Hacker Publishes Notorious Apple Wi-Fi Attack

Posted by Zonk
from the ponying-up dept.
inkslinger77 writes "It's been about a year since David Maynor claimed to have found a way to take over a Mac using a flaw in a Wireless driver. He's now published his work for public scrutiny. Maynor had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack, but the NDA is over now and by going public with the information, Maynor hopes to help other Apple researchers with new documentation on things like Wi-Fi debugging and the Mac OS X kernel core dumping facility."
  • by langelgjm (860756) on Wednesday September 19, 2007 @07:51AM (#20665731) Journal

    Here's a link to the actual paper [uninformed.org].

    And here's the important part:

    Getting Code Execution

    The result of this flaw is that many things beyond the Extended Rate buffer in the ieee80211_scan_entry structure are corrupted. In a traditional stack overflow, control of execution flow is obtained directly by overwriting an important value, such as the return address. The corruption caused by the "Extended Rate" bug is more complicated due to the apparent lack of adjacent control structures.

    The most promising avenue for getting execution can be found in a function named ath_copy_scan_results. This function uses the fields that are overwritten to copy memory. An attacker can control the size of the copy and the source of the copy. In addition to crashing reliably on the same data, the size of the memcpy is two bytes wide meaning that up to 65535 bytes can be copied. Since the destination of the memcpy is a structure that ends with a function pointer, the hope is that enough data can be written outside of the destination buffer to the point where the function pointer is overwritten. In this way, the next time the function pointer is called, the caller would instead jump to whatever address is now stored in the function pointer. In other words, this represents a two-stage overwrite. The first overwrite does not provide direct code execution, but it allows an attacker to create a second overwrite that will. The Beacon packet contains a number of buffers one can use for this second-stage overwrite. Thus, an overflow in one buffer in the packet (the Extended Rate IE) allows an attacker to control how a second buffer is copied (in this case, the Robust Security Network (RSN) IE). It is the copying of the second buffer that will permit code execution.
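
The two-stage overwrite the quoted paper describes, as an added editorial example. This is not Maynor's code and not the madwifi/net80211 or Apple driver sources: the scan-entry and scan-result layouts, the field names (se_xrates, se_rsn_len, se_rsn_off, se_notify), the buffer sizes and the two beacon IE byte strings are constructed assumptions. The unchecked parser models a driver with no length check before the Extended Rates copy (the thread notes further down that the madwifi source has such a check and the OS X binary did not); an oversized IE runs past the rates buffer into the length and source fields that the later copy trusts, so the second copy's length becomes 65535 and would overrun its destination far enough to reach the function pointer at its end. The checked parser rejects the same frame, and a bounded second-stage copy refuses the corrupted length.

```c
/* Added example modelling the two-stage overwrite quoted above. Not code from
 * Maynor's paper, madwifi/net80211 or Apple's driver: struct layouts, field
 * names, sizes and the beacon bytes below are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RATE_MAXSIZE 15   /* hypothetical fixed size of the Extended Rates buffer */
#define RSN_MAX      32   /* hypothetical size of the second stage's destination */
#define IE_RSN       48   /* 802.11 RSN information element ID */
#define IE_XRATES    50   /* 802.11 Extended Supported Rates element ID */

/* Hypothetical scan entry: the rates buffer sits directly in front of the
 * fields a later copy routine trusts as its length and source. */
struct scan_entry {
    uint8_t  se_xrates[RATE_MAXSIZE];
    uint8_t  se_nxrates;
    uint16_t se_rsn_len;   /* second-stage memcpy size, two bytes wide as in the paper */
    uint16_t se_rsn_off;   /* second-stage memcpy source: RSN IE offset in the frame */
};

/* Hypothetical destination of the second-stage copy, ending in a function pointer. */
struct scan_result {
    uint8_t rsn_ie[RSN_MAX];
    void  (*se_notify)(void);
};

/* Stage 1: walk the beacon IEs and fill the scan entry. checked == 0 models a
 * driver with no length check before the copy; checked == 1 rejects an
 * oversized IE. Returns 0, or -1 if the frame is rejected. */
int parse_beacon_ies(const uint8_t *ies, size_t len, struct scan_entry *se, int checked)
{
    size_t off = 0;
    memset(se, 0, sizeof *se);
    while (off + 2 <= len) {
        uint8_t id = ies[off], n = ies[off + 1];
        const uint8_t *data = ies + off + 2;
        if (off + 2 + n > len)
            return -1;                       /* IE runs past the frame */
        if (id == IE_RSN) {
            se->se_rsn_len = n;
            se->se_rsn_off = (uint16_t)(off + 2);
        } else if (id == IE_XRATES) {
            if (checked && n > RATE_MAXSIZE)
                return -1;                   /* the check the binary driver lacked */
            se->se_nxrates = n;
            /* Unchecked: with n > RATE_MAXSIZE this runs past se_xrates into the
             * fields behind it. The raw-byte pointer keeps the demo inside the
             * struct object and the crafted frame is sized to stay inside it;
             * on real hardware nothing bounds the write. */
            memcpy((uint8_t *)se + offsetof(struct scan_entry, se_xrates), data, n);
        }
        off += 2 + (size_t)n;
    }
    return 0;
}

/* Stage 2 as the (possibly corrupted) fields would drive it: 0 = copy fits in
 * rsn_ie, 1 = overruns rsn_ie, 2 = overruns far enough to overwrite se_notify.
 * The copy itself is deliberately not performed. */
int second_stage_reach(const struct scan_entry *se)
{
    size_t n = se->se_rsn_len;
    if (n <= RSN_MAX)
        return 0;
    if (n >= offsetof(struct scan_result, se_notify) + sizeof(void (*)(void)))
        return 2;
    return 1;
}

/* Hardened stage 2: bound both the length and the source before copying. */
int copy_scan_result(const uint8_t *ies, size_t len, const struct scan_entry *se,
                     struct scan_result *res)
{
    if (se->se_rsn_len > RSN_MAX || (size_t)se->se_rsn_off + se->se_rsn_len > len)
        return -1;
    memcpy(res->rsn_ie, ies + se->se_rsn_off, se->se_rsn_len);
    return 0;
}

/* Constructed frames (not captures). Both carry a 20-byte RSN IE first, so its
 * length and offset are recorded before the Extended Rates IE is copied. */
#define RSN_IE IE_RSN, 20, 0x01,0x00, 0x00,0x0f,0xac,0x04, 0x01,0x00, 0x00,0x0f,0xac,0x04, \
               0x01,0x00, 0x00,0x0f,0xac,0x02, 0x00,0x00
static const uint8_t benign_ies[] = {
    RSN_IE,
    IE_XRATES, 8, 0x0c,0x12,0x18,0x24,0x30,0x48,0x60,0x6c,
};
static const uint8_t evil_ies[] = {
    RSN_IE,
    IE_XRATES, 20,                         /* 5 bytes past RATE_MAXSIZE */
    0x0c,0x12,0x18,0x24,0x30,0x48,0x60,0x6c,0x0c,0x12,0x18,0x24,0x30,0x48,0x60, /* fills se_xrates */
    0x0f,                                  /* lands on se_nxrates */
    0xff,0xff,                             /* se_rsn_len = 65535 in either byte order */
    0x00,0x00,                             /* se_rsn_off = 0 */
};

/* Parse one constructed frame; returns what stage 2 would reach, -1 if rejected. */
int demo_reach(int evil, int checked)
{
    struct scan_entry se;
    const uint8_t *ies = evil ? evil_ies : benign_ies;
    size_t len = evil ? sizeof evil_ies : sizeof benign_ies;
    if (parse_beacon_ies(ies, len, &se, checked) != 0)
        return -1;
    return second_stage_reach(&se);
}

/* Parse unchecked, then run the hardened stage 2; returns its result. */
int demo_hardened_copy(int evil)
{
    struct scan_entry se;
    struct scan_result res = {0};
    const uint8_t *ies = evil ? evil_ies : benign_ies;
    size_t len = evil ? sizeof evil_ies : sizeof benign_ies;
    if (parse_beacon_ies(ies, len, &se, 0) != 0)
        return -1;
    return copy_scan_result(ies, len, &se, &res);
}

int main(void)
{
    printf("benign, unchecked stage 1: reach=%d\n", demo_reach(0, 0));
    printf("evil,   unchecked stage 1: reach=%d\n", demo_reach(1, 0));
    printf("evil,   checked stage 1:   reach=%d\n", demo_reach(1, 1));
    printf("evil,   hardened stage 2:  %d\n", demo_hardened_copy(1));
    return 0;
}
```

The point the demo makes is the one the paper makes: the first overflow on its own only corrupts bookkeeping, and it is the trust the second copy places in that bookkeeping that turns a bad length byte in one IE into an out-of-bounds write from another. Either check on its own stops this instance; a real driver wants both.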

  • by packetmon (977047) on Wednesday September 19, 2007 @07:57AM (#20665767) Homepage
    Love him or hate him Maynor did the right thing waiting to come out with his paper. Even with an NDA, anyone can publish something anonymously which he didn't do. It's sinful that corporations don't take this into consideration when dishing out credits to security researchers. As for the NDA, I'm going to guess it was probably with Atheros. For those looking for the page with Maynor's attack, it's here OS X Kernel-mode Exploitation in a Weekend [uninformed.org]... Don't know why contributor didn't link it.
  • by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Wednesday September 19, 2007 @08:03AM (#20665795)
    What gets me most of all is how the wifi stack was able to be crashed with just data.

    First he bombards the network with random packets. Then the actual packet in question may not cause a crash for up to 5 minutes. Then he tracks down which packet it was and how using the contents of that packet he can use another packet to set up a code execution exploit.

    Really good work. And no cookie for Apple whose driver choked on data.
    • by daveschroeder (516195) * on Wednesday September 19, 2007 @08:22AM (#20665925)
      This affected more than just the chipsets and drivers in use in Apple laptops. It could be used in the same fashion on any affected chipset, potentially under various drivers on multiple OSes. The MacBook was just chosen as a point of principle to show that Macs, too, can be vulnerable to such attacks. This was noted in the initial coverage in the IT press at the time, but was quickly ignored in favor of a neverending flow of sensationalist articles claiming that any attacker could now easily take over MacBooks - and only MacBooks - at will in less than 30 seconds, and wirelessly to boot.

      Unfortunately, the opposing storm of FUD was just as bad, making it appear that the whole wireless vulnerability was a hoax, when in reality it was probably one of the more important general WiFi/driver vulnerabilities in recent memory. The choice of how to disclose was extremely poorly managed, and to make statements to the effect that you essentially wanted to stick it to Mac users when working under the guise of a supposedly professional and reputable security firm was what caused the problems. He embarrassed the hell out of SecureWorks by ending up with a firestorm of press that was massively bad PR for Apple.

      So what, you say? It was bad press for Apple, and ONLY Apple. No other vendor or manufacturer got nailed by this in any substantive way. With Apple having such low marketshare, how is it fair for only Apple to be targeted in press articles about this? Not Maynor's fault? No, not exactly, but some of his initial choices for handling are absolutely what led to the situation. I'm sure he had little idea this would occur and just got caught up in the world between security research and disclosure on one side, and corporations and mainstream media on the other.
      • Re: (Score:1, Insightful)

        by Anonymous Coward
        The MacBook was just chosen as a point of principle to show that Macs, too, can be vulnerable to such attacks.

        But that's unpossible! Macs have cool ads, and they make fun of that PC guy who is always crashing with security problems.

        So what, you say? It was bad press for Apple, and ONLY Apple. No other vendor of manufacturer got nailed by this in any substantive way. With Apple having such low marketshare, how is it fair for only Apple to be targeted in press articles about this?

        Apple denied the problem exi
        • Re: (Score:2, Informative)

          by daveschroeder (516195) *
          Apple denied the problem existed, and threatened them - that's why this made the news. Compare this with the well-known similar flaw in some broadcom wireless chipsets (used by many vendors, including Dell & Linksys) that came out last fall. A fix came out, and the problem was solved.

          Apple denied the problem existed because - and I'm not saying this can be proven, but it's what was said at the time - Maynor couldn't show Apple engineers who were at the conference how the exploit worked with the MacBook'
      • by himself (66589)
        Dave wrote, in part:
        >
        > This affected more than the just the chipsets and drivers in use in Apple laptops. It could be used in the same fashion on any affected chipset,
        > potentially under various drivers on multiple OSes. The MacBook was just chosen as a point of principle to show that Macs, too, can be
        > vulnerable to such attacks. This was noted in the initial coverage in the IT press at the time, but was quickly ignored in favor of a neverending
        > flow of sensationalist articles claiming that
        • I am reminded of the story about "iPhones kill WLANs" some time ago, featuring Cisco & Apple gear, which ultimately turned out to be more along the lines of "Interference From Devices On Unregulated Bands Interferes!" But you know, that's not quite as sexy, is it?

          That was an interesting story. Actually, the headline would have been "Bug In Cisco's Own Wireless Hardware Brings Down Same". It turned out that it wasn't an iPhone issue at all, and was a bug in Cisco's code [cisco.com]. Unfortunately, the story had alread
    • Re: (Score:3, Insightful)

      by Tim Browse (9263)

      What gets me most of all is how the wifi stack was able to be crashed with just data.

      As opposed to..?

      I don't know if you've been keeping up, but an awful lot of vulnerabilities are triggered by providing 'just data' to the target.

  • by 10Ghz (453478)
    Isn't it against the NDA to say that you are/were under an NDA?
    • Re:NDA? (Score:5, Informative)

      by Alphager (957739) <florian@haas.gmail@com> on Wednesday September 19, 2007 @08:08AM (#20665823) Homepage Journal

      Isn't it against the NDA to say that you are/were under an NDA?
      Depends on the NDA.
      • Re:NDA? (Score:5, Funny)

        by StarfishOne (756076) on Wednesday September 19, 2007 @08:29AM (#20665985)
        The first rule about an NDA: "You don't talk about an NDA". The second rule about an NDA is: "You don't talk about an NDA".
        • It's more fun if you substitute the word "wank" for "fight". "The first rule of Wank Club is - you do not talk about Wank Club. The second rule of Wank Club is you DO NOT talk about Wank Club. Third rule of Wank Club, someone yells 'stop', goes limp, taps out, the wank is over. Fourth rule, only two guys to a wank. Fifth rule, one wank at a time, fellas. Sixth rule, no shirts, no shoes. Seventh rule, wanks will go on as long as they have to. And the eighth and final rule, if this is your first night at Wan
        • Ah yes, but which NDA? He could always claim, (if sued under NDA 1) that he actually was talking about (non-existent) 'NDA 2' under the terms of which he could talk about the NDA restrictions but nothing else...

          *brain explodes*
    • I'd tell you the answer to that, but I'm under an NDA.
    • Re: (Score:3, Informative)

      by bkr1_2k (237627)
      No. I've signed several NDAs and none of them had a stipulation that I not speak of the fact that I was bound by the NDA. It all depends upon the wording of the specific agreement.
    • Re:NDA? (Score:5, Funny)

      by Nazlfrag (1035012) on Wednesday September 19, 2007 @11:19AM (#20668063) Journal
      I'd tell you, but I'd have to NDA you first.
    • by mollymoo (202721)

      Isn't it against the NDA to say that you are/were under an NDA?

      I can neither confirm nor deny that.

  • by daveschroeder (516195) * on Wednesday September 19, 2007 @08:14AM (#20665861)
    Yes, it affected Apple, too, but it was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux!

    That's the whole point of why people took issue with this, and it's still being perpetuated here!

    The way it was presented, even if Maynor didn't intend it as such, especially in all of the press coverage - first IT press, then mainstream, CNN, hundreds of local papers via AP, you name it - was that it was an "Apple" WiFi hack only, and that anyone could easily and quickly completely take over your MacBook remotely.

    The stories just got repeated and regurgitated over and over, even though it was a flaw that affected a lot more than Apple; indeed, the most interesting thing about the vulnerability was its universal nature and applications!

    Also, in the initial reports, Maynor and Ellch hid the brand and vendor of external wireless adapter they used for the demo because of, according to them, "responsible disclosure", but then had no problems saying the exploit worked identically on a stock MacBook. So if it was important to hide the brand of the wireless adapter they used for the demo, why was it not equally important to hide the fact that the chipset in a MacBook was vulnerable? How is it fair for this to appear as an exploit affecting only Apple, appearing under headlines like "MacBook hacked in 30 seconds - remotely via wireless!"

    Given that Mac users apparently needed to have "lit cigarettes stuck in their eyes" - and whether that was a joke or not, I don't see how that's professional coming from someone who is a "security researcher" presenting findings under the guise of what purports to be a professional security outfit - it appeared that the choice to use a MacBook for the demo and the ensuing firestorm of publicity was done exactly for that reason.

    Would this have been news if they had used a Dell or Lenovo laptop running Windows or Linux, even if they also still said that this affected multiple platforms, including Mac OS X?
    • by pla (258480)
      Yes, it affected Apple, too, but it was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux! That's the whole point of why people took issue with this, and it's still being perpetuated here!

      Linux folks readily admit when kernel modules have bugs in serious need of repair. Windows users pretty much accept poor security as a fact of daily life.

      But Mac users... They would call a dead pixel a "feature intended to relieve eye-strain from prolon
      • by shinma (106792) on Wednesday September 19, 2007 @09:53AM (#20666825) Homepage
        You don't hang out on mac boards much, do you?

        The whining over how "awful" the black level on the new iPod Touch is, the "I'm unimpressed," attitude every time Apple releases something, simply because the mac rumors community builds every announcement up to be the second coming... Much of the Apple Faithful are disappointed when it's only revolutionary.

        Apple fanatics are vicious to Apple. They devour their god, and their bloated bellies are never full.
        • Hey, now. If YOU knew how delicious gods were, you'd not blame us for gorging ourselves.

          Nummy gods.
        • Apple fanatics are vicious to Apple. They devour their god, and their bloated bellies are never full.

          Best single line on Slashdot today. It almost sounds like some kind of ancient Greek myth, or a line from a particularly good Penny Arcade comic.
        • by martinX (672498)

          Apple fanatics are vicious to Apple. They devour their god, and their bloated bellies are never full.

          Fantastic imagery. Love it. And I say that as an Apple fan, though not quite a fanatic.

      • You are rubbing salt into the wrong wound. You need to find out what third party wireless adapter he used, and rub salt into their wounds. Find me 5 Mac users who use that specific wireless adapter...no wait, find me 5 Mac users who use ANY wireless adapter other than the one that ships preinstalled, or find me somebody who can hack the Apple wireless adapter and I slit a big wound for you anywhere on my body, and you can pour as much salt in as you like.
    • Re: (Score:2, Insightful)

      by squiggleslash (241428) *

      You know Dave, I'm really disappointed in this reaction and the reaction of most others in the Mac community on this news.

      To address your point first: The hack was an Apple WiFi hack. It was presented that way because that was the news. The fact one could use the same exploit as a basis of a means to hack other operating systems was really not news - Windows is hackable, everyone knows that, and even GNU/Linux doesn't have a reputation for being invulnerable. Meanwhile Mac OS X, the operating system with

      • by daveschroeder (516195) * on Wednesday September 19, 2007 @09:35AM (#20666605)
        squigglesquash,

        I'm not apologizing for the behavior of the Mac fanboys afterward, and I already said that [slashdot.org] in one of my other posts.

        But the very initial coverage stated that other WiFi drivers for similar chipsets on other platforms were already proven vulnerable. This wasn't some pie-in-the-sky theoretical claim; it was specifically stated that drivers on Linux and Windows WERE vulnerable to the SAME exploit mechanism, and that the MacBook was chosen to just show that "Macs can be vulnerable too".

        FUDing the story the way they did was wrong, but the damage was already done. If this were on Windows or Linux, this NEVER would have gotten picked up in the mainstream press. I say "mainstream" because that is an important distinction. The story was covered with none of the technical nuance or accuracy required, and left MILLIONS more people with the impression, even if only in passing, that "MacBooks" could be owned wirelessly in 30 seconds. Not any laptop. Not Windows. Not Linux. Just MacBooks.

        If you can tell me how that's fair to Apple or how that helps Apple users, I'd appreciate it.

        Also, I will say that the FUD reaction from the fanboy crowd did NOT help Apple users, and in fact did lasting damage to the Mac security situation. But if you can explain to me how the coverage, or saying that smug Mac users need lit cigarettes jammed in their eyes, or making it appear that the vulnerability ONLY affected MacBooks, or hiding the third party wireless card they used in the initial demo because of "responsible disclosure", but then immediately turning around and saying the integrated wireless in a MacBook was identically vulnerable - if you can explain to me how any of those "helped" the Mac community, I'd appreciate it.
      • What I'm still wondering about was Maynor's video where he plugged in the disguised USB stick, then claimed to hack it...even though the MAC address he hacked was registered to Apple. Why not just say he was hacking the Airport? And why not demonstrate this hack when he had the chance instead of just KPing the machine remotely? It almost sounds like he never had the hack and had to dig for it for a while to make it work. Maybe I'm wrong. Can anyone clarify?
      • Your post sounds convincing enough, but please correct my memory, in case I've forgotten something. He hacked a third party wireless adapter. EVERY Mac sold comes preinstalled with their own flavor of wireless adapter. This guy couldn't (or at least didn't) hack the Mac's built in wireless, he hacked a third party. Since nobody that uses a Mac buys third party wireless adapters, then this hack is no threat and is not Apple specific. What am I missing here?
      • by argent (18001) <peter AT slashdo ... taronga DOT com> on Wednesday September 19, 2007 @10:33AM (#20667379) Homepage Journal
        the Mac community spent an enormous amount of time trying to destroy Maynor's credibility

        Maynor did everything he could to destroy his own credibility.

        He misrepresented the nature of the vulnerability. Not because he was under an NDA, mind you, but because

        [OSX was promoted as] being free of the viruses and malware that plague Windows,

        It still is. Because it still is free of them. Not because it's "invulnerable" (people who talk about it being invulnerable - pro or con - shouldn't be trusted... and that includes you), but because it's a competently designed UNIX based OS that takes advantage of layered security. There's some aggravating design flaws that are bigger problems than a fixable bug in Wifi (yes, really), but the bottom line is that it's got a fundamentally more secure design than Windows in many areas that really matter, and THAT has a huge effect.

        and even GNU/Linux doesn't have a reputation for being invulnerable

        Wrong. Linux has been promoted as being a virus free haven for Windows users for at least as long as OS X has, and it's been pushed harder. And, yes, it ALSO has the advantage of a good traditional UNIX design.

        But if Maynor REALLY wanted to show off, he'd have attacked OpenBSD.

        and suddenly Maynor found there was a massive hole in that

        So? People find holes in OSX regularly. And I mean ACTUAL holes unique to OS X, not holes shared by a lot of common devices. ACTUAL cases of the SAME KIND of hole (buffer overrun), even. This is not a "massive hole in OS X" at all, and if he hadn't turned around and (a) attacked Apple specifically, and (b) refused to disclose the bug itself (and I don't believe in an NDA that would have kept him from telling Apple about a buffer overflow in a Wifi driver), nobody would have said boo to him.

        But he didn't act responsibly. He wanted to grandstand and he wanted to hurt Apple, specifically. I mean, he said he had a grudge against Apple right there on his web page. That's not responsible, and has nothing to do with any NDA. Even if it's not actually lying and even arguably not dishonest, it sure ain't honorable.

        So here we have someone who's acting irresponsibly, and implying he's being paid to find security holes he's not allowed to talk about (and he still hasn't explained that bit), and who's specifically targeting one company... what kind of reaction should he expect?
      • If he's not ready to disclose responsibly (or at least without talk of lit cigarettes in eyes), maybe he should wait.

        That much of the Macintosh user community responded poorly to him shouldn't be surprising - sensationalist ass-hattery usually does not go over well.

        Also, if his NDA is such an issue then maybe he shouldn't have jeopardized his professional reputation by not being able to ... well, disclose ... what he's claiming.

        He just came out as exceptionally immature and unprofessional. (And having Krebs
    • Re: (Score:3, Interesting)

      by stewbacca (1033764)

      Yes, it affected Apple, too, but it was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux!

      Considering it was a third party wireless device, it would only be logical that Macs would be the least affected by this hack, because very few Mac users (less than 1%?) would ever bypass the built in wireless for a third party solution. So this hack is more of a danger to Windows machines, which are far more likely to be sold without built-in wireless,

    • by curty (42764)
      I'm not familiar with the background to this story, but his paper [uninformed.org] suggests to me that it was Apple specific, viz:

      Apple based their driver on [the Madwifi and net80211] open-source projects.

      All research to this point showed that the Extended Rate buffer [overflowing] was the culprit but the madwifi source code had a check for a maximum length before the copy happened.

      The code found within the driver shows that although there is a length check in the open source driver, it's not actually present in the OS X binary driver.

      Have I missed something?

      • Yes...this Apple WiFi hack IS Apple specific, because, well, it has to be.

        But the vulnerability they discovered was a general one, and they explicitly stated that it could be applied to affected WiFi drivers and chipsets under other OSes, including Windows and Linux. Their discovery resulted in patches for this flaw in various WiFi drivers on various OSes. They picked Apple to make the point that "Macs can also be vulnerable" to such things.

        So while the Apple exploit is specific to Apple, it is an applicati
    • Did you hurt yourself with the elaborate contortions and twists you'd made to somehow justify the flaying Maynor took at the hands of the Mac Fanbois?

      It's very simple. Maynor said there was a direct wifi hack on Macs, he was right, the Apple cultists were wrong.

      All the FUD then or now doesn't change that fact.
    • The hack only affected MacBooks with specific third-party wireless hardware attached -- something almost no-one would be affected by, since MacBooks come with wireless that wasn't vulnerable.

      So it was especially bad that Apple got all the bad press.
  • "Great! Send it to last year, when I might have cared."

    Okay, I changed "week" to "year."
  • by stewbacca (1033764) on Wednesday September 19, 2007 @10:36AM (#20667427)
    If you click the link to the original story, it clearly indicates that this guy hacked a third party wireless card. If you click on the link to this story, however, the story claims that he found a way to hack the built-in AirPort wireless adapter. Shoddy journalism?

    So what happened? The original story was a lie? The new story doesn't have their facts straight? IF this guy hacked an AirPort driver, like the NEWEST link claims, then this is a story. However, since the past year has been filled with nothing but discrediting proof that he hacked a third-party adapter, and his video shows him inserting a third party wireless USB adapter, then I would have to guess that the Apple AirPort wireless adapter was never, and still isn't, threatened by hacking.

    • Re: (Score:2, Interesting)

      by Clirion (720337)
      Actually, it looks like it was the Atheros chipset he hit. So any card that uses this chipset is at risk. MacBooks use Atheros wireless chipset. So the same exploit that works on the third party card (presumably using the Atheros chipset) works on the Macbook (using the Atheros Chipset).
      • Then why didn't he conduct the hack without the third party USB adapter? I can take your word that it is technically feasible, but as a non-technical person, I'd rather see it in action rather than taking a technical person's theoretical explanation of how it "would" work had we used the stock wireless. It's kind of the staple of good research to make the assumption that it would work because it is the same chipset, but you still have to test those assumptions. Anything short makes the work biased. Aft
  • by Argyle (25623) on Wednesday September 19, 2007 @11:43AM (#20668401) Homepage Journal
    Apple cultist Jon Gruber offered a MacBook to David Maynor and Jon Ellch if the wifi hack was true [daringfireball.net].

    It was true. He owes them a laptop...
    • Re: (Score:3, Insightful)

      by JoshNorton (528856)
      I see no evidence that they have fulfilled any of the terms of the challenge as yet.
      In any case, he set a time frame for taking the challenge that ended just over a year ago at this point.

      No, this really doesn't earn them any apology from him.
    • So when, exactly did they meet to accomplish this challenge? Nice try, but still wrong.
    • A. he will get 2 macs :
      http://daringfireball.net/2006/09/challenge_update [daringfireball.net]


      And B, he would lose since it's not an out of the box hack, since it has to contain specific 3rd party drivers.
    • The offer expired in September 2006. Besides, if they did it today, Apple has patched the vulnerability.
    • If you had read the page you linked to, you would have seen that Gruber offered them a week's time just to agree to the challenge ... and they failed to take him up on it. Inasmuch as
      1. they failed (for a year) to demonstrate the hack they originally claimed to be able to do at the conference, and
      2. they were unable to explain the hack to Apple engineers in anything but the theoretical sense (as proved by Apple having to resolve the issue themselves - which Apple's developers rapidly did), and
      3. claimed repe
    • by not_anne (203907)
      He has no reason to apologize to them. This was a challenge, not an "if it's true you get a free laptop" contest.

      The challenge was for Maynor and Ellch to hack a fresh out of the box MacBook using their wifi exploit a year ago. They didn't accept the challenge and so they don't deserve a laptop.

  • by gsfprez (27403) on Wednesday September 19, 2007 @01:05PM (#20669575)
    i'm sorry, but this WHOLE THING became a kerfuffle when Maynor stated that Apple threatened him... and not a second before that.

    And i have a very very hard time believing that Maynor is telling the truth about that because Apple has an incredible track record on not only accepting information, but giving credit where credit is due to people that find problems and exploits

    Here are 28 examples between 10.4.1-10.4.3 [blogspot.com] where Apple gave credit to security researchers, organizations, and individuals.

    So, Maynor found something, acted very suspiciously, made lame comments, hid information, and blamed Apple for all of it.

    He's a choad.
    • by makomk (752139)
      Of course, I bet all of those 28 kept the existence of the vulnerability hush-hush until Apple got around to releasing a fix. This means that they are basically irrelevant when it comes to the question of whether or not Apple threatened him because he was publicising the vulnerability.
  • 1. somehow find out someone's password. 2. SSH in.
