vague, but it still points out some serious flaws with wireless systems on modern operating systems - anyone can send you packets and the OS trusts the software processing those packets 100%...

      • Re:Still fishy... (Score:4, Interesting)

        by gnasher719 (869701) on Wednesday August 09, 2006 @05:39AM (#15872260)
        ''This is not a simple matter of exploiting a serivce. The machine might does not even need any publicly accessible services for this attack to be effective.''
        That is the claim being made, and it would be frightening if true. We have not seen any reliable evidence of this so far.

        ''We all know that wireless cards require soft firmware and drivers in the OS these days. The point is that it's possible to exploit the drivers with specially crafted packets and make the OS run arbitrary code that it thinks is the Wireless driver.''
        That is the claim that has been made. We have not seen any reliable evidence of this so far. I think it would be quite easy to own a Macintosh running MacOS X if you use an external card needing a driver, and you install your own, specially crafted driver on the machine that will do exactly what you want. We have no evidence that this works when using the preinstalled Apple driver or the manufacturer's driver for the card.

        ''Running code at the level of the OS brings with it full control over the machine. The OS trusts the drivers 100% on almost every system I've used. This means your newly running code can take full control of the machine, and probably even download more code, sniff on you, etc. ''
        May be true, but there is no evidence that you can take control of a driver as it was claimed.

        ''It should be possible to exploit this attack even if the machine is connected to a trusted network. All you need to do is send it packets on that network (or pretend to be on that network).''
        And possibly go to the machine you want to exploit first with a CD in your hand, and install your replacement drivers.

        ''The demo might have been vague, but it still points out some serious flaws with wireless systems on modern operating systems - anyone can send you packets and the OS trusts the software processing those packets 100%...''
        The demo may have been vague because it was a hoax. So far this seems much more probable to me.

    • If they really cared one way or another about seeing the issue fixed, why not show up at WWDC, meet w/ some of the Apple engineers onsite, demo the issue, and work with Apple towards a resolution?

      I saw the same presentation at DefCon (I wasn't at BlackHat), and they did mention explicitly that they had been in contact with Apple about this and were not revealing the details until Apple was able to make some headway towards a resolution. TFA fails to mention this, conveniently.
  • by FlyByPC (841016) on Wednesday August 09, 2006 @01:57AM (#15871830) Homepage
    This is BlackHat, folks. They've probably hacked the water fountains to serve Bawls instead of water -- let alone installing a rootkit on a laptop.

    Slow news day, I'd say.
  • by Anonymous Coward
    Well,

    I don't see that post as flamebait so much as a user looking for facts.

    I agree. We're still low on facts about this. More questions than answers...

    What about full disclosure? Contacting the hardware and software vendors affected?

    Cloak and Dagger BS sums it up nicely actually.....

    meh
  • dang! (Score:4, Funny)

    by DrKyle (818035) on Wednesday August 09, 2006 @02:11AM (#15871861)
    And here I thought it was the black hat wife exploit, guess I'm not gettin' any from the missus tonight!
  • Somewhere, a person is gaining unauthorised access to network or computing resources that they are not supposed to have.
    We will report further details as they happen (...happen to get cleared by our legal department, that is!)
  • what a load of crap (Score:3, Interesting)

    by Anonymous Coward on Wednesday August 09, 2006 @02:21AM (#15871879)
    The presenters clearly got paid off by apple.. in the defcon talk they were whinging about the metasploit guys being offered $80,000 to $120,000 for unreleased exploits and they weren't prepared to release the code to the emails they got offering $10, $100, $1000 for the copies of the exploit

    That's why in the video they used a "generic" wifi card when they admitted the standard apple wifi driver is broken as well

    They said they haven't released the code because "they need to check all the apple platforms that are effected" IE they are waiting for apple to deliver them a whole bunch of free hardware

    These guys were complete sell outs -- no live demonstration because they were afraid that the WIFI would be sniffed at DEFCON..... so coming to a full disclosure conference they are basically saying they don't trust disclosing to the attendees...

    In the video they call the script "bad seed" so it's probably something to do with a PRNG in the crypto somewhere (or IV)
    • I don't think this security thing has "anything" to do with Apple.

      They use an EXTERNAL wifi card, in a computer which has BUILT-IN wifi. So this card uses a DRIVER given by the manufacturer.. Chances are that the bug is in THIS driver. Chances are that THIS driver has the same bug in the windows/linux version. I suspect the classical buffer-overflow thing :) I don't believe Apple driver is able to use other cards...

