"Month of Kernel Bugs" Project Head Interviewed
An anonymous reader writes "November has been labelled the 'Month of Kernel Bugs' in security circles. The Month of Kernel Bugs began on November 1, with the publication of a vulnerability in Apple's AirPort drivers. SecuriTeam blogs did an interview with LMH, who hosts the project."
Who is LMH?
This sounds useful, and it'll be interesting to see how different kernel developers respond to flaws in their kernels being published on a regular basis. I suppose some of them would prefer to just keep a private communication line with MoKB open, and some would prefer otherwise.
phailed ;)
A widely-deployed wireless driver from Broadcom was published today (http://projects.info-pull.com/mokb/MOKB-11-11-2006.html). This is the first remote published, public exploit that abuses a driver flaw to execute arbitrary shellcode :-)
What they found was actually a general flaw in wireless drivers that comply with the Wi-Fi standard. Why do self-appointed security experts always seem to have to find something wrong with Apple (and incorrectly) to prove their mettle?
Doh, wrong button :-)
A remote exploit for a widely-deployed wireless driver from Broadcom was published today. This is the first remote public exploit that abuses a driver flaw to execute arbitrary shellcode :-)
Maybe because it gets more press?
This message was brought to you by "Lack of Sleep."
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Worse, why does it get reported like it's the only vulnerability? We have known the 802.11 standard was very insecure for years at this point.
"Slashdot, where telling the truth is overrated but lying is insightful."
The bug I found is not due to the card "complying with a standard", it's because the first-generation Airport driver (the latest one available at that) has a bug that allows someone to run code in your kernel from a distance. Maybe I missed the "ieee80211b-pwned" spec, but this doesn't seem like good behavior.
Why is it that Apple supporters are in such denial about their favorite products having security flaws? This bug was one of many in the Airport drivers and one of an even bigger set of wireless exploits that we plan on releasing. A Broadcom bug was released today which likely affects more systems than Apple has ever shipped.
...who modded this funny?
*smack*
Bad mod! No cookie! (except the one from XXX-hawt-slutty-shemales-dot-com that's hacking your wireless, obv)
Care about privacy? Read this!
I have never been involved, even peripherally, in kernel development, so I thought some of LMH's comments on how security concerns are addressed there were interesting.
In particular, he remarks: "Another point is actually that silent patches are much more popular in kernel development. Remote denial of service issues may be patched under rather fun terms like 'this may dereference a null pointer', 'foo is signed when it should be unsigned', etc. And some kernel interfaces are literally a royal pain to work with. Filesystem code itself is a rather complex part of the kernel as it deals in low-level with things we typically know 'abstracted' (ex. you copy files, you don't deal with inodes, blocks, etc)."
This seems rather contrary to the OSS development model in general, and if it's something that's happening a lot, it seems as though something's wrong, procedurally. Why is all this buggy code getting in, in the first place? While I'm aware that a lot of Linux people don't like BSD or its development methods, maybe there needs to be some sort of stricter review process for contributions.
If there was one place where transparency and accountability were most important, it seems like it would be in the Linux kernel, it being arguably one of the most important projects, or at least most visible, that the F/OSS movement has produced.
I'm not sure this is true. I don't think the vulnerability was in all wireless drivers; that would just be too weird. There are hundreds of different WL chipsets and driver stacks; not all of them are written that crappily. A good many may be, but not all.
There was apparently a problem in Apple's drivers, as well as in a lot of other closed-source drivers. In fact, when those two guys did the "Hack a MacBook's Wireless in 30 Seconds" demo (of which I am a bit ashamed to admit I submitted the /. article for), they weren't even using Apple's wireless card or drivers, they were using a third-party one, and then just implicated Apple later.
If you read a few posts up in the thread you'll see that they have now found a pretty big hole in Broadcom's (assumedly Windows) drivers for wireless cards, where transmitting a specifically crafted SSID can result in kernel-mode code execution.
I think Apple got hit because it was a big target; since Microsoft doesn't specifically (to my knowledge) make WL drivers, and Apple being bigger than any single third-party WL-card vendor, when people found a vulnerability affecting many drivers and chipsets, they went for the one that would get them the most press coverage. While I can't condone this (since I think it involves fear-mongering and pandering to the knee-jerk Apple-haters), it's not hard to understand.
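As an added illustration (not code from the page, from LMH, or from any vendor's driver) of the pattern the post above describes, the C below models an 802.11 SSID information element whose attacker-controlled length byte (0..255) is copied into a fixed 32-byte slot, next to the bounded version that rejects oversized elements. The record layout, the element walker and the beacon blob are all constructed for the example and say nothing about how the Broadcom or Apple drivers were actually written.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32   /* 802.11 caps an SSID at 32 octets */
#define IE_SSID   0   /* element ID of the SSID information element */
#define IE_RATES  1   /* element ID of Supported Rates */

/* Hypothetical per-network record as a driver might keep it: a 32-byte
 * SSID slot immediately followed by other state. */
struct bss_record {
    uint8_t ssid[SSID_MAX];
    uint8_t other_state[256];
};

/* Walk the tagged-parameter area of a beacon/probe response and return a
 * pointer to the SSID element header (ID byte), or NULL if absent/truncated. */
static const uint8_t *find_ssid_ie(const uint8_t *ies, size_t ies_len)
{
    size_t off = 0;
    while (off + 2 <= ies_len) {
        uint8_t id = ies[off], len = ies[off + 1];
        if (off + 2 + len > ies_len)
            return NULL;                /* element runs past the frame */
        if (id == IE_SSID)
            return ies + off;
        off += 2 + len;
    }
    return NULL;
}

/* Vulnerable pattern: the element's length byte is trusted and copied into a
 * 32-byte slot. The copy targets the record's own storage so the overrun stays
 * inside the object; returns 1 if bytes beyond the SSID slot were clobbered. */
int parse_ssid_unchecked(struct bss_record *rec, const uint8_t *ies, size_t ies_len)
{
    const uint8_t *ie = find_ssid_ie(ies, ies_len);
    if (!ie)
        return 0;
    memset(rec, 0, sizeof *rec);
    memcpy((uint8_t *)rec, ie + 2, ie[1]);   /* BUG: no len <= SSID_MAX check */
    for (size_t i = 0; i < sizeof rec->other_state; i++)
        if (rec->other_state[i] != 0)
            return 1;                         /* adjacent state overwritten */
    return 0;
}

/* Hardened version: reject any SSID element longer than the slot.
 * Returns the SSID length on success, -1 on a missing or oversized element. */
int parse_ssid_checked(struct bss_record *rec, const uint8_t *ies, size_t ies_len)
{
    const uint8_t *ie = find_ssid_ie(ies, ies_len);
    if (!ie || ie[1] > SSID_MAX)
        return -1;
    memset(rec, 0, sizeof *rec);
    memcpy(rec->ssid, ie + 2, ie[1]);
    return ie[1];
}

/* Build a constructed tagged-parameter blob: SSID element then a two-rate
 * Supported Rates element. Returns bytes written, 0 if it does not fit. */
size_t build_beacon_ies(uint8_t *out, size_t cap, const uint8_t *ssid, uint8_t ssid_len)
{
    size_t n = 2u + ssid_len + 4u;
    if (cap < n)
        return 0;
    out[0] = IE_SSID;  out[1] = ssid_len;
    memcpy(out + 2, ssid, ssid_len);
    out[2 + ssid_len] = IE_RATES; out[3 + ssid_len] = 2;
    out[4 + ssid_len] = 0x82;     out[5 + ssid_len] = 0x84;  /* 1 and 2 Mbit/s */
    return n;
}

/* Feed a 200-byte SSID (the crafted case) to either parser. */
int run_oversized(int checked)
{
    uint8_t ssid[200], ies[512];
    struct bss_record rec;
    memset(ssid, 'A', sizeof ssid);
    size_t n = build_beacon_ies(ies, sizeof ies, ssid, sizeof ssid);
    return checked ? parse_ssid_checked(&rec, ies, n) : parse_ssid_unchecked(&rec, ies, n);
}

/* Feed a normal 3-byte SSID to either parser. */
int run_benign(int checked)
{
    uint8_t ies[64];
    struct bss_record rec;
    size_t n = build_beacon_ies(ies, sizeof ies, (const uint8_t *)"lab", 3);
    return checked ? parse_ssid_checked(&rec, ies, n) : parse_ssid_unchecked(&rec, ies, n);
}

int main(void)
{
    printf("unchecked, 200-byte SSID: overflow=%d\n", run_oversized(0));
    printf("checked,   200-byte SSID: result=%d\n", run_oversized(1));
    printf("unchecked, 3-byte SSID:   overflow=%d\n", run_benign(0));
    printf("checked,   3-byte SSID:   result=%d\n", run_benign(1));
    return 0;
}
```

In a real driver the bytes past the slot would be whatever the allocator or stack placed there, which is why a frame any nearby radio can transmit turns into kernel-mode code execution; the fix is the single length comparison in parse_ssid_checked, applied before the copy.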
Who's LMH? The article just assumes you know who that is!
umm maybe because it is not just an 'APPLE' flaw. It is the attempt to hide this that is the problem. Look at it this way.
THE BATTERIES IN APPLE COMPUTERS ARE ALL GOING TO BURN (and all other computers using batteries from the same plant in china will do the same thing.)
Yes, apple products have their 'issues' - but FUD is FUD. Good you found a bug. Next time do your homework and figure out where the bug is really from.
Go ahead and mod this as flamebait - it is - but it is also the truth.
It was the nearest they could get to +1 Phunny, I'm guessing...
If you're after more info on the Month of Kernel Bugs, check out the blog
No, this isn't my blog, and I've got nothing to do with it, it's just that it's not linked to or mentioned in the main story...
Specialist Mac support for creative pros, Melbourne
I probably should have been more clear -- I wasn't implying that OpenBSD or any other kernel has fewer bugs than Linux; I haven't reviewed the code so I can't say that. However, regardless of which OS or kernel we're talking about, if people are recognizing and fixing bugs silently, and disguising or obscuring their patches, then it makes it very hard to get an idea of how many bugs are actually there, and at what rate they're being fixed.
It was more the practice of silently or clandestinely fixing bugs, without pointing out that the bug was there even after it's fixed, that seems like it's a problem. It means that contributions are going into the kernel tree that aren't well understood except by the person who's submitting them, or at least that's the impression that I get.
It's really that -- not-well-understood patches being submitted and accepted -- which I think is an issue. The relative merits of Linux vs OpenBSD isn't a can of worms I wanted to open up, except in how their processes for reviewing and accepting code differ.
I believe your answer is that Apple apologists thrive on the perfection of their system in comparison to others. Within their circle, they bitch about things like how the Finder sucks, but comparison to outsiders is a united front. Things like rooting their box remotely are a sore spot, because that's their best argument against Windows. These kinds of bugs give the Windows people a chance to respond, whereas the Apple apologists would prefer them in stunned silence.
-A faithful, but realistic Apple user/developer
Maybe it has something to do with this quote: 'One rotten (or bad) apple spoils the barrel.'
I don't think they are; in fact, I think most, myself included, are pleased that there are people working to improve the security of Apple's systems and who call them out when they get it wrong.
The entire problem with the Ellch & Maynor Black Hat affair is that there's been *absolutely no proof* presented of an exploit to Apple's Airport Express drivers, for whatever reason. To do a demo with an Apple laptop, 3rd party card and drivers AND only provide a videotape? That's not the recipe for a great presentation, by a long way.

Still, I must admit to being conflicted about the whole thing. I've read the Daring Fireball/John Gruber coverage, which provides the more popular angle that Ellch and Maynor are full of shit and did the whole thing purely for the publicity of hacking Apple hardware, and generally have a lot of respect for Gruber's journalism: he usually "hits the nail on the head", so to speak, providing an insightful angle more often than not. On the other hand, I broadly understand how buffer overflows work (thanks to the seminal Phrack article "Smashing the Stack for Fun and Profit" by Aleph One), have read some of Ellch's papers (such as the SecurityFocus article on wireless fuzzing and his discussion of a Centrino Wi-Fi bug/race condition) and he does seem to know what he's talking about. But why no proof? That's the central issue.

As a responsible security professional he/they may be withholding information until a fix is provided, but there should be -- in my opinion, HAS to be -- limits to this. I've read many discussions on the issue of disclosure and think it's perfectly reasonable to put a timeframe on such information, i.e. you've got, say, 50 days to fix this bug before I go public, otherwise companies may well do nothing to fix the problem. Pressure from Apple's legal department? I don't buy it; surely they'd have a decent lawyer who would be able to back up their side of things and allow them to release details with confidence? After all, similar situations have happened before with other companies and the researchers haven't been pressured into silence.
I'm also not convinced that Apple's subsequent fix/update of the drivers was due to information provided by Ellch/Maynor because if it was, how come they've not published the exploit? But still, I'm not sure either way. Does the proof exist? I don't know. Like I said, I'm fairly conflicted about the entire thing! :)
The other problem I have is that, following on from the above media frenzy, the Airport exploit (your one? Presumably found by fuzzing?) is for the older generation of Apple hardware. It's NOT for *Airport Express* (802.11g) drivers, it's for the older 802.11b-only class of hardware. Apple haven't shipped these machines in what, two years? Frankly I find it hard to swallow all the hype of the media reports when it's for a previous generation of hardware, and find the whole media coverage disingenuous at best and deliberately misleading sensationalism at worst. Please don't take this as a criticism of your work, I find the exploit and the issues it raises interesting -- it proves that Apple's driver code wasn't (and therefore, may still not be) flawless, for one -- my problem is with the quality of the reporting, not the exploit itself. This type of journalism doesn't help anyone, it merely polarises both camps into "Apple is invulnerable" vs. "Mac users have their heads firmly in the sand", neither of which is particularly true.
What we need is more informed, insightful commentary... preferably along with some proof-of-concept Metasploit shellcode ;)
Try putting a fresh 10.4.8 install on an Intel Mac and running the new Broadcom exploit against it. Now try it with the patch Apple released a month after the Black Hat presentation. Is this the same bug? Did they reverse engineer Apple's patches to find this? Why are they NOT claiming that this is the infamous bug? Why would they bother faking an exploit in the first place? Why isn't Apple listed as a vulnerable vendor in the MoKB advisory? My opinion is that the rabid response of Gruber's fans has turned them off from ever "addressing" the Mac community with any "proof" they have to offer. Regarding the old Airport bug I found -- it's the hardware I happened to have. If you want to send me a shiny new Intel Mac, I would be more than happy to start dumping wireless driver bugs for that platform as well. Hardware hacking is expensive dammit :-)
Thanks for the reply. Those are some interesting questions, indeed; I would love to try that out -- for instance, does this (on OS X) cause a kernel panic or can arbitrary code be executed? -- if I could afford an Intel Mac myself ;) (It'd also be handy to do an Intel build of MPlayer for OS X as the official site's Mac binaries are still out of date, I've done a PPC build which I'll distribute unofficially once I'm back home and off the slow-as-molasses GPRS.)
Speaking of which, while I definitely can't buy you an Intel Mac outright I certainly would donate some money. If you set up an official Metasploit-sponsored "get us an Intel Mac so we can fuzz it" site with a Paypal account and aim for a common model, say, a current Intel Mac Mini or entry MacBook, then I'd gladly throw you $20USD and I'm sure plenty of other people would, too. After all, I want as secure a machine as possible and would be happy for more security researchers to target the platform. (Though I do suspect that the Airport Express drivers may now be a significantly harder target than they were a few months ago. Perhaps focussing in a different direction would be more successful, e.g. the Bluetooth drivers?)
It'd be a real shame if Ellch and Maynor, if they truly did find a kernel exploit in the Apple Wi-Fi drivers as you imply, left the situation as it currently stands; their reputations, to many, have been severely tarnished. The handling of events on both sides has been poor and the truth, whatever it is, hidden under a big pile of spin. I'd like some straight answers, specifically to my previous questions and to the points and inferences you raise in your post, devoid of anger or resentment towards any particular party, and if the above donation would help me get that then it'd be money well spent.
2006-11-01 20:15:43 Month of Kernel Bugs (IT,Security) (rejected)
oh wait