MacBook Wi-Fi Hijack Details Finally Released
Wick3d Gam3s writes "Hacker David Maynor attempted to put the strange tale of the Macbook Wifi hack to rest, and offered an apology for mistakes made. All this and a live demo of the takeover exploit was made at a Black Hat DC event yesterday. Maynor promised to release e-mail exchanges, crash/panic logs and exploit code in an effort to clear his tarnished name. Said Maynor: 'I screwed up a bit [at last year's Black Hat in Las Vegas]. I probably shouldn't have used an Apple machine in the video demo and I definitely should not have discussed it with a journalist ahead of time ... I made mistakes, I screwed up. You can blame me for a lot of things but don't say we didn't find this and give all the information to Apple.'"
Am first to post... In an Applesky sort of way.
...that he could gain complete access over the machine? Frankly, I wouldn't even be surprised if he did some old-fashioned reverse-engineering of the patch to create the exploit for the older boxes.
Apple came out with a patch that addresses this issue:
http://news.com.com/New+Apple+patch+plugs+Wi-Fi+hijack+flaws/2100-1002_3-6118245.html
The article doesn't mention if the machine he used in the demo had this patch. And if so, that may imply that the patch has holes.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
What's the point?
(1) I would and do release immediately security faults I find. (have found some).
(2) If someone says I did not find it or throws smut at me I'd sue - all the media running such articles which falsify my work or findings.
So simple.
Companies do act and correct bugs faster when security faults are released.
Apple iSucks my nuts.
This guy finds a bug, announces to the world that he found it (his mistake by not telling apple first), and then Apple threatens him legally.
Apple is a bunch of lawyer happy assholes. They have proven it over and over.
Love the product but I fucking iDespise the company.
John Gruber is laughing his ass off.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
I await the promised publishing of the email exchanges with Apple on his blog. If he shows that he actually did provide Apple with details on the exploit, then he might restore some credibility. As it stands, however, his demo yesterday sounds like more of the same obfuscation that has characterized this whole incident.
1) In the original demo, he gained command-line access to the target machine (using a third-party wireless card). The claim was made to Brian Krebs in the Washington Post that the built-in wireless was similarly vulnerable (which would be far more relevant, since all MacBooks have built-in wireless). Yesterday's demo showed a crash of the target machine. That's bad, but he still has not demonstrated a takeover of the MacBook using the built-in wireless after all this time.
2) The fact that Apple's patch addresses the flaw that caused the crashing does not prove that Maynor engaged in responsible disclosure. Apple has said that Maynor provided them with no code or other details about the exploit, and that they did their own investigation. The investigation, according to Apple, revealed a flaw, leading to the patch. The issue is NOT whether a flaw existed. All Maynor demonstrated was that Apple's security patch works, which is really not that enlightening.
Why didn't he simply show a repeat of the same thing he demonstrated before--a takeover of the machine?
Because "a magician never repeats a trick."
"How to Do Nothing," kids activities, back in print!
It was a WiFi-borne hack and he was at Black Hat. So there were lots of sniffers going and everybody gets a copy of whatever he does.
So he just demoed (and thus released) the DoS, not the root exploit - which he DID have the code to perform but didn't want to release (by demoing).
Apple admitted the vulnerability WAS a root exploit.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
No, I think the grandparent just found your 'evidence' unconvincing, to say the least, and yes, Maynor does sound like a hoax, because he talks a lot about evidence and then doesn't present any.
The Register is in no sense reliable, it's a great example of sensationalist tabloid journalism, but it's about as reliable as a Slashdot article if you're looking for facts.
No this is like someone saying "Hey I found this $10,000 rolled up in a neat little ball from Apple on my doorstep, but for security reasons I can't actually show it to you. Here are some pictures though."
Apple denies that it has anything to do with the money. Later Apple reports that during an internal audit they noticed that they lost $10,000 in that person's neighborhood.
Conclusive proof that that person found $10,000 of Apple's money, or any money for that matter? No. But it doesn't mean it didn't happen.
What little "evidence" he's provided actually seems to discredit him further.
He keeps claiming that he found an exploit and reported it to Apple, but that the emails he exchanged with them aren't his property. But why can't he finally---for once---be quite explicit about what he did and when?
He won't because it seems to support the story that came from Apple: that he found some kind of wifi vulnerability in *something* but completely and utterly failed to demonstrate how it could affect any stock Apple product. The demo last year did *not* use the MacBook's built-in wifi card or driver. And the only data that he's actually said he sent to Apple was how to set up a Linux machine to demonstrate a wifi exploit.