      Why would someone install an EXTERNAL card on a computer which already HAS INTERNAL WIFI anyw
      • The Apple driver can make any card who's chipset is know to work.

        I've got a Sonnet PCMCIA card in my PB400Mhz who's chipset is the same as the Apple Extreme Card, when I plug it in, it's found as an AirPort card and I had nothing to install to make it work!

        Sad thing is, it's supposed to work on Windows 98/ME/2K/XP, but I did'nt manage to do so yet!
  • by JonJ (907502) <jon.jahren@gmail.com> on Wednesday August 09, 2006 @02:24AM (#15871882)
    If this exploit exists on other platforms? Like say, the free Unix-clones like FreeBSD or Linux?
  • Video of the exploit (Score:2, Informative)

    by AcgiGlyph (668545)
    For those that couldn't make it, here is a video showing the exploit. http://video.google.com/videoplay?docid=-441573595 8080028817 [google.com]
  • Michael Lynn? As long as these guys didn't decompile proprietary software and put the source code in a power point presentation, I think that there's not much of a comparison.
  • by pele_smk (839310) on Wednesday August 09, 2006 @02:46AM (#15871917)
    First hand::Ellch talked a lot about the timings and the reactions of wireless cards to certain packets, as well as the need for a less fatty and feature full tcp/ip protocol. From the talk it sounded like Maynor developed the particular exploit. Ellch talked about his tool fuzze. Ellch's goal was to fingerprint particular wireless users and the driver model they were using....(to decide what Metasploit exploit you'll use this week) If I was a wireless guru, say like some of the other thousands alive, I could make a prediction. If they don't release the exploit soon, someone else will develop an equally powerful exploit into the wild. Buffer overflow the stack..... It's too fat and does more thinking than it should. I say patience is key. Even when they do develop the patch, how many coffee shop users don't apply patches? The biggest weakness in the attack is the fact that it sounds like a proximity attack. If you're not within wireless reach to the victim, you won't be able to attack them. That's just a guess since the video demo of the attack shows the attack from across a desk and not across the office. Cantenna anyone? Wifi-shootout?
  • by Anonymous Coward
    I think the comments about Apples image are off. This was a third party card, NOT the built-in apple one. So it was probably based on a different chipset than the one Apple uses - otherwise they could just have used the built-in one.

    So, which card was it? Considering that most companies only threaten legal action, and researchers usually ignore the threats, a good guess that this is a company that is known to not only threaten. One that ISS had problems with before. In short: I bet it was a Cisco card. Not
    • oh contrare, read the previous articles more, apple cards are vulnernable to the exploit, although pressure from apple to not display it using the original cards was too much and they caved. It's a bit hard to say no to a company of which you have exploits of their hardware, and who's known for previously sueing anyone left/right/center for touching anything of theirs.
      • And all this has no other source than the word of the so-called hackers involved. There is no evidence whatsoever that they ever talked to Apple except that they claim they did. There is no evidence whatsoever that Airport is vulnerable except that they claim it is.
        • http://blog.washingtonpost.com/securityfix/2006/08 /followup_to_macbook_post.html [washingtonpost.com]

          so what if a vendor for once supplied a default driver for standard hardware with a possible exploit, surely that doesn't bring the world to an end? point.

          nothings perfect, don't expect it to be, and if it was indeed a completely bogus hack, I highly doubt they'd of been allowed to present it at the conference without prior being shown to some people in the know.
        • As a Mac user I don't trust to Symantec etc whining but I don't trust to zealot/cult level Mac people too. The wrong reaction of Mac community to every security report may have already make companies hesitate to publicly disclose their findings.

          Whoever says something about security gets blame for "snake oil", "paid by micro$oft" and other things. Even poor BBC blogger guy got shocked by the response he had from Mac users not so long ago.
        • If this were a Windows PC, everyone of you would be jumping all over this... But it's an Apple, so let's make every POSSIBLE excuse as to why the it can't be Apple's fault, that Apple is such a GREAT company...blah blah blah... I'm sure I'll be modded to Troll, but this had to be said.
      • That could very well be. Maybe that's why Maynor only pretended to stick an external card in. Let's look at the video more closely (http://news.com.com/1606-2_3-6101573.html?tag=ne . vid [com.com]). He holds up an external card, and slides it into the slot on the left side of the laptop.

        The left side of which laptop?

        Oh, the black mac book. What? What's that you say?

        The black mac book doesn't have any slot that would fit an external wireless card on the left side?

