Slashdot Mirror


The Black Hat Wi-Fi Exploit

Joe Barr writes to tell us that while many have heard that an Apple was exploited in order to install a rootkit at the recent BlackHat security conference, most people don't know the details of how it works. This is no mistake, it seems that the researchers who demonstrated the flaw were intentionally vague. Some theorize that this is in response to the real or perceived threat of legal action similar to the situation with previous Blackhat presenter, Michael Lynn.

44 of 129 comments

  1. Atheros at the exploiter side? by tuomas_kaikkonen · · Score: 4, Interesting

    Perhaps it is the exploiter who is better off with the Atheros based WLAN card? Maybe it is still possible to exploit any other WLAN card, but the attacker may benefit from using some WLAN cards over others as the attacking host platform (not the attacked target platform). Reference: http://www.ktwo.ca/security.html

    1. Re:Atheros at the exploiter side? by bemenaker · · Score: 2, Informative

      I don't remember which article talked about it, but the presenter said that almost all drivers have this vulnerability in them.

    2. Re:Atheros at the exploiter side? by grub · · Score: 4, Interesting


      The Atheros exploit shores up OpenBSD's stance on binary "blob" drivers perfectly. EVERY OS using these binary drivers is vulnerable. OpenBSD refused to include the blob, reverse engineered the drivers and wrote their own secure drivers.

      End result? OpenBSD is secure while most other OSs out there are at the mercy of Atheros.

      --
      Trolling is a art,
  2. This seems a bit misleading... by DarkShadeChaos · · Score: 5, Insightful

    The current exploit was intentionally vague so that attackers would not have the upper-hand. The previous researcher mentioned was arrested for something prior to his presentation; I do not correlate the actions together.

    --
    The machine unmakes the man. Now that the machine is so perfect, the engineer is nobody. -Ralph Waldo Emerson
    1. Re:This seems a bit misleading... by Anonymous Coward · · Score: 5, Insightful

      > The current exploit was intentionally vague so that attackers would not have the upper-hand.

      Making the details vague, especially by not telling which card to avoid using, makes the users unable to do anything to prevent being victims. That very much GIVES the attackers the upper hand.

      Without knowledge, the users are defenseless. Heck, I have a laptop here with a built in wifi-card. So does everyone else in the office. If I knew the card was a risk, putting in a different card would make me safe. But as it is, the built in one could be safe and the one I would put in instead could be the risk. Heck, I don't even know if disabling the card through software solves anything. If the exploit really works on any OS, it doesn't sound like a software problem, but a hardware/firmware problem.

      The only thing being protected by not informing the users is the image of the manufacturer.

    2. Re:This seems a bit misleading... by Gideon+Fubar · · Score: 3, Interesting

      misleading eh?

      if you were aware of the (limited) details that have been released, you'd know that while the vulnerability that the presenters (Jon Ellch and David Maynor) used was vendor specific, it still worked on the macbook's internal airport card

      The demonstration was not really intended to point out the specific problem with these mac drivers. It was more intended to highlight several industry wide problems.

      I'm not about to say that letting consumers know about these problems will help or hinder them in any way.. nor will pointing out any specific company. If these problems are as prevalent as Ellch and Maynor claim, virtually no amount of consumer education would solve the problem, and pointing the finger would be the security equivalent of sweeping the problem under the rug.

      --
      http://www.xkcd.com/354/
    3. Re:This seems a bit misleading... by gnasher719 · · Score: 2, Informative

      Your post is very misleading. You write that "it still worked on the macbook's internal airport card" with a reference to the highly respected arstechnica.com. However, if you read the arstechnica article, all it contains is that a reader told them that the hackers claimed that it works with an airport card. So the only evidence that we actually have for this is an article claiming hearsay about an unsubstantiated claim. Bollocks to that.

    4. Re:This seems a bit misleading... by Aladrin · · Score: 5, Informative

      Actually, you WERE told how to prevent an attack. Maybe not outright, but it was there. The original slashdot report http://it.slashdot.org/article.pl?sid=06/08/03/129234 said that "Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network". This is enough information to secure your system. Simply tell it not to connect to any available wireless network. Only allow it to connect to networks you have specified. Tada. No cash needed for this fix.

      You can throw money at me instead, if you feel the need.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    5. Re:This seems a bit misleading... by gnasher719 · · Score: 2, Interesting

      Still bollocks. The articles that you quote are again just repeating the same stuff, from the same source, without any attempt of verification. It doesn't matter how many publications repeat it, all we have is an unverified claim.

    6. Re:This seems a bit misleading... by Martin+Blank · · Score: 2, Informative
      > Making the details vague, especially by not telling which card to avoid using, makes the users unable to do anything to prevent being victims. That very much GIVES the attackers the upper hand.

      For those attackers that can replicate the exploit, yes, it does. However, in some cases, it can be considered ethical to not release the information.

      For example, I took a wireless security class led by Joshua Wright, who some may know as the creator of several wireless attack tools such as asleap and lorcon (the latter was used by these researchers). During the class and in a presentation during the week, he demonstrated several tools that he refused to release due to their ability to cause mischief. Some of them had clear legal liability -- a tool designed for use at for-pay hotspots, for example. Some of them he simply deemed too dangerous to be released, such as the Bluetooth PIN cracker that he demonstrated in the presentation. He did provide some information on each tool and vaguely how they worked, but not enough to recreate the exploits.

      What he did do is present some mitigating steps, such as using IPSEC VPNs at hotspots, or using Bluetooth PINs of at least eight (and preferably 12 or more) digits in length (but since many device PINs cannot be set by their owners, people should at least be aware of the issue). The presenters did the same thing here, providing a work-around that mitigates the problem for the moment until the situation can be solved at a larger scale.
      --
      You can never go home again... but I guess you can shop there.
    7. Re:This seems a bit misleading... by Anonymous Coward · · Score: 3, Informative

      Actually the researchers explicitly mentioned that the card does not need to associate with an access point to be exploited.

  3. Flogging a dead Story by bananaendian · · Score: 5, Insightful

    ScuttleMonkey writes to tell us that apparently the 'plot-thickens' as some guy somewhere emailed that some people are 'theorizing' alternate motives for the Blackhats keeping wraps on their so-called 'exploit' (that they tried unsuccessfully to smear OSX security with).

    There is no new substance. This bone has been gnawed clean already. Sounds more like some people are making excuses for something...

    --
    www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
    1. Re:Flogging a dead Story by ErikTheRed · · Score: 4, Insightful

      Exactly. Let's see: lots of invective, mix in some conspiracy theories, and season with exactly zero facts. The article is nothing but a troll.

      --

      Help save the critically endangered Blue Iguana
    2. Re:Flogging a dead Story by pchan- · · Score: 5, Interesting
      Yes, you're exactly right. There's nothing to this story at all. ...Oh wait. What's this on Bugtraq? Let me paste the headline for you:

      Intel PRO/Wireless Network Connection Drivers Remote Code Execution Vulnerabilities. Look at that, a remotely exploitable security hole in the Wifi driver. Anyone using one of these things is vulnerable if they have not upgraded their Wifi drivers, regardless of OS. This was disclosed by the vendor (Intel).

      > Intel PRO/Wireless Network Connection drivers are prone to multiple remote code-execution vulnerabilities.
      >
      > An attacker within range of a vulnerable Wi-Fi station can trigger these issues to corrupt memory to execute code with kernel-level privileges.
      >
      > A successful attack can result in a complete compromise of the affected computer.

      I guess you were right. No facts, just theories.
    3. Re:Flogging a dead Story by und0 · · Score: 3, Insightful

      I don't understand, in the advisory and Intel page they talk about drivers, specifically Windows drivers. I've looked around but found nothing about updated firmware, so could this still be really used as a cross platform exploit?

    4. Re:Flogging a dead Story by someone1234 · · Score: 2, Funny

      No, it is illegal to use it as an exploit :)

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
  4. This is news? by FlyByPC · · Score: 4, Funny

    This is BlackHat, folks. They've probably hacked the water fountains to serve Bawls instead of water -- let alone installing a rootkit on a laptop.

    Slow news day, I'd say.

    --
    Paleotechnologist and connoisseur of pretty shiny things.
  5. dang! by DrKyle · · Score: 3, Funny

    And here I thought it was the black hat wife exploit, guess I'm not gettin' any from the missus tonight!

  6. what a load of crap by Anonymous Coward · · Score: 3, Interesting

    The presenters clearly got paid off by apple.. in the defcon talk they were whinging about the metasploit guys being offered $80,000 to $120,000 for unreleased exploits and they weren't prepared to release the code to the emails they got offering $10, $100, $1000 for the copies of the exploit

    That's why in the video they used a "generic" wifi card when they admitted the standard apple wifi driver is broken as well

    They said they haven't released the code because "they need to check all the apple platforms that are affected" IE they are waiting for apple to deliver them a whole bunch of free hardware

    These guys were complete sell outs -- no live demonstration because they were afraid that the WIFI would be sniffed at DEFCON..... so coming to a full disclosure conference they are basically saying they don't trust disclosing to the attendees...

    In the video they call the script "bad seed" so it's probably something to do with a PRNG in the crypto somewhere (or IV)

    1. Re:what a load of crap by Drizzt+Do'Urden · · Score: 2, Informative

      The Apple driver can make any card whose chipset is known to work.

      I've got a Sonnet PCMCIA card in my PB 400MHz whose chipset is the same as the Apple Extreme Card; when I plug it in, it's found as an AirPort card and I had nothing to install to make it work!

      Sad thing is, it's supposed to work on Windows 98/ME/2K/XP, but I didn't manage to do so yet!

  7. Can anyone confirm... by JonJ · · Score: 3, Interesting

    If this exploit exists on other platforms? Like say, the free Unix-clones like FreeBSD or Linux?

    --
    Linux user #369862
  8. Video of the exploit by AcgiGlyph · · Score: 2, Informative

    For those that couldn't make it, here is a video showing the exploit. http://video.google.com/videoplay?docid=-4415735958080028817

  9. Wifi Card used in exploit by pele_smk · · Score: 4, Interesting

    First hand: Ellch talked a lot about the timings and the reactions of wireless cards to certain packets, as well as the need for a less fatty and feature-full tcp/ip protocol. From the talk it sounded like Maynor developed the particular exploit. Ellch talked about his tool fuzze. Ellch's goal was to fingerprint particular wireless users and the driver model they were using....(to decide what Metasploit exploit you'll use this week) If I was a wireless guru, say like some of the other thousands alive, I could make a prediction. If they don't release the exploit soon, someone else will develop an equally powerful exploit into the wild. Buffer overflow the stack..... It's too fat and does more thinking than it should. I say patience is key. Even when they do develop the patch, how many coffee shop users don't apply patches? The biggest weakness in the attack is the fact that it sounds like a proximity attack. If you're not within wireless reach of the victim, you won't be able to attack them. That's just a guess since the video demo of the attack shows the attack from across a desk and not across the office. Cantenna anyone? Wifi-shootout?

  10. Not an apple wifi card. by Anonymous Coward · · Score: 2, Informative

    I think the comments about Apple's image are off. This was a third party card, NOT the built-in apple one. So it was probably based on a different chipset than the one Apple uses - otherwise they could just have used the built-in one.

    So, which card was it? Considering that most companies only threaten legal action, and researchers usually ignore the threats, a good guess that this is a company that is known to not only threaten. One that ISS had problems with before. In short: I bet it was a Cisco card. Not an apple card but a Cisco one.

  11. Well That's a Biased Article by logicnazi · · Score: 4, Insightful

    Now I'm a big fan of a policy of eventual public disclosure of exploits. The behavior of many big companies has shown that without the pressure of public knowledge of an exploit they will drag their heels about fixing the exploit. However, it is undoubtable that publicly making available details of an exploit without giving vendors a chance to create a patch increases the number of attackers who are able to execute attacks against that vendor's customers.

    Now there are reasonable people who believe this increased danger is pretty much always offset by the benefits of public knowledge of the risk, i.e., a vulnerability you know about is sufficiently less risky to justify disclosure. However it is disgustingly biased and misleading to not even acknowledge that some people and companies might reasonably believe total public disclosure harms the end customers. This is especially true when we are talking about the difference between revealing the existence of the exploit and revealing info that might enable someone to copy the exploit.

    Moreover, I didn't see the slightest evidence that it was outside pressure that caused this pair not to reveal the details. The tone of this cnet article seems to imply they made the choice themselves to be responsible which seems totally reasonable.

    Also I don't understand who would put this pressure on them unless it is the network card manufacturer. Macs, linux and windows machines are supposedly all affected so no one company would take a PR hit relative to others. Unlike the case with the cisco vulnerability.

    Yes it's true that vendors tend to be biased toward maintaining their good name. Just like real people they tend to be biased toward the answers that help them out but this is hardly dastardly. True I think they sometimes go too far and chill free speech and harm security research but this seems fairly rare and I see no reason to believe it is happening here.

    --

    If you liked this thought maybe you would find my blog nice too:

    1. Re:Well That's a Biased Article by CryBaby · · Score: 2, Interesting

      Those are good points, but the presentation is still highly problematic. Your conclusion is that it was their choice not to disclose details.

      That's as reasonable as any other theory, but then why do something so thoroughly confusing and potentially misleading as to prominently feature a MacBook in the video presentation but then use the 3rd-party card? Furthermore, in the video, Maynor says "Don't think, however, just because we're attacking an Apple [that] the flaw itself is in an Apple. We're actually using a 3rd-party wireless card." I don't detect any ambiguity in that statement. He's clearly stating that the flaw does *not* apply to Apple hardware and that's why he must use a 3rd-party card.

      Later he apparently said that the flaw *does* apply to Apple hardware. So which is it? There is no way to know. It is a direct contradiction.

      Furthermore, Maynor was quoted as saying something about wanting to stick a lit cigarette in the eye of Apple *users*, because he doesn't like the Mac ads(?!). This brings his motivations into question, and I think reasonably so. It's certainly not the comment of a professional researcher, whom one would hope would be above that kind of petty fanboyism.

      Anyway, I'm not defending the article here and I'm not defending Apple or claiming to have any specific knowledge about the situation. I'm just pointing out that the only words we have from Maynor himself about Apple's vulnerability to this attack is what I quoted above: that Apple hardware does not have this flaw. I think Maynor and/or his company end up looking like publicity whores with questionable credibility no matter how this ends up. Unfortunately, that only distracts people from the actual security issue at hand, whatever it may be.

  12. Equal opportunity sploit by wolfdvh · · Score: 5, Interesting
    I heard the presentation when it was repeated at DefCon and what was not vague was this exploit was at the card driver level below the OS, which is why it would work against any OS. They said they chose to demonstrate it on Apple rather than Windows because they thought if they'd used Windows, people would say "Of course, it's Windows, what did you expect." so by demonstrating it on a more "secure" (Mac) OS people would realize it was not just a Windows thing. Unfortunately, now everybody just thinks it's a Mac thing.

    Bottom line, assuming the demo is not a hoax, it will work against *nix, Windows, and Mac equally.

    1. Re:Equal opportunity sploit by k2r · · Score: 2, Insightful

      > exploit was at the card driver level

      Yep, and we still haven't been told which card driver they installed.

      That it wasn't the one Apple provided should be obvious - they would have used the built-in Apple Wireless, then.

      k2r

  13. The real problem by phantomfive · · Score: 2, Insightful

    A lot of people have posted so far saying, "It's OK that they didn't reveal the exploit, because it protects people from hackers until the fix is out." Which is probably true for the most part.

    However, these guys have given almost no information about the hack, making it impossible to protect yourself. Does your wireless card have problems? Do all wireless cards have problems? What can you do to protect yourself? Should you avoid using wireless at all? Is it a remote hack that can actually somehow enable the wireless card (through a secret back door or something)? We don't know. And by keeping these details secret, companies are hurting end users.

    It is good to let the company create a fix before the exploit is released, but it is also good to give the user enough information to defend himself.

    --
    Qxe4
  14. Was it root by INeededALogin · · Score: 2, Informative

    From the presentation... it seems that he didn't have a root shell, but only a user shell on Apple. Why just play on the user's Desktop? He should have edited some serious files like /etc/shadow, /etc/password or /usr/local/etc/sudoers. He could have at least used the "say" command in the demo to have the Mac say that it had been owned by Johnny Cache. That would have been a nice touch.

    My main reason for believing that he had the logged in user's access is due to the fact that wireless is not system wide on Apple, but is started when a user logs in. If you change users(fast user switching etc...) then all your network connections drop as the wireless is restarted with the new user.

    1. Re:Was it root by LexNaturalis · · Score: 2, Informative

      They discussed why your comment is completely baseless while at DefCon. This was a kernel-level (as it was driver-based) exploit so asking if they had "root" is to demonstrate a fundamental lack of knowledge of the OSI model. The driver itself is what was being exploited which is being run by the kernel. There is absolutely no root v user shell debate in this exploit.

      --
      Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened.
    2. Re:Was it root by LexNaturalis · · Score: 2, Interesting

      You're right, it wasn't discussed on Slashdot so if you weren't at BlackHat or DefCon I suppose it's fair that you might not have heard the discussion.

      In essence, based on my understanding of the exploit and the way the 802.11 device drivers work, the shellcode exploit is actually executing in the kernel. It's executing below the point (On the OSI model) where a root v non-root account would make any difference. I'll grant that a demo of root activities would be more visual, but I believe that academically it can be said that they're neither root nor non-root. They're actually "kernel."

      --
      Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened.
    3. Re:Was it root by dodobh · · Score: 2, Insightful

      A driver level exploit gives you ring 0. Who cares about shells when you 0wn the kernel itself?

      --
      I can throw myself at the ground, and miss.
  15. Re:Still fishy... by thegrassyknowl · · Score: 4, Insightful
    > And, one thing I still miss out of this.. What sharing service needs to be active? It's one thing to connect to the WiFi on a computer.. But some service has to be active for file system access.. SMB? AFP? SSH?? Given the use of 3rd party WiFi hardware, and the default config of MacOS X to have all sharing services turned off.. Does this work when a Laptop is already connected to a network? Um, what are we really looking at here? A lot of questions, with very little info..

    This is not a simple matter of exploiting a service. The machine might not even need any publicly accessible services for this attack to be effective.

    We all know that wireless cards require soft firmware and drivers in the OS these days. The point is that it's possible to exploit the drivers with specially crafted packets and make the OS run arbitrary code that it thinks is the Wireless driver.

    Running code at the level of the OS brings with it full control over the machine. The OS trusts the drivers 100% on almost every system I've used. This means your newly running code can take full control of the machine, and probably even download more code, sniff on you, etc.

    It should be possible to exploit this attack even if the machine is connected to a trusted network. All you need to do is send it packets on that network (or pretend to be on that network).

    The demo might have been vague, but it still points out some serious flaws with wireless systems on modern operating systems - anyone can send you packets and the OS trusts the software processing those packets 100%...

    --
    I drink to make other people interesting!
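The Intel advisory quoted earlier in this thread and the comment above both describe the same defect class: a driver that parses attacker-supplied 802.11 frames in kernel context and corrupts memory when it trusts a length field. The following is an added example (not code from the thread, the presenters, or any vendor driver) of how a defensive parser for the tagged information elements (IEs) in a beacon or probe-response body handles that input. The frame layout (1-byte element id, 1-byte length, payload; SSID limited to 32 bytes) is the real 802.11 encoding; the sample frame bodies, function names and result codes are constructed for this example.

```c
/* Added example: bounds-checked 802.11 information-element parsing.
 * Not from the Slashdot thread or any real driver; the sample bodies
 * below are constructed by hand. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID 0            /* element id of the SSID IE (802.11) */
#define SSID_MAX_LEN 32      /* 802.11 limit for an SSID */

/* Why a frame was accepted or rejected. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,     /* declared IE length runs past the frame */
    PARSE_OVERSIZED = 2,     /* SSID longer than the 32-byte field */
    PARSE_NO_SSID = 3        /* well-formed, but no SSID IE present */
};

struct ssid_info {
    uint8_t len;
    uint8_t ssid[SSID_MAX_LEN];
};

/* Walk the IE list in body[0..body_len) and extract the SSID.
 * The defect this guards against is copying `len` bytes into the fixed
 * ssid[] field without checking it: here both checks happen before any
 * copy, so the function never reads past body_len and never writes more
 * than SSID_MAX_LEN bytes. */
enum parse_result parse_ssid_ie(const uint8_t *body, size_t body_len,
                                struct ssid_info *out)
{
    size_t pos = 0;
    while (pos + 2 <= body_len) {            /* need id and length bytes */
        uint8_t id = body[pos];
        uint8_t len = body[pos + 1];
        if (pos + 2 + (size_t)len > body_len) /* length overruns the frame */
            return PARSE_TRUNCATED;
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)          /* untrusted length vs fixed buffer */
                return PARSE_OVERSIZED;
            out->len = len;
            memcpy(out->ssid, body + pos + 2, len);
            return PARSE_OK;
        }
        pos += 2 + (size_t)len;              /* skip IEs we do not care about */
    }
    return PARSE_NO_SSID;
}

/* Constructed sample bodies (the bytes after the 12 fixed beacon fields). */
static const uint8_t good_body[] = {
    0x00, 0x04, 'c', 'a', 'f', 'e',          /* SSID "cafe" */
    0x01, 0x02, 0x82, 0x84                   /* Supported Rates IE */
};
/* SSID IE claiming 10 bytes while only 4 are present in the frame. */
static const uint8_t truncated_body[] = { 0x00, 0x0a, 'c', 'a', 'f', 'e' };
/* SSID IE claiming 40 bytes: more than the 32-byte field can hold. */
static uint8_t oversized_body[2 + 40 + 4];

/* Fill oversized_body and return it with its length. */
static const uint8_t *build_oversized(size_t *len)
{
    oversized_body[0] = IE_SSID;
    oversized_body[1] = 40;
    memset(oversized_body + 2, 'A', 40);
    oversized_body[42] = 0x01; oversized_body[43] = 0x02;
    oversized_body[44] = 0x82; oversized_body[45] = 0x84;
    *len = sizeof oversized_body;
    return oversized_body;
}

int main(void)
{
    struct ssid_info info;
    size_t n;
    const uint8_t *big = build_oversized(&n);
    printf("good: %d\n", parse_ssid_ie(good_body, sizeof good_body, &info));
    printf("truncated: %d\n", parse_ssid_ie(truncated_body, sizeof truncated_body, &info));
    printf("oversized: %d\n", parse_ssid_ie(big, n, &info));
    return 0;
}
```

The two rejected cases are the ones a fuzzer like the one Ellch described would hit first; a driver that only checks one of them (or neither) is exactly the kind of "sloppy driver implementation" the presenters and the Intel advisory are talking about.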
  16. WHO has theorized? by Rogerborg · · Score: 3, Insightful

    Some have theorized that if you don't quote your sources, then you're just full of shit.

    --
    If you were blocking sigs, you wouldn't have to read this.
  17. Occam's razor by gnasher719 · · Score: 4, Insightful

    What is more likely: (A) A vulnerability exists in at least two WiFi implementations (some external card, and Apple's internal Airport), which allows systems to be compromised independent of which operating system is running, or (B) two guys who want their fifteen minutes of fame doctor a video, claiming that they can crack any Mac with WiFi within 60 seconds, conveniently being so vague that nobody can verify or refute their claim, adding in a bit of conspiracy theory (pressure from Apple) on top of it?

  18. Re:Still fishy... by gnasher719 · · Score: 3, Interesting

    ''This is not a simple matter of exploiting a service. The machine might not even need any publicly accessible services for this attack to be effective.''
    That is the claim being made, and it would be frightening if true. We have not seen any reliable evidence of this so far.

    ''We all know that wireless cards require soft firmware and drivers in the OS these days. The point is that it's possible to exploit the drivers with specially crafted packets and make the OS run arbitrary code that it thinks is the Wireless driver.''
    That is the claim that has been made. We have not seen any reliable evidence of this so far. I think it would be quite easy to own a Macintosh running MacOS X if you use an external card needing a driver, and you install your own, specially crafted driver on the machine that will do exactly what you want. We have no evidence that this works when using the preinstalled Apple driver or the manufacturer's driver for the card.

    ''Running code at the level of the OS brings with it full control over the machine. The OS trusts the drivers 100% on almost every system I've used. This means your newly running code can take full control of the machine, and probably even download more code, sniff on you, etc. ''
    May be true, but there is no evidence that you can take control of a driver as it was claimed.

    ''It should be possible to exploit this attack even if the machine is connected to a trusted network. All you need to do is send it packets on that network (or pretend to be on that network).''
    And possibly go to the machine you want to exploit first with a CD in your hand, and install your replacement drivers.

    ''The demo might have been vague, but it still points out some serious flaws with wireless systems on modern operating systems - anyone can send you packets and the OS trusts the software processing those packets 100%...''
    The demo may have been vague because it was a hoax. So far this seems much more probable to me.

  19. attention by grrrgrrr · · Score: 2

    I think a security expert needing some attention mentions Apple. I think being vague is probably motivated by some dishonesty.

  20. Methods of Disclosure by Ravenium · · Score: 3, Informative

    Without any detailed disclosure, sure, the craftiest people will determine how to perform said exploits. However, there are very, very few of these compared to the script kiddies that will show up if you hand out the source and/or a road map to every Tom, Dick, and Harry. At least they're giving Apple (and others) a chance to address the problem by pointing out that there IS a problem.

    I'm not buying the people who are upset at a lack of full disclosure because they are "unable to protect themselves". If there was a way to protect yourself, sure, perhaps you could tell people how to do it. However, judging from the presentation itself (at Defcon), there really IS no way other than mutilation of the driver itself (see the slide with the Nintendo DS) to quickly defend one's system. Not only would this significantly break a lot of things, most users wouldn't know the first thing about doing it.

    The root causes as outlined in the presentation were a combination of a poorly planned and thought out protocol (802.11) and a quick-to-market rash of sloppy driver implementations, and it's going to take nothing less than at least a driver patch (or in a fantasy world, an overhaul of existing wireless protocols...802.11 lite if you will).

    So quit accusing the presenters of being motivated by greed, stupidity, or other such notions - the best way to secure users at this point is to speak with the manufacturers directly and attempt to achieve a patch, not to detail how to break into every last miscreant on the planet. The authors are starting to do this by their dealings with Apple.

    Oh, and for those of you that missed the FAQ at the end of the presentation:

    -Yes, it affects the kernel, which means it's >= root/Administrator on any system

    -It's a driver/spec implementation issue, which means it's not an OS-specific problem. The use of an Apple machine in order to show that "any" platform is at risk was meant to illustrate this.

    -The money slide was a joke meant to show how lightly many people were taking this issue. I have no way of proving the intentions of the presenters, of course, but I believe this was the case - they stated their intention was to get this problem addressed through discussion, not money.

    All in all, easily my favorite defcon session (unless you count the shots of 151 distilled through peppers). Thanks, guys!

  21. When to disclose exploits by qazwart · · Score: 2, Informative

    The presenters were very specific. The security hole discovered is below the OS level and is in the drivers. Drivers are written by multiple parties and have always been a vulnerable part of the system. However, before you had to be physically connected to the system to exploit a driver hack. That itself made drivers pretty secure. After all, not too many people install hard disk drivers they get in random emails. With WiFi, you no longer need a physical connection, and therefore the danger. Mac, Linux, Unix, BSD, and even (gasp!) MS-Windows are all exploitable to this hack.

    This exploit was kept under wraps to allow vendors to release security fixes before the exploit spreads to every two-bit kiddy scripter around. It doesn't make much sense releasing information on how to implement this exploit when there really isn't too much you can do to stop it. It's the reason why the presentation was done on video and not live.

    Of course, once the exploit is known to exist, it is only a matter of time before someone else finds it and implements it. I already know at least one person who is on his way to duplicate it, so the vendors better hurry up and fix the security hole. Apple and Microsoft can't take their merry ol' time fixing this one.

  22. Re:Why not demo it on multiple platforms then? by daveschroeder · · Score: 2, Informative

    They specifically said it was exploitable on Linux and Windows. They chose Mac OS X because they said that Mac users had a "smug" attitude about security and wanted to show something like this could be done on Mac OS X as well.

    So no, it's not speculation that exploitable on other platforms, because the presenters themselves said it was, and specifically said they ultimately chose to demo it on the Apple platform for the reason stated above.

    On that note, though, I do agree that the reasoning to use a third-party wireless card in the MacBook was shaky. They said they used it so as not to draw attention to the fact that the internal wireless card in the MacBook is vulnerable, even though they specifically state that the internal card is vulnerable. So how does this do anything to not draw attention to that, given that now, everyone thinks this is an exploit affecting only MacBooks, and not even any other Apple products with the Atheros card, much less any other platform under the sun?

    John Gruber has a very good writeup on this issue here: http://daringfireball.net/2006/08/krebs_followup

    As for "why not demo it on multiple platforms", it sounds like this little exploit is not nearly as easy to set up and take advantage of as they imply. The above writeup also touches on the motives of the presenters as well ("if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something"). Yeah, no bias there!

  23. don't be so sure by r00t · · Score: 2, Interesting

    If the bug is in the firmware, you'll be the last to get a fix.

    If I can take over the card's internal CPU (probably running a tiny real-time OS) then I can use that to write anywhere in memory. I can patch any part of your kernel I like. It doesn't matter if your driver is good or not.

  24. Conference Location by h4ck7h3p14n37 · · Score: 2

    Why is this conference still being held in the United States? To me, it would make much more sense to host it somewhere where law enforcement is less likely to hassle people.

  25. Disk Drivers | OpenFirmware | Bios & "HW Amnes by not_hylas(+) · · Score: 2, Interesting

    Some Crackers have been doing this for a while, (we are way behind) look within your disk formats and OpenFirmware/Mac, Bios/PC, crack once - stay forever.
    Time to start really paying attention, look for "bad boot blocks" for pre boot networking prefs.

    This guy's got a clue:

    http://www.securityfocus.com/columnists/402

    Check the comments too.
    Think about an intentional misconfig of your monitor settings (UNIX) now.

    Required reading:
    Reflections on Trusting Trust
    Ken Thompson

    http://www.acm.org/classics/sep95/

    --
    ~hylas