
Hacker Publishes Notorious Apple Wi-Fi Attack

Posted by Zonk
from the ponying-up dept.
inkslinger77 writes "It's been about a year since David Maynor claimed to have found a way to take over a Mac using a flaw in a Wireless driver. He's now published his work for public scrutiny. Maynor had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack, but the NDA is over now and by going public with the information, Maynor hopes to help other Apple researchers with new documentation on things like Wi-Fi debugging and the Mac OS X kernel core dumping facility."
  • by langelgjm (860756) on Wednesday September 19, 2007 @06:51AM (#20665731) Journal

    Here's a link to the actual paper [uninformed.org].

    And here's the important part:

    Getting Code Execution

    The result of this flaw is that many things beyond the Extended Rate buffer in the ieee80211_scan_entry structure are corrupted. In a traditional stack overflow, control of execution flow is obtained directly by overwriting an important value, such as the return address. The corruption caused by the "Extended Rate" bug is more complicated due to the apparent lack of adjacent control structures.

    The most promising avenue for getting execution can be found in a function named ath_copy_scan_results. This function uses the fields that are overwritten to copy memory. An attacker can control the size of the copy and the source of the copy. In addition to crashing reliably on the same data, the size of the memcpy is two bytes wide, meaning that up to 65535 bytes can be copied. Since the destination of the memcpy is a structure that ends with a function pointer, the hope is that enough data can be written outside of the destination buffer to the point where the function pointer is overwritten. In this way, the next time the function pointer is called, the caller would instead jump to whatever address is now stored in the function pointer. In other words, this represents a two-stage overwrite. The first overwrite does not provide direct code execution, but it allows an attacker to create a second overwrite that will. The Beacon packet contains a number of buffers one can use for this second-stage overwrite. Thus, an overflow in one buffer in the packet (the Extended Rate IE) allows an attacker to control how a second buffer is copied (in this case, the Robust Security Network (RSN) IE). It is the copying of the second buffer that will permit code execution.
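The defensive counterpart to the excerpt above, added here as an illustration and not code from the paper or from any wireless driver: a bounds-checked walker over the information elements of a beacon body that rejects an Extended Rates element too long for its fixed buffer, or one whose length byte runs past the frame. The struct, constant and function names are assumed; the sample beacon bodies are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative scan-entry record with a fixed rate buffer (names assumed). */
#define IE_EXT_RATES 50   /* 802.11 element ID: Extended Supported Rates */
#define MAX_RATES    15   /* capacity of the fixed buffer (assumed) */

struct scan_entry {
    uint8_t rates[MAX_RATES];
    uint8_t nrates;
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Each IE is {id, len, payload[len]}. Two checks a driver must make before
 * copying: the element lies entirely inside the frame body, and a
 * variable-length element fits its fixed destination. Unknown IDs are skipped. */
int parse_beacon_ies(struct scan_entry *e, const uint8_t *body, size_t body_len)
{
    size_t off = 0;
    e->nrates = 0;
    while (off + 2 <= body_len) {               /* need the id and length bytes */
        uint8_t id  = body[off];
        uint8_t len = body[off + 1];
        const uint8_t *payload = body + off + 2;
        if (len > body_len - off - 2)           /* element runs past the frame */
            return PARSE_TRUNCATED;
        if (id == IE_EXT_RATES) {
            if (len > MAX_RATES)                /* would overrun rates[] */
                return PARSE_TOO_LONG;
            memcpy(e->rates, payload, len);     /* bounded by both checks above */
            e->nrates = len;
        }
        off += 2 + (size_t)len;
    }
    return off == body_len ? PARSE_OK : PARSE_TRUNCATED;   /* stray trailing byte */
}

/* Constructed sample beacon bodies (not captured traffic). */
static const uint8_t good_body[] = { 0x00, 0x03, 'a', 'b', 'c',            /* SSID "abc" */
                                     IE_EXT_RATES, 0x02, 0x0c, 0x18 };     /* 6, 12 Mbit/s */
static const uint8_t long_body[] = { IE_EXT_RATES, 0x10, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
static const uint8_t cut_body[]  = { IE_EXT_RATES, 0x05, 0x0c };           /* claims 5, has 1 */

/* check_good returns the rate count (2) on success, otherwise the error code. */
int check_good(void) { struct scan_entry e; int rc = parse_beacon_ies(&e, good_body, sizeof good_body); return rc == PARSE_OK ? e.nrates : rc; }
int check_long(void) { struct scan_entry e; return parse_beacon_ies(&e, long_body, sizeof long_body); }
int check_cut(void)  { struct scan_entry e; return parse_beacon_ies(&e, cut_body, sizeof cut_body); }
```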

  • by packetmon (977047) on Wednesday September 19, 2007 @06:57AM (#20665767) Homepage
    Love him or hate him, Maynor did the right thing waiting to come out with his paper. Even with an NDA, anyone can publish something anonymously, which he didn't do. It's sinful that corporations don't take this into consideration when dishing out credits to security researchers. As for the NDA, I'm going to guess it was probably with Atheros. For those looking for the page with Maynor's attack, it's here: OS X Kernel-mode Exploitation in a Weekend [uninformed.org]... Don't know why the contributor didn't link it.
  • Re:NDA? (Score:5, Informative)

    by Alphager (957739) <florian...haas@@@gmail...com> on Wednesday September 19, 2007 @07:08AM (#20665823) Homepage Journal

    Isn't it against the NDA to say that you are/were under an NDA?
    Depends on the NDA.
  • Re:So does this mean (Score:1, Informative)

    by Anonymous Coward on Wednesday September 19, 2007 @07:12AM (#20665857)
    neither, since iirc it was a hardware driver problem
  • by daveschroeder (516195) * on Wednesday September 19, 2007 @07:22AM (#20665925)
    This affected more than just the chipsets and drivers in use in Apple laptops. It could be used in the same fashion on any affected chipset, potentially under various drivers on multiple OSes. The MacBook was just chosen as a point of principle to show that Macs, too, can be vulnerable to such attacks. This was noted in the initial coverage in the IT press at the time, but was quickly ignored in favor of a neverending flow of sensationalist articles claiming that any attacker could now easily take over MacBooks - and only MacBooks - at will in less than 30 seconds, and wirelessly to boot.

    Unfortunately, the opposing storm of FUD was just as bad, making it appear that the whole wireless vulnerability was a hoax, when in reality it was probably one of the more important general WiFi/driver vulnerabilities in recent memory. The choice of how to disclose was extremely poorly managed, and to make statements to the effect that you essentially wanted to stick it to Mac users when working under the guise of a supposedly professional and reputable security firm was what caused the problems. He embarrassed the hell out of SecureWorks by ending up with a firestorm of press that was massively bad PR for Apple.

    So what, you say? It was bad press for Apple, and ONLY Apple. No other vendor or manufacturer got nailed by this in any substantive way. With Apple having such low marketshare, how is it fair for only Apple to be targeted in press articles about this? Not Maynor's fault? No, not exactly, but some of his initial choices for handling are absolutely what led to the situation. I'm sure he had little idea this would occur and just got caught up in the world between security research and disclosure on one side, and corporations and mainstream media on the other.
  • Re:NDA? (Score:3, Informative)

    by bkr1_2k (237627) on Wednesday September 19, 2007 @07:46AM (#20666153)
    No. I've signed several NDAs and none of them had a stipulation that I not speak of the fact that I was bound by the NDA. It all depends upon the wording of the specific agreement.
  • by russotto (537200) on Wednesday September 19, 2007 @09:07AM (#20667013) Journal

    Does this hack indeed work in a stock Macbook, and if so why wouldn't he just use the stock Macbook WiFi card?


    My cynical suspicion is that he hadn't gotten the exploit to work on the MacBook stock WiFi card at the time, and rather than wait until he could and risk being "scooped", he tried to bluff.

    Even more cynically, it's possible he had nothing on Apple at the time, later reverse-engineered his exploit from Apple's patch, and the exploit on the third-party card was something else entirely.
  • Re:An object lesson (Score:2, Informative)

    by TheCoelacanth (1069408) on Wednesday September 19, 2007 @09:10AM (#20667071)

    Traditional Unix(TM) based operating systems are notorious for being highly proprietary, and their sources closely guarded secrets. Recently, of course, some unix-like vendors such as Sun have decided to open-source those OSes, but this is the exception, not the rule.
    The original Unix sources were widely available. Only later did Unix and most derivatives have secret source code. I agree that it's silly to call all Unix operating systems open source though.
  • by Anonymous Coward on Wednesday September 19, 2007 @09:11AM (#20667077)
    http://www.wifinetnews.com/archives/007121.html [wifinetnews.com]

    Doesn't the D620 use a Broadcom card? Didn't Jon Ellch release that code?
    Seems like it was demonstrated on other notebook models.
  • by daveschroeder (516195) * on Wednesday September 19, 2007 @09:26AM (#20667291)
    Apple denied the problem existed, and threatened them - that's why this made the news. Compare this with the well-known similar flaw in some Broadcom wireless chipsets (used by many vendors, including Dell & Linksys) that came out last fall. A fix came out, and the problem was solved.

    Apple denied the problem existed because - and I'm not saying this can be proven, but it's what was said at the time - Maynor couldn't show Apple engineers who were at the conference how the exploit worked with the MacBook's integrated wireless; certainly not in any practical way. The fix Apple ended up deploying was essentially, from what I can tell, by applying Maynor's theoretical claims about the vulnerability and then independently discovering the vulnerability in their own code. Some might say that is enough. I'd argue that when you are a security researcher working under the guise of responsible disclosure for a reputable enterprise security research firm and telling the Washington Post directly and explicitly that the MacBook was vulnerable as-is with the stock integrated wireless, today, you have an OBLIGATION to give the vendor the information to solve the problem.

    I take very serious exception to the "threat" issue. It was insinuated and implied that Apple "threatened" them. There is NO PROOF that ever occurred, and, on top of that, threatened them how? Legally? Physically? I mean, come on. An Apple engineer saying, "Uh, I don't think you should frame your demo this way...it could be bad news," if something like that occurred, isn't a "threat". And if Apple substantively threatened them in any other way, there will be proof...a letter, an email, a voicemail, anything. If someone is going to claim that Apple threatened them in any meaningful way "off the record", I'm sorry, but that's bullshit.

    How Apple handled the problem is the issue. Similar to Oracle claiming that their database is "unbreakable". Oracle is a solid product, but certainly not unbreakable.

    No, nothing is unbreakable and Macs are vulnerable just like anything else.
  • by argent (18001) <peter@NOsPam.slashdot.2006.taronga.com> on Wednesday September 19, 2007 @09:33AM (#20667379) Homepage Journal
    the Mac community spent an enormous amount of time trying to destroy Maynor's credibility

    Maynor did everything he could to destroy his own credibility.

    He misrepresented the nature of the vulnerability. Not because he was under an NDA, mind you, but because

    [OSX was promoted as] being free of the viruses and malware that plague Windows,

    It still is. Because it still is free of them. Not because it's "invulnerable" (people who talk about it being invulnerable - pro or con - shouldn't be trusted... and that includes you), but because it's a competently designed UNIX based OS that takes advantage of layered security. There's some aggravating design flaws that are bigger problems than a fixable bug in Wifi (yes, really), but the bottom line is that it's got a fundamentally more secure design than Windows in many areas that really matter, and THAT has a huge effect.

    and even GNU/Linux doesn't have a reputation for being invulnerable

    Wrong. Linux has been promoted as being a virus free haven for Windows users for at least as long as OS X has, and it's been pushed harder. And, yes, it ALSO has the advantage of a good traditional UNIX design.

    But if Maynor REALLY wanted to show off, he'd have attacked OpenBSD.

    and suddenly Maynor found there was a massive hole in that

    So? People find holes in OSX regularly. And I mean ACTUAL holes unique to OS X, not holes shared by a lot of common devices. ACTUAL cases of the SAME KIND of hole (buffer overrun), even. This is not a "massive hole in OS X" at all, and if he hadn't turned around and (a) attacked Apple specifically, and (b) refused to disclose the bug itself (and I don't believe in an NDA that would have kept him from telling Apple about a buffer overflow in a Wifi driver), nobody would have said boo to him.

    But he didn't act responsibly. He wanted to grandstand and he wanted to hurt Apple, specifically. I mean, he said he had a grudge against Apple right there on his web page. That's not responsible, and has nothing to do with any NDA. Even if it's not actually lying and even arguably not dishonest, it sure ain't honorable.

    So here we have someone who's acting irresponsibly, and implying he's being paid to find security holes he's not allowed to talk about (and he still hasn't explained that bit), and who's specifically targeting one company... what kind of reaction should he expect?
  • by stewbacca (1033764) on Wednesday September 19, 2007 @09:36AM (#20667427)
    If you click the link to the original story, it clearly indicates that this guy hacked a third party wireless card. If you click on the link to this story, however, the story claims that he found a way to hack the built-in AirPort wireless adapter. Shoddy journalism?

    So what happened? The original story was a lie? The new story doesn't have their facts straight? IF this guy hacked an AirPort driver, like the NEWEST link claims, then this is a story. However, since the past year has been filled with nothing but discrediting proof that he hacked a third-party adapter, and his video shows him inserting a third party wireless USB adapter, then I would have to guess that the Apple AirPort wireless adapter was never, and still isn't, threatened by hacking.

  • Re:Mods on crack (Score:0, Informative)

    by Anonymous Coward on Wednesday September 19, 2007 @11:31AM (#20669083)
    The parent (GP to this post) is informative, asshat, because it actually contains factual, informative information, and started out at +2 because it wasn't an AC.

    The GP (GGP to this post) is at 0 as it deserves to be because it has no meaningful content, and accuses Apple of things that didn't occur, like ignoring a legitimate bug when the discoverer himself couldn't show Apple it worked with the MacBook integrated wireless at the conference, or of "threatening" them, when if there had been any meaningful "threat" (e.g., legal), there would be some proof or substantiation.

    So if you're saying Apple will "lose you" as a customer, dickwad, because a post with actual correct information got modded up on slashdot, and isn't a "fanboi" (anyone who uses that term is the biggest fucking faggot ever) post in any sense of the term, then good riddance, cocksucker.
  • by gsfprez (27403) on Wednesday September 19, 2007 @12:05PM (#20669575)
    I'm sorry, but this WHOLE THING became a kerfuffle when Maynor stated that Apple threatened him... and not a second before that.

    And I have a very, very hard time believing that Maynor is telling the truth about that, because Apple has an incredible track record on not only accepting information, but giving credit where credit is due to people that find problems and exploits.

    Here are 28 examples between 10.4.1-10.4.3 [blogspot.com] where Apple gave credit to security researchers, organizations, and individuals.

    So, Maynor found something, acted very suspiciously, made lame comments, hid information, and blamed Apple for all of it.

    He's a choad.