        Well what do you know, you're right (se

        • He claimed it was a USB wireless card in the Defcon talk. He was definitely lying about what exactly he used. I figure he either faked using an external card, or it was a new expresscard.

          I did see a wired gigabit expresscard at Fry's the other day. So expresscards are out already.
  • by logicnazi (169418) <logicnazi@NosPam.gmail.com> on Wednesday August 09, 2006 @02:58AM (#15871934) Homepage
    Now I'm a big fan of a policy of eventual public disclosure of exploits. The behavior of many big companies have shown that without the pressure of public knowledge of an exploit they will drag their heels about fixing the exploit. However, it is undoubtable that publicly making availible details of an exploit without giving vendors a chance to create a patch increases the number of attackers who are able to execute attacks against that vendor's customers.

    Now there are reasonable people who believe this increased danger is pretty much always offset by the benefits of public knowledge of the risk, i.e., a vulnerability you know about is sufficently less risky to justify disclosure. However it is disgustingly biased and misleading to not even acknowledge that some people and companies might reasonably believe total public disclosure harms the end customers. This is especially true when we are talking about the difference between revealing the existance of the exploit and revealing info that might enable someone to copy the exploit.

    Moreover, I didn't see the slightest evidence that it was outside pressure that caused this pair not to reveal the details. The tone of this [com.com] cnet article seems to imply they made the choice themselves to be responsible which seems totally reasonable.

    Also I don't understand who would put this pressure on them unless it is the network card manufacturer. Macs, linux and windows machines are supposedly all affected so no one company would take a PR hit relative to others. Unlike the case with the cisco vulnerability.

    Yes it's true that vendors tend to be biased toward maintaining their good name. Just like real people they tend to be biased toward the answers that help them out but this is hardly dastardly. True I think they sometimes go to far and chill free speech and harm security research but this seems fairly rare and I see no reason to believe it is happening here.
    • Those are good points, but the presentation is still highly problematic. Your conclusion is that it was their choice not to disclose details.

      That's as reasonable as any other theory, but then why do something so thoroughly confusing and potentially misleading as to prominently feature a MacBook in the video presentation but then use the 3rd-party card? Furthermore, in the video, Maynor says "Don't think, however, just because we're attacking an Apple [that] the flaw itself is in an Apple. We're actually usi
    • Also I don't understand who would put this pressure on them unless it is the network card manufacturer. Macs, linux and windows machines are supposedly all affected so no one company would take a PR hit relative to others.

      What??? I've seen a number of news articles on this, and every one of them has described it as a Mac vulnerability. Not one has mentioned that it effects Windows. (I did see one that mentioned that it also effected linux).

      This /. discussion is the first I've read that mentions that it's
  • by wolfdvh (700954) on Wednesday August 09, 2006 @03:24AM (#15871975)
    I heard the presentation when it was repeated at DefCon and what was not vague was this exploit was at the card driver level below the OS, which is why it would work against any OS. They said they chose to demonstrate it on Apple rather than Windows because they thought if they'd used Windows, people would say "Of course, it's Windows, what did you expect." so by demonstrating it on a more "secure" (Mac) OS people would realize it was not just a Windows thing. Unfortunatly, now everybody just thinks its a Mac thing.

    Bottom line, assuming the demo is not a hoax, it will work against *nix, Windows, and Mac equally.

    • by k2r (255754)
      > exploit was at the card driver level

      Yep, and we still haven't been told which card driver they installed.

      That it wasn't the one Apple provided should be obvious - they would have used the buildin Apple Wireless, then.

      k2r
      • If they found a vulnerability in a common firmware used by more than 1 manufacturer (Proxim, Atheros, whatever), they could get any model wireless card to tattoo all over the host memory using DMA. Drivers have nothing to do with it.
        The vulnerability might be OS specific in that the payload and where it needs to go to exploit the system will vary from host OS to host OS.
        • It may not be a firmware bug even, but an 802.11 _implementation_ bug that every vendor they've tried (thus far) seems to have included. Some kind of unhandled condition.
          And since nearly every wireless card out there is an ARM7 running some kind of firmware attached to a radio, all they need to do is leverage the implementation bug into a stack smashing exploit that works ON EVERY ARM EMBEDDED WIRELESS CARD. It is likely that there is a recursive function with a similar structure for multple firmwares (sinc
          • You have interesting ideas so I'll go back into my corner and take with me your wonderful phrase "to tattoo all over the host memory using DMA. "

            k2r
            • I stole the "tattoo" bit from a term used to describe how NT4.0 group policy used to work.
              Your Administrator would put registry settings in the NETLOGON share it would "tattoo" all over your host's settings, erasing whatever was there.
              You could go back in and undo the changes if you wanted to (they aren't persistant like Group Policy Objects) but it was as painful as getting "old ink" removed.
              The new GPOs are much better, they don't muck up your registry, they just overlay it. So it's like getting Henna or
              • > The new GPOs are much better, they don't muck up your registry, they just overlay it.
                > So it's like getting Henna or a press-on.

