Slashdot Mirror

← Back to Stories (view on slashdot.org)

MacBook Wi-Fi Hijack Details Finally Released

Posted by Zonk on from the strange-tale-of-patch-10.4.8 dept.

Wick3d Gam3s writes "Hacker David Maynor attempted to put the strange tale of the Macbook Wifi hack to rest, and offered an apology for mistakes made. All this and a live demo of the takeover exploit was made at a Black Hat DC event yesterday. Maynor promised to release e-mail exchanges, crash/panic logs and exploit code in an effort to clear his tarnished name. Said Maynor: 'I screwed up a bit [at last year's Black Hat in Las Vegas]. I probably shouldn't have used an Apple machine in the video demo and I definitely should not have discussed it a journalist ahead of time ... I made mistakes, I screwed up. You can blame me for a lot of things but don't say we didn't find this and give all the information to Apple.'"

17 of 82 comments (clear)

  1. Crash? I thought the original claim was... by bluemonq · · Score: 3, Insightful

    ...that he could gain complete access over the machine? Frankly, I wouldn't even be surprised if he did some old-fashioned reverse-engineering of the patch to create the exploit for the older boxes.

    1. Re:Crash? I thought the original claim was... by Rosyna · · Score: 4, Interesting

      Frankly, I wouldn't even be surprised if he did some old-fashioned reverse-engineering of the patch to create the exploit for the older boxes.

      And then used his time machine to go back in time to before the bug was patched and announce the exploit?

      No, his original claim was a farce (hell, look at the video, there was only one wireless device available according to ifconfig). Apple then audited their code, found 3 bugs. He took one of the bugs mentioned, found out how to trigger it, triggered the crash and now claims he was right all along.

      The problem is that what's happening now doesn't support his original claims. The original claims were he could hijack a MacBook in under 60 seconds and gain completely control of it. Now all he's getting is a crash with no control.

    2. Re:Crash? I thought the original claim was... by AchiIIe · · Score: 5, Interesting

      That is correct, the original video was faked... They prob were close but did not want to wait.
      Here is a video I made debunking their proof: http://video.google.com/videoplay?docid=1468187717 11399295&hl=en
      My guess is that they got a buffer overflow but had not yet found the correct location in memory to write their shellcode. They still have not...

      --
      Nature journal lied in Britannica vs Wikipedia Ask to retrac
    3. Re:Crash? I thought the original claim was... by CaymanIslandCarpedie · · Score: 5, Informative

      Not taking any sides here, but here is what he has said about this (and other issues) from his blog

      I thought you said it was a hijack yet you only showed a DoS.
      Yup, I showed a crash. I didn't feel the need to do the do the entire hijack for two reasons: Apple already confirmed that this vulnerability leads to remote code execution (they said so in the advisory here). Everybody that was running a sniffer during my talk now has a copy of the DoS code. The demo had two parts. I showed the crash happening on a 10.4.6 machine since it didn't have any of the airport patches. I then rebooted into 10.4.8 and the crash no longer happened. I did this to prove that the Airport patches issued on Sept 21st, 2006 fixed the problem I was demoing. The only real change to airport code was the security fixes that were issued.

      You just reversed the patches and found what you then showed on stage.
      I find this to be a funny argument. If I have the skills to reverse the patches and do a binary difference analysis of them, why couldn't I use those same skills to find the bugs in the first place (they weren't hard to find). This argument also doesn't take into account the fact that I showed that the first crash of the exploit occurred on Jul 15th, 2006, or emails to Apple helping them build a wifi auditing box (A linux machine with madwifi patched with LORCON) and pointed them to a vulnerability that was fixed in their patches (a problem with overly long SSIDs). The picture below is from the day I bought the Macbook, July 15th 2006. This crash occurred because I was fuzzing other devices and the Macbook crashed before I got to run the initial setup.

      --
      "reality has a well-known liberal bias" - Steven Colbert
    4. Re:Crash? I thought the original claim was... by Durandal64 · · Score: 3, Insightful

      This guy just doesn't quit. He claims that Apple confirmed that the vulnerability leads to remote code execution, which is bullshit. The description says "may be able to..." There's a world of difference there. Not every buffer overflow can be exploited to inject malicious code. It takes a lot of time and effort to actually find out whether it's practical to write an exploit, a lot more time and effort than simply patching the problem and being done with it. So why bother finding out for sure when you can just patch it and be sure that it won't get exploited?

