The Black Hat Wi-Fi Exploit

Joe Barr writes to tell us that while many have heard that an Apple was exploited in order to install a rootkit at the recent BlackHat security conference, most people don't know the details of how it works. This is no mistake; it seems that the researchers who demonstrated the flaw were intentionally vague. Some theorize that this is in response to the real or perceived threat of legal action similar to the situation with previous BlackHat presenter, Michael Lynn.

  • by tuomas_kaikkonen ( 843958 ) * on Wednesday August 09, 2006 @01:33AM (#15871767) Homepage
    Perhaps it is the exploiter who is better off with the Atheros based WLAN card? Maybe it is still possible to exploit any other WLAN card, but the attacker may benefit from using some WLAN cards over others as the attacking host platform (not the attacked target platform). Reference: http://www.ktwo.ca/security.html [www.ktwo.ca]
  • what a load of crap (Score:3, Interesting)

    by Anonymous Coward on Wednesday August 09, 2006 @02:21AM (#15871879)
    The presenters clearly got paid off by apple.. in the defcon talk they were whinging about the metasploit guys being offered $80,000 to $120,000 for unreleased exploits and they weren't prepared to release the code to the emails they got offering $10, $100, $1000 for the copies of the exploit

    That's why in the video they used a "generic" wifi card when they admitted the standard apple wifi driver is broken as well

    They said they haven't released the code because "they need to check all the Apple platforms that are affected", i.e. they are waiting for Apple to deliver them a whole bunch of free hardware

    These guys were complete sell outs -- no live demonstration because they were afraid that the WIFI would be sniffed at DEFCON..... so coming to a full disclosure conference they are basically saying they don't trust disclosing to the attendees...

    In the video they call the script "bad seed" so it's probably something to do with a PRNG in the crypto somewhere (or IV)
  • by JonJ ( 907502 ) <jon.jahren@gmail.com> on Wednesday August 09, 2006 @02:24AM (#15871882)
    Does this exploit exist on other platforms? Like, say, the free Unix clones FreeBSD or Linux?
  • by pele_smk ( 839310 ) on Wednesday August 09, 2006 @02:46AM (#15871917)
    First hand: Ellch talked a lot about the timings and the reactions of wireless cards to certain packets, as well as the need for a less fatty and feature-full TCP/IP protocol. From the talk it sounded like Maynor developed the particular exploit. Ellch talked about his tool fuzze. Ellch's goal was to fingerprint particular wireless users and the driver model they were using....(to decide what Metasploit exploit you'll use this week) If I was a wireless guru, say like some of the other thousands alive, I could make a prediction. If they don't release the exploit soon, someone else will develop an equally powerful exploit into the wild. Buffer overflow the stack..... It's too fat and does more thinking than it should. I say patience is key. Even when they do develop the patch, how many coffee shop users don't apply patches? The biggest weakness in the attack is the fact that it sounds like a proximity attack. If you're not within wireless reach of the victim, you won't be able to attack them. That's just a guess since the video demo of the attack shows the attack from across a desk and not across the office. Cantenna anyone? Wifi-shootout?
  • by wolfdvh ( 700954 ) on Wednesday August 09, 2006 @03:24AM (#15871975)
    I heard the presentation when it was repeated at DefCon and what was not vague was this: the exploit was at the card driver level below the OS, which is why it would work against any OS. They said they chose to demonstrate it on Apple rather than Windows because they thought if they'd used Windows, people would say "Of course, it's Windows, what did you expect." So by demonstrating it on a more "secure" (Mac) OS people would realize it was not just a Windows thing. Unfortunately, now everybody just thinks it's a Mac thing.

    Bottom line, assuming the demo is not a hoax, it will work against *nix, Windows, and Mac equally.

  • by pchan- ( 118053 ) on Wednesday August 09, 2006 @03:51AM (#15872027) Journal
    Yes, you're exactly right. There's nothing to this story at all. ...Oh wait. What's this on Bugtraq? Let me paste the headline for you:

    Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerabilities [securityfocus.com] . Look at that, a remotely exploitable security hole in the Wifi driver. Anyone using one of these things is vulnerable if they have not upgraded their Wifi drivers, regardless of OS. This was disclosed by the vendor (Intel).

    Intel PRO/Wireless Network Connection drivers are prone to multiple remote code-execution vulnerabilities.

    An attacker within range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory to execute code with kernel-level privileges.

    A successful attack can result in a complete compromise of the affected computer.


    I guess you were right. No facts, just theories.
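The Bugtraq entry quoted above describes the bug class without showing it: a driver that parses 802.11 management frames in kernel context and trusts a length byte supplied by whoever is in radio range. The following is an added illustration of that class, constructed for this page; it is not code from the Intel, Atheros or Apple drivers discussed in the thread, and the beacon layout, the `sta_record` struct and its `privileged` field are assumptions made so the effect of the overflow is visible. The vulnerable parser copies an SSID information element using the attacker's length byte; the hardened one checks the element against both the remaining frame and the 32-byte SSID limit before copying.

```c
/* Added example (hypothetical): an 802.11 beacon information-element parser
 * in the vulnerable form and a bounds-checked form.  Not vendor code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID          0
#define SSID_MAX         32   /* 802.11 caps the SSID at 32 bytes */
#define BEACON_FIXED_LEN 12   /* timestamp(8) + beacon interval(2) + capability(2) */

/* Assumed per-station record a driver might keep; 'privileged' stands in for
 * any field after the SSID buffer that the kernel later trusts. */
struct sta_record {
    uint8_t  ssid[SSID_MAX];
    uint8_t  ssid_len;
    uint8_t  pad[3];
    uint32_t privileged;      /* 0 = untouched */
};
_Static_assert(offsetof(struct sta_record, privileged) == 36, "unexpected layout");

typedef int (*parse_fn)(const uint8_t *, size_t, struct sta_record *);

/* Vulnerable: the IE length byte comes straight from the frame and is used as
 * the copy length into a 32-byte buffer (and the copy may also read past the
 * end of the frame).  This is the shape of bug the advisory describes. */
int parse_beacon_vulnerable(const uint8_t *frame, size_t len, struct sta_record *out)
{
    size_t pos = BEACON_FIXED_LEN;
    memset(out, 0, sizeof *out);
    if (len < BEACON_FIXED_LEN) return -1;
    while (pos + 2 <= len) {
        uint8_t id = frame[pos], ie_len = frame[pos + 1];
        const uint8_t *data = frame + pos + 2;
        if (id == IE_SSID) {
            uint8_t *dst = out->ssid;
            for (size_t i = 0; i < ie_len; i++)   /* BUG: no check against SSID_MAX */
                dst[i] = data[i];
            out->ssid_len = ie_len;
            return 0;
        }
        pos += 2 + ie_len;
    }
    return -1;
}

/* Hardened: every IE is checked against the bytes actually left in the frame,
 * and the SSID is checked against the buffer before the copy. */
int parse_beacon_hardened(const uint8_t *frame, size_t len, struct sta_record *out)
{
    size_t pos = BEACON_FIXED_LEN;
    memset(out, 0, sizeof *out);
    if (len < BEACON_FIXED_LEN) return -1;
    while (pos + 2 <= len) {
        uint8_t id = frame[pos], ie_len = frame[pos + 1];
        const uint8_t *data = frame + pos + 2;
        if (ie_len > len - pos - 2) return -1;    /* IE runs past the frame: drop it */
        if (id == IE_SSID) {
            if (ie_len > SSID_MAX) return -1;     /* over the spec limit: hostile, drop it */
            memcpy(out->ssid, data, ie_len);
            out->ssid_len = ie_len;
            return 0;
        }
        pos += 2 + ie_len;
    }
    return -1;
}

/* Constructed beacon body: 12 zeroed fixed bytes, then one SSID IE. */
size_t build_beacon(uint8_t *buf, size_t cap, const uint8_t *ssid, size_t ssid_len)
{
    if (cap < BEACON_FIXED_LEN + 2 + ssid_len) return 0;
    memset(buf, 0, BEACON_FIXED_LEN);
    buf[BEACON_FIXED_LEN] = IE_SSID;
    buf[BEACON_FIXED_LEN + 1] = (uint8_t)ssid_len;
    memcpy(buf + BEACON_FIXED_LEN + 2, ssid, ssid_len);
    return BEACON_FIXED_LEN + 2 + ssid_len;
}

struct demo_result { int rc; uint32_t privileged; };

/* Feeds a benign or hostile constructed beacon to one parser and reports the
 * parser's return code and the 'privileged' field afterwards. */
struct demo_result run_parser(parse_fn parse, int hostile)
{
    uint8_t frame[128], ssid[40];
    size_t ssid_len;
    struct sta_record rec;
    struct demo_result r;

    if (hostile) {
        memset(ssid, 'A', 36);        /* fills ssid, ssid_len and pad */
        memset(ssid + 36, 0x01, 4);   /* lands on 'privileged' */
        ssid_len = 40;                /* length byte > SSID_MAX */
    } else {
        memcpy(ssid, "coffee", 6);
        ssid_len = 6;
    }
    size_t n = build_beacon(frame, sizeof frame, ssid, ssid_len);
    r.rc = parse(frame, n, &rec);
    r.privileged = rec.privileged;
    return r;
}

int main(void)
{
    struct demo_result v = run_parser(parse_beacon_vulnerable, 1);
    struct demo_result h = run_parser(parse_beacon_hardened, 1);
    printf("vulnerable: rc=%d privileged=0x%08x\n", v.rc, v.privileged);
    printf("hardened:   rc=%d privileged=0x%08x\n", h.rc, h.privileged);
    return 0;
}
```

In a real driver the bytes past the buffer would not be a tidy flag field but whatever the kernel allocated next, which is what turns a 40-byte SSID into code execution rather than a garbled network name; the point of the hardened version is that the frame's own length byte is never the bound, the remaining frame and the destination buffer are.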
  • by Gideon Fubar ( 833343 ) on Wednesday August 09, 2006 @04:02AM (#15872049) Journal
    misleading eh?

    if you were aware of the (limited) details that have been released, you'd know that while the vulnerability that the presenters (Jon Ellch and David Maynor) used was vendor specific, it still worked on the macbook's internal airport card [arstechnica.com]

    The demonstration was not really intended to point out the specific problem with these mac drivers. It was more intended to highlight several industry wide problems.

    I'm not about to say that letting consumers know about these problems will help or hinder them in any way.. nor will pointing out any specific company. If these problems are as prevalent as Ellch and Maynor claim, virtually no amount of consumer education would solve the problem, and pointing the finger would be the security equivalent of sweeping the problem under the rug.
  • by SCPRedMage ( 838040 ) on Wednesday August 09, 2006 @05:37AM (#15872253)
    From the article:
    If any laptops are compromised as a result of the cone of silence that apparently has been slapped down on this issue, their lawyers may choose to call it something other than faux disclosure. Maybe something like depraved indifference.
    I'm sorry, but I have to call bullshit on this one. The demonstration of this exploit was to bring awareness to the problem and force the companies to develop a fix. They did NOT enable anyone to perform the exploit, nor did they tell them how to do it - in fact, that's the WHOLE POINT; show there's a problem without giving away the key to the city!

    If anyone is guilty of "depraved indifference", it's the people who've let this vulnerability remain unaddressed for so long, not the people who let the public know that they're at risk.
  • Re:Still fishy... (Score:4, Interesting)

    by gnasher719 ( 869701 ) on Wednesday August 09, 2006 @05:39AM (#15872260)
    ''This is not a simple matter of exploiting a service. The machine might not even need any publicly accessible services for this attack to be effective.''
    That is the claim being made, and it would be frightening if true. We have not seen any reliable evidence of this so far.

    ''We all know that wireless cards require soft firmware and drivers in the OS these days. The point is that it's possible to exploit the drivers with specially crafted packets and make the OS run arbitrary code that it thinks is the Wireless driver.''
    That is the claim that has been made. We have not seen any reliable evidence of this so far. I think it would be quite easy to own a Macintosh running MacOS X if you use an external card needing a driver, and you install your own, specially crafted driver on the machine that will do exactly what you want. We have no evidence that this works when using the preinstalled Apple driver or the manufacturer's driver for the card.

    ''Running code at the level of the OS brings with it full control over the machine. The OS trusts the drivers 100% on almost every system I've used. This means your newly running code can take full control of the machine, and probably even download more code, sniff on you, etc. ''
    May be true, but there is no evidence that you can take control of a driver as it was claimed.

    ''It should be possible to exploit this attack even if the machine is connected to a trusted network. All you need to do is send it packets on that network (or pretend to be on that network).''
    And possibly go to the machine you want to exploit first with a CD in your hand, and install your replacement drivers.

    ''The demo might have been vague, but it still points out some serious flaws with wireless systems on modern operating systems - anyone can send you packets and the OS trusts the software processing those packets 100%...''
    The demo may have been vague because it was a hoax. So far this seems much more probable to me.

  • Re:Was it root (Score:3, Interesting)

    by LexNaturalis ( 895838 ) on Wednesday August 09, 2006 @06:48AM (#15872403)
    You're right, it wasn't discussed on Slashdot so if you weren't at BlackHat or DefCon I suppose it's fair that you might not have heard the discussion.

    In essence, based on my understanding of the exploit and the way the 802.11 device drivers work, the shellcode exploit is actually executing in the kernel. It's executing below the point (On the OSI model) where a root v non-root account would make any difference. I'll grant that a demo of root activities would be more visual, but I believe that academically it can be said that they're neither root nor non-root. They're actually "kernel."
  • Exploit was faked! (Score:1, Interesting)

    by Anonymous Coward on Wednesday August 09, 2006 @09:33AM (#15873078)
    In the video, David Maynor says they will be hacking a 3rd party wireless card and holds up a PCMCIA wireless card. He then proceeds to "insert" this card into the left side of a black MacBook. You never actually see him put the card in the machine.

    There are no black MacBooks that have an expansion slot for 3rd party wireless cards. Let me repeat that. There are no black MacBooks that have an expansion slot for 3rd party wireless cards. The closest thing to a PCMCIA slot in the MacBook is the new ExpressCard/34 slot, which is only available on the MacBook Pro and is not available in black.

    Maynor faked the whole thing.
  • by grub ( 11606 ) <slashdot@grub.net> on Wednesday August 09, 2006 @09:36AM (#15873105) Homepage Journal

    The Atheros exploit shores up OpenBSD's [openbsd.org] stance on binary "blob" drivers perfectly. EVERY OS using these binary drivers is vulnerable. OpenBSD refused to include the blob, reverse engineered the drivers and wrote their own secure drivers.

    End result? OpenBSD is secure while most other OSs out there are at the mercy of Atheros.

  • by gnasher719 ( 869701 ) on Wednesday August 09, 2006 @09:44AM (#15873175)
    Still bollocks. The articles that you quote are again just repeating the same stuff, from the same source, without any attempt of verification. It doesn't matter how many publications repeat it, all we have is an unverified claim.
  • don't be so sure (Score:3, Interesting)

    by r00t ( 33219 ) on Wednesday August 09, 2006 @10:55AM (#15873785) Journal
    If the bug is in the firmware, you'll be the last to get a fix.

    If I can take over the card's internal CPU (probably running a tiny real-time OS) then I can use that to write anywhere in memory. I can patch any part of your kernel I like. It doesn't matter if your driver is good or not.

  • by CryBaby ( 679336 ) on Wednesday August 09, 2006 @12:16PM (#15874515)
    Those are good points, but the presentation is still highly problematic. Your conclusion is that it was their choice not to disclose details.

    That's as reasonable as any other theory, but then why do something so thoroughly confusing and potentially misleading as to prominently feature a MacBook in the video presentation but then use the 3rd-party card? Furthermore, in the video, Maynor says "Don't think, however, just because we're attacking an Apple [that] the flaw itself is in an Apple. We're actually using a 3rd-party wireless card." I don't detect any ambiguity in that statement. He's clearly stating that the flaw does *not* apply to Apple hardware and that's why he must use a 3rd-party card.

    Later he apparently said that the flaw *does* apply to Apple hardware. So which is it? There is no way to know. It is a direct contradiction.

    Furthermore, Maynor was quoted as saying something about wanting to stick a lit cigarette in the eye of Apple *users*, because he doesn't like the Mac ads(?!). This brings his motivations into question, and I think reasonably so. It's certainly not the comment of a professional researcher, whom one would hope would be above that kind of petty fanboyism.

    Anyway, I'm not defending the article here and I'm not defending Apple or claiming to have any specific knowledge about the situation. I'm just pointing out that the only words we have from Maynor himself about Apple's vulnerability to this attack is what I quoted above: that Apple hardware does not have this flaw. I think Maynor and/or his company end up looking like publicity whores with questionable credibility no matter how this ends up. Unfortunately, that only distracts people from the actual security issue at hand, whatever it may be.
  • by not_hylas( ) ( 703994 ) on Wednesday August 09, 2006 @04:26PM (#15876421) Homepage Journal
    Some Crackers have been doing this for a while, (we are way behind) look within your disk formats and OpenFirmware/Mac, Bios/PC, crack once - stay forever.
    Time to start really paying attention, look for "bad boot blocks" for pre boot networking prefs.

    This guy's got a clue:

    http://www.securityfocus.com/columnists/402 [securityfocus.com]

    Check the comments too.
    Think about an intentional misconfig of your monitor settings (UNIX) now.

    Required reading:
    Reflections on Trusting Trust
    Ken Thompson

    http://www.acm.org/classics/sep95/ [acm.org]