                That doesn't make GPOs sound very attractive, does it?
                Glad you don't work in marketing :)

                k2r

    • Bottom line, assuming the demo is not a hoax, it will work against *nix, Windows, and Mac equally.

      The easiest way to show that would have been to demo it on more than one platform. It would have been more work for them, but not much more. Going from OS X to Linux or BSD should be easy compared to the effort of doing the exploit the first time.

      At the moment, if the demo can be trusted, we know the exploit works against OS X with a third-party card installed. Everything else is speculation.
      • They specifically said it was exploitable on Linux and Windows. They chose Mac OS X because they said that Mac users had a "smug" attitude about security and wanted to show something like this could be done on Mac OS X as well.

        So no, it's not speculation that exploitable on other platforms, because the presenters themselves said it was, and specifically said they ultimately chose to demo it on the Apple platform for the reason stated above.

        On that note, though, I do agree that the reasoning to use a third-p
        • So no, it's not speculation that exploitable on other platforms, because the presenters themselves said it was, and specifically said they ultimately chose to demo it on the Apple platform for the reason stated above.

          Oh then it must be true!

          Until they, or someone else, demos it on Windows or Linux, it is just speculation.

          SteveM

  • The real problem (Score:3, Insightful)

    by phantomfive (622387) on Wednesday August 09, 2006 @03:41AM (#15872012) Journal
    A lot of people have posted so far saying, "It's OK that they didn't reveal the exploit, because it protects people from hackers until the fix is out." Which is probably true for the most part.

    However, these guys have given almost no information about the hack, making it impossible to protect yourself. Does your wireless card have problems? Do all wireless cards have problems? What can you do to protect yourself? Should you avoid using wireless at all? Is it a remote hack that can actually somehow enable the wireless card (through a secret back door or something)? We don't know. And by keeping these details secret, companies are hurting end users.

    It is good to let the company create a fix before the exploit is released, but it is also good to give the user enough information to defend himself.
  • Was it root (Score:3, Informative)

    by INeededALogin (771371) on Wednesday August 09, 2006 @03:52AM (#15872031) Journal
    From the presentation... it seems that he didn't have a root shell, but only a user shell on Apple. Why just play on the user's Desktop? He should of edited some serious files like /etc/shadow, /etc/password or /usr/local/etc/sudoers. He could of at least used the "say" command in the demo to have the Mac say that it had been owned by Johnny Cache. That would of been a nice touch.

    My main reason for believing that he had the logged in user's access is due to the fact that wireless is not system wide on Apple, but is started when a user logs in. If you change users(fast user switching etc...) then all your network connections drop as the wireless is restarted with the new user.
    • I will second my not root guess with evidence

      #ps -auxwwwww
      ...
      <loggedinuser> 2499 0.0 0.1 28336 568 ?? Ss 7:56PM 0:00.16 /System/Library/SystemConfiguration/EAPOLControlle r.bundle/Resources/eapolclient -i en1 -u 501 -g 501
      ...
      #ifconfig en1
      en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULT ICAST> mtu 1500
      inet6 fe80::203:93ff:feec:da27%en1 prefixlen 64 scopeid 0x5
      inet 192.168.103.57 netmask 0xffffff00 broadcast 192.168.103.255
      ether 00:03:93:ec:da:27
      media: autoselect sta

      • Actually, from the IPs listed, I'm wanting to know how you got on MY network... ;)
      • Re:Was it root (Score:1, Informative)

        by Anonymous Coward
        The exploit owns kernel since this driver runs in kernel; and owning kernel is even better than root.
      • I left my real IP above... so feel free to try an hack me:-P

        OK:

        : ping !$
        ping 192.168.103.57
        PING 192.168.103.57 (192.168.103.57): 56 data bytes
        ping: sendto: Host is down
        ping: sendto: Host is down
        ping: sendto: Host is down
        ping: sendto: Host is down
        ^C
        --- 192.168.103.57 ping statistics ---
        4 packets transmitted, 0 packets received, 100% packet loss
        :

        Hey, how can I hack your machine when it's down? ;-)

        (Musta been slashdotted ...)