      The fact that he will only demonstrate a crasher just seals the deal that he's full of shit. If he's had a working AirPort exploit for all this time, why not just demo it and put this issue to rest? That's what any sane person would do. But instead he's carefully misrepresenting Apple's release notes to make them seem as if they support his claim, further destroying his credibility.

      I think the most likely scenario here is that he originally found exploits for various third-party wireless drivers and saw an opportunity. With a cursory look at the AirPort drivers, he figured, "Yeah, I could write an exploit for them too". So he made a big announcement. He hated the "smug" Mac users, so now he could really stick it to them. But there was a problem. For whatever reason, he couldn't get his code to inject into the AirPort drivers. All he could do was KP the box. Well this wasn't what he initially promised. So when it came time to put-up or shut-up, he used a third-party card with drivers that he had been able to exploit. And of course, he knew that people would ask questions. Questions like, "Who cares? That card doesn't ship with Macs, and Macs have built-in wireless, so why would any Mac user ever need to buy this card?"

      Ah, but clever him. He knew that Apple had a reputation for being secretive and releasing the legal hounds. So he could just say, "Apple threatened me with legal action if I demoed the exploit on their drivers" and voila! He's now a victim of The Evil Corporation! The Slashdot crowd would definitely believe him. After all, geeks don't like Apple because they're secretive, and this would be just another validation for them. They'd buy it without question. Even if Apple issued a statement saying that Maynor was lying, that wouldn't matter, because Apple is the one who tried to muzzle Maynor in the first place! See how the logic goes round and round?

  2. Re:Just an observation..... by donicer · · Score: 4, Informative

    There were two demos:
    One on 10.4.6 showing that it was vulnerable (crash achieved and remote code execution is possible).
    The second demo showed no crash on 10.4.8 showing that the patches Apple released did indeed fix the problem he pointed to.

  3. Proof in the pudding by Thrudheim · · Score: 4, Insightful

    I await the promised publishing of the email exchanges with Apple on his blog. If he shows that he actually did provide Apple with details on the exploit, then he might restore some credibility. As it stands, however, his demo yesterday sounds like more of the same obfuscation that has characterized this whole incident.

    1) In the original demo, he gained command-line access to the target machine (using a third-party wireless card). The claim was made to Brian Krebs in the Washington Post that the built-in wireless was similarly vulnerable (which would be far more relevant, since all MacBooks have built-in wireless). Yesterday's demo showed a crash of the target machine. That's bad, but he still has not demonstrated a takeover of the MacBook using the built-in wireless after all this time.

    2) The fact that Apple's patch addresses the flaw that caused the crashing does not prove that Maynor engaged in responsible disclosure. Apple has said that Maynor provided them with no code or other details about the exploit, and that they did their own investigation. The investigation, according to Apple, revealed a flaw, leading to the patch. The issue is NOT whether a flaw existed. All Maynor demonstrated was that Apple's security patch works, which is really not that enlightening.

    1. Re:Proof in the pudding by TPIRman · · Score: 5, Insightful

      This is the same bullshit please-connect-the-dots-for-me reasoning that Maynor has come up with all along. The question at issue is not whether there was a bug that allowed remote code execution. Yes, Apple has said as much. The question is whether Maynor had actually discovered such a bug. So far he has done nothing to dissuade objective observers that he's anything but an attention-grabbing fraud.

      Doesn't it strike you as the least bit shifty that Maynor, eager to clear his name and prove that he was right, suddenly doesn't "feel the need" to demo the hijack he originally claimed? Oh, but don't worry, he could hijack the MacBook if he really wanted to! According to Maynor, Apple has been lying and covering up through this whole ordeal, but now we are supposed to essentially take Apple's word for it that his crash demo = hijack. Please.

      Let's apply Occam's Razor here. Did Maynor fail to demo a hijack -- despite the fact that it would restore at least some his credibility -- because he thought it was just as convincing to piece together circumstantial evidence from Apple press releases? Or did he fail to demo a hijack because he can't? Are we supposed to believe that after all this time and humiliation, Maynor really doesn't "feel the need" to back up his inflammatory words? I don't buy it, and I don't see how any rational observer can.

      As the GP said, the proof is in the pudding -- all we've got here is a box that says "pudding mix, really!" and a promise from Maynor. Same as before. The guy is a charlatan.

