Slashdot Mirror


The Black Hat Wi-Fi Exploit

Joe Barr writes to tell us that while many have heard that an Apple was exploited in order to install a rootkit at the recent Black Hat security conference, most people don't know the details of how it works. This is no mistake; it seems that the researchers who demonstrated the flaw were intentionally vague. Some theorize that this is in response to the real or perceived threat of legal action similar to the situation with previous Black Hat presenter Michael Lynn.

5 of 129 comments

  1. Atheros at the exploiter side? by tuomas_kaikkonen · · Score: 4, Interesting

    Perhaps it is the exploiter who is better off with the Atheros based WLAN card? Maybe it is still possible to exploit any other WLAN card, but the attacker may benefit from using some WLAN cards over others as the attacking host platform (not the attacked target platform). Reference: http://www.ktwo.ca/security.html

    1. Re:Atheros at the exploiter side? by grub · · Score: 4, Interesting

      The Atheros exploit shores up OpenBSD's stance on binary "blob" drivers perfectly. EVERY OS using these binary drivers is vulnerable. OpenBSD refused to include the blob, reverse engineered the drivers and wrote their own secure drivers.

      End result? OpenBSD is secure while most other OSs out there are at the mercy of Atheros.

      --
      Trolling is a art,

  2. Wifi Card used in exploit by pele_smk · · Score: 4, Interesting

    First hand: Ellch talked a lot about the timings and the reactions of wireless cards to certain packets, as well as the need for a less fatty and feature-full tcp/ip protocol. From the talk it sounded like Maynor developed the particular exploit. Ellch talked about his tool fuzze. Ellch's goal was to fingerprint particular wireless users and the driver model they were using....(to decide what Metasploit exploit you'll use this week) If I were a wireless guru, say like some of the other thousands alive, I could make a prediction. If they don't release the exploit soon, someone else will develop an equally powerful exploit into the wild. Buffer overflow the stack..... It's too fat and does more thinking than it should. I say patience is key. Even when they do develop the patch, how many coffee shop users don't apply patches? The biggest weakness in the attack is the fact that it sounds like a proximity attack. If you're not within wireless reach of the victim, you won't be able to attack them. That's just a guess since the video demo of the attack shows the attack from across a desk and not across the office. Cantenna anyone? Wifi-shootout?

  3. Equal opportunity sploit by wolfdvh · · Score: 5, Interesting

    I heard the presentation when it was repeated at DefCon, and what was not vague was that this exploit was at the card driver level below the OS, which is why it would work against any OS. They said they chose to demonstrate it on Apple rather than Windows because they thought if they'd used Windows, people would say "Of course, it's Windows, what did you expect," so by demonstrating it on a more "secure" (Mac) OS people would realize it was not just a Windows thing. Unfortunately, now everybody just thinks it's a Mac thing.

    Bottom line, assuming the demo is not a hoax, it will work against *nix, Windows, and Mac equally.

  4. Re:Flogging a dead Story by pchan- · · Score: 5, Interesting

    Yes, you're exactly right. There's nothing to this story at all. ...Oh wait. What's this on Bugtraq? Let me paste the headline for you:

    Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerabilities. Look at that, a remotely exploitable security hole in the Wifi driver. Anyone using one of these things is vulnerable if they have not upgraded their Wifi drivers, regardless of OS. This was disclosed by the vendor (Intel).

    Intel PRO/Wireless Network Connection drivers are prone to multiple remote code-execution vulnerabilities.

    An attacker within range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory to execute code with kernel-level privileges.

    A successful attack can result in a complete compromise of the affected computer.
    I guess you were right. No facts, just theories.