    • Re:Was it root (Score:3, Informative)

      by LexNaturalis (895838)
      They discussed why your comment is completely baseless while at DefCon. This was a kernel-level (as it was driver-based) exploit so asking if they had "root" is to demonstrate a fundamental lack of knowledge of the OSI model. The driver itself is what was being exploited which is being run by the kernel. There is absolutely no root v user shell debate in this exploit.
      • They discussed why your comment is completely baseless while at DefCon.

        So discuss it at DefCon but not on Slashdot?

        This was a kernel-level (as it was driver-based)

        This is a microkernel which places lots of drivers in the user-space. I still believe it is valid to ask for a demonstration of touching something of real value on a system.

        There is absolutely no root v user shell debate in this exploit.

        Show me a demo of them doing root activities... until then I give you nothing.
        • Re:Was it root (Score:3, Interesting)

          by LexNaturalis (895838)
          You're right, it wasn't discussed on Slashdot so if you weren't at BlackHat or DefCon I suppose it's fair that you might not have heard the discussion.

          In essence, based on my understanding of the exploit and the way the 802.11 device drivers work, the shellcode exploit is actually executing in the kernel. It's executing below the point (On the OSI model) where a root v non-root account would make any difference. I'll grant that a demo of root activities would be more visual, but I believe that academicall
    • Re:Was it root (Score:3, Insightful)

      by dodobh (65811)
      A driver level exploit gives you ring 0. Who cares abot shells when you 0wn the kernel itself?
  • WHO has theorized? (Score:4, Insightful)

    by Rogerborg (306625) on Wednesday August 09, 2006 @04:38AM (#15872120) Homepage
    Some have theorized that if you don't quote your sources, then you're just full of shit.
  • Occam's razor (Score:5, Insightful)

    by gnasher719 (869701) on Wednesday August 09, 2006 @05:01AM (#15872175)
    What is more likely: (A) A vulnerability exists in at least two WiFi implementations (some external card, and Apple's internal Airport), which allows to compromise systems independent of which operating system is running, or (B) two guys who want their fifteen minutes of fame doctor a video, claiming that they can crack any Mac with WiFi within 60 seconds, conveniently being so vague that nobody can verify or refute their claim, adding in a bit of conspiracy theory (pressure from Apple) on top of it?
    • Considering that Intel released a security report for their drivers in recent times that a malicous attacker being able to have this exploit available to them, I'd say the odds are good that Occam's Razor cuts the other way. One must consider that there's another CPU running in there (or more...) doing the actual work of the WiFi device- it can be exploited too if there's a design flaw in it's firmware or in the hooks the OS uses to talk to it.

      If that's the case, there's nothing you can do to protect yours
  • From the article:

    If any laptops are compromised as a result of the cone of silence that apparently has been slapped down on this issue, their lawyers may choose to call it something other than faux disclosure. Maybe something like depraved indifference.

    I'm sorry, but I have to call bullshit on this one. The demonstration of this exploit was to bring awareness to the problem and force the companies to develop a fix. They did NOT enable anyone to perform the exploit, nor did they tell them how to do it -

  • I think a security expert needing some attention mentions Apple. I think being vague is probably motivated by some dishonesty.
  • by Ravenium (73022) on Wednesday August 09, 2006 @06:37AM (#15872379) Homepage Journal
    Without any detailed disclosure, sure, the craftiest people will determine how to perform said exploits. However, there are very, very few of these compared to the script kiddies that will show up if you hand out the source and/or a road map to every Tom, Dick, and Harry. At least they're giving Apple (and others) a chance to address the problem by pointing out that there IS a problem.

    I'm not buying the people who are upset at a lack of full disclosure because they are "unable to protect themselves". If there was a way to protect yourself, sure, perhaps you could tell people how to do it. However, judging from the presentation itself (at Defcon), there really IS no way other than mutilation of the driver itself (see the slide with the nintendo DS) to quickly defend one's system. Not only would this significantly break a lot of things, most users wouldn't know the first thing about doing it.

    The root causes as outlined in the presentation were a combination of a poorly planned and thought out protocol (802.11) and a quick-to-market rash of sloppy driver implementations, and it's going to take nothing less than at least a driver patch (or in a fantasy world, an overhaul of existing wireless protcools...802.11 lite if you will).