Best case: he found some kind of bug which was common in wifi drivers, acted incredibly unprofessionally in the way he reported it (preferring FUD to concrete warnings), and tried as hard as he could to get publicity by pretending it had anything to do with Apple.
Worst case (that I think is still quite likely): he never really found anything, and has been working his ass off the last six months trying to find any kind of wifi bug that Apple fixed between 10.4.6 and 10.4.8 that he can claim was the basis for his original exploit. The argument "if I could find a bug based on a patch, then I could have found the bug without the patch" is absurdly disingenuous: more information can only help you. Throw in an extra six months to work on the problem, and a demo now is quite a different achievement than it would have been when he claimed he did it.
All we know is that there used to be some kind of bug in 10.4.6 which was fixed in 10.4.8 (which is exactly what Apple said in the release notes)---there is zero new evidence that any exploit existed six months ago, and there is zero evidence that Maynor/Ellch provided any technical assistance to Apple in finding this bug.
Maynor still hasn't actually posted the data he has promised (and hasn't said exactly what this data is), he's not giving straightforward answers to simple questions, and he's refusing any critical comments on his blog.
This is a long way from a vindication for him...
> 1) he finds a bug, but he can't quite manage to exploit it. He can crash the machine (and that's a bad thing) but it doesn't *necessarily* mean he can exploit it.
:P
When it's due to memory corruption and when you can overwrite certain registers, it DOES mean that arbitrary code execution is possible. It may be pretty damn difficult to get just the right values in there, but this is one case where you can be 99.999% certain that it really is exploitable.
If you don't believe me, please give a non-contrived example where you can do something like overwrite the EIP with an arbitrary value and still not be able to execute arbitrary code.
Sorry, but sometimes you really *can* know that crash == remote code execution, even if getting exactly the values you want to make the exploit work is hard.
Lastly, the "extraordinary" in "extraordinary evidence" is a purely subjective matter. It has no place in what should be an objective pursuit. If you don't believe me, please provide "extraordinary" evidence of it, because I don't believe you.
I'm still waiting for a demo of this phantom exploit on a Windows machine:
"Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said." -- Hijacking a Macbook in 60 Seconds or Less
Actually, what I'm really waiting for is for Maynor to stop opening his mouth.
Don't become a regular here -- you will become retarded.
Watch the video linked in the message above
It is obvious he faked the exploit, the video clearly shows the Mac WAS NOT running the wireless card he showed and claimed to be using. The MAC address was visible, the first half of which indicates the vendor.
David Maynor is a fraud and a liar. The demo in the original video was faked. How do I know? Let's think about this...David Maynor had no driver sources...maybe even no x86 Darwin sources (I believe those were posted later). This sort of elaborate hack could take a really really really good programmer weeks and weeks on a completely open source system. Why? Because there are many non-trivial problems to solve. How do I figure out exactly what fields in the wireless frame cause an overflow in the driver and, how can I prevent that overflow from causing a panic? How do I take over the instruction pointer? How and at what address do I inject my object code? How do I jump to the object code, execute enough instructions to manipulate a process (likely requiring many jumps around the kernel) to connect back to me with a shell, and do it without panicking the kernel? How do I include all the object code necessary to do this in either one (the easiest) wireless frame or a series (much harder) of frames? If I recall correctly, David Maynor started rambling about this hack almost a month before Black Hat Las Vegas. That gives him a little over a month from the release of the original MacBook to have developed this exploit. Is David Maynor an x86 assembly expert? Is David Maynor an xnu kernel master? Is David Maynor a Darwin kernel extension reverse engineering rockstar? He would have to be in order to accomplish such a feat. In fact, if that were the case, I would go as far as to say that David Maynor is wasting his life giving worthless lectures on how anyone can sniff your pop3 email password if you check your mail on an open wireless network. Someone should really be paying him a lot of money to write code...but nobody is. Why? Because David Maynor has no hack.
From the looks of it...all this joker did was run an off the shelf "phishing", or whatever the kids call it, tool that threw a bunch of garbage wireless frames at the MacBook. Yeah, he made it panic, but so what? That's not sensational enough to sell books and speaking engagements, so he made up a dramatic video that the press ate up.
I would love for Maynor, or his sidekick Johnny "the boy wonder" Ellch, to prove me wrong and give us all the nitty gritty technical details of how they actually gained control of the MacBook. Unfortunately, that will never happen. Not because of any legal problems or whatever Maynor is crying about this week, but because he has no hack...and he is a liar...and a fraud...and we should all do the legitimate security community a favor and stop giving this guy the kind of attention he craves.
I don't know the history, but evidently he claims to be able to hack the built-in wireless too? Then why doesn't this video show that? For all I can tell, he set up some code that lets the two machines talk to each other. Whoopdy doo.