    So quit accusing the presenters of being motivated by greed, stupidity, or other such notions - the best way to secure users at this point is to speak with the manufacturers directly and attempt to achieve a patch, not to detail how to break in to every last miscreant on the planet. The authors are starting to do this by their dealings with Apple.

    Oh, and for those of you that missed the FAQ at the end of the presentation:

    -Yes, it affects the kernel, which means it's >= root/Administrator on any system

    -It's a driver/spec implementation issue, which means it's not an OS-specific problem. The use of an Apple machine in order to show that "any" platform is at risk was meant to illustrate this.

    -The money slide was a joke meant to show how lightly many people were taking this issue. I have no way of proving the intentions of the presenters, of course, but I believe this was the case - they stated their intention was to get this problem addressed through discussion, not money.

    All in all, easily my favorite defcon session (unless you count the shots of 151 distilled through peppers). Thanks, guys!
  • by qazwart (261667) on Wednesday August 09, 2006 @08:54AM (#15872799) Homepage
    The presenters were very specific. The security hole discovered is below the OS level and is in the drivers. Drivers are written by multiple parties and have always been a vunerable part of the system. However, before you had to be physically connected to the system to exploit a driver hack. That itself made drivers pretty secure. After all, not too many people install hard disk drivers they get in random emails. With WiFi, you no longer need a physical connection, and therefore the danger. Mac, Linux, Unix, BSD, and even (gasp!) MS-Windows are all exploitable to this hack.

    This exploit was kept underwraps to allow vendors to release security fixes before the exploit spreads to every two-bit kiddy scripter around. It doesn't make much sense releasing information on how to implement this exploit when there really isn't too much you can do to stop it. It's the reason why the presentation was done on video and not live.

    Of course, once the exploit is known to exist, it is only a matter of time before someone else finds it and implements it. I already know at least one person who is on his way to duplicate it, so the vendors better hurry up and fix the security hole. Apple and Microsoft can't take their merry ol' time fixing this one.
  • Really, look we know how to make a bomb...

    See, you take some playdough and mash it up until you have this nice grey colour, and then you poke some wires it in and add batteries.

    See? Watch this video and you'll see it go boom.

    (Show video with big explosion).

    See? We have to ban playdough as it's dangerous.

    That is about the credibility of using an add-on card to prove that there is an available exploit in a particular laptop that has built in wireless. It doesn't matter if it's true or not, they presented it i
  • Exploit was faked! (Score:1, Interesting)

    by Anonymous Coward
    In the video, David Maynor says they will be hacking a 3rd party wireless card and holds up a PCMCIA wirless card. He the procedes to "insert" this card into the left side of a black MacBook. You never actually see him put the card in the machine.

    There are no black MacBooks that have a expansion slot for 3rd party wireless cards. Let me repeat that. There are no black MacBooks that have a expansion slot for 3rd party wireless cards. The closest thing to a PCMCIA slot in the MacBook is the new ExpressCard/34
  • I was at the presentations, and the stated reason why details were omitted was that Apple was being given time to fix the problem and release a patch. This is current practice for responsible disclosure.

    The demonstration was done via a video, not live, because if it were done live the audience members would have sniffed the traffic and figured out the methodology.

    There was no mention of not disclosing because of possible prosecution or arrest.

  • http://www.technewsworld.com/story/52254.html [technewsworld.com]

    Why no attention to Microsoft's most secure OS ever getting hacked at the same conference?
  • Why is this conference still being held in the United States? To me, it would make much more sense to host it somwhere where law enforcement is less likely to hassle people.
  • --"Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network". This is enough information to secure your system. Simply tell it not to connect to any available wireless network. Only allow it to connect networks you have specified. Tada. No cash needed for this fix.-- This is wrong. The exploit is designed to attack any wireless card that is actively scanning. It does not matter if you are on a trusted or untrusted wireless network. According to the r
  • Some Crackers have been doing this for a while, (we are way behind) look within your disk formats and OpenFirmware/Mac, Bios/PC, crack once - stay forever.
    Time to start really paying attention, look for "bad boot blocks" for pre boot networking prefs.

    This guy's got a clue:

    http://www.securityfocus.com/columnists/402 [securityfocus.com]

    Check the comments too.
    Think about an intentional miconfig of your monitor settings (UNIX) now.

    Required reading:
    Reflections on Trusting Trust
    Ken Thompson

    http://www.acm.org/classics/sep95/ [acm.org]

"If there isn't a population problem, why is the government putting cancer in the cigarettes?" -- the elder Steptoe, c. 1970

Working...