    2. Re:Proof in the pudding by mjeffers · · Score: 3, Insightful

      Let's apply Occam's Razor here. Did Maynor fail to demo a hijack -- despite the fact that it would restore at least some his credibility -- because he thought it was just as convincing to piece together circumstantial evidence from Apple press releases? Or did he fail to demo a hijack because he can't? Are we supposed to believe that after all this time and humiliation, Maynor really doesn't "feel the need" to back up his inflammatory words? I don't buy it, and I don't see how any rational observer can.


      This is really the key point. To believe Maynor at this point you need to believe that someone who is concerned about repairing a tarnished reputation is so worried about people figuring out how he could exploit an already patched vulnerability that he decides to only show the crash rather than the take-over exploit. Maynor has a bone to pick with Apple/Apple users and managed to find a bug he couldn't find last year with the help of Apple's patch notes.

      If you need a security consultant to analyze your patch notes and find known vulnerabilities he's your man. Otherwise, he's a joke.
    3. Re:Proof in the pudding by TPIRman · · Score: 4, Insightful

      If the bug allows remote code execution, which Apple plainly states is possible, the difference in a crash and a hijack is only a matter of a few bytes of shell code.

      You are buying into Maynor's fundamental misdirection here. He wants you to assume that the bug he is exploiting is the same as the bug that Apple says could allow remote code execution. But there is no evidence to support this assumption. Apple has fixed multiple AirPort bugs since 10.4.6. There is no way of knowing that Maynor is exploiting an AirPort bug that allowed a hijack rather than a crash.

      If it would only take "a few bytes of shell code" and the "easiest 1%" to make this exploit into a hijack, why not do it? His original claim was that he could hijack a MacBook, period. Now, supposedly given the chance to prove it, he just couldn't be bothered to slap together some shell code? Really? It's hard to believe that you don't find Maynor's "I can do that, I just don't feel like it" argument fishy at all.

    4. Re:Proof in the pudding by TPIRman · · Score: 4, Insightful

      Whether or not he can do it is not the issue!

      As I said above, that is, in fact, the issue. Nobody is disputing that a remote AirPort exploit was possible; that matter has been settled by Apple. You can be as sarcastic and triumphant as you want, but I already agree that there were documented remote-exploit bugs in Apple's code. Everybody does.

      The issue here is Maynor's reputation. A responsible security researcher has to be able to back up his claims. Maynor said he could hijack a MacBook. He never provided evidence that he could. Now he says, "Look, they fixed this AirPort bug, so I was telling the truth!" But he still doesn't demo the hijack, even on an unpatched machine.

      The debate over whether there were serious AirPort bugs has been settled. But Maynor has never demonstrated that he had the goods. He has left it to insinuation and sleight-of-hand. You have bought into his misdirection, and you still haven't answered the central question: If, as you claim, a remote takeover required only a bit of shell code, why not just do it?

      (Boldface added to that last bit purely out of love.)

  4. The reason he didn't actually show a takeover... by dpbsmith · · Score: 4, Funny

    Why didn't he simply show a repeat of the same thing he demonstrated before--a takeover of the machine?

    Because "a magician never repeats a trick."

    --

    "How to Do Nothing," kids activities, back in print!

  5. Re:apple can iFuck off by Space+cowboy · · Score: 4, Insightful

    So, let me get this straight

    1) he finds a bug, but he can't quite manage to exploit it. He can crash the machine (and that's a bad thing) but it doesn't *necessarily* mean he can exploit it.

    2) There's a big conference coming up, and he knows he'll get the headlines if he announces anything bad about Apple. That's just the way of the world. Dammit, he *still* can't find the exploit.

    3) The deadline arrives, he can't exploit the machine, but he goes ahead and gives the demo (faking the evidence with a different machine), confident that he'll get there eventually.

    4) He hides behind "legal issues" (even now, he won't reveal emails) to prevent himself from being exposed as the liar he appears to be.

    This series of events is just about the worst thing a researcher can do. It's like an athlete taking steroids - there will be no forgiveness, no olive-branch will be offered; his reputation is irredeemably tarnished, because he lied for personal gain. We *need* to be able to trust people publishing exploits, and if this means his career is in ruins, I say "Hurrah!" The less people like this around in the business, the better.

    I just want to also point out that I don't recall any lawyers being involved at any time in this dispute - neither party claimed lawyers were involved (he said Apple "leaned on" his employers, whatever that means, but lawyers were never mentioned.)

    Apple claim he released insufficient technical details to them to help them in their investigation, so they had to go to the trouble of doing a full internal audit of a large source tree (and all the time, he's spreading disinformation and tarnishing their name). They find and fix some bugs, and now he's in an even worse position - his crash "exploit" won't work.

    So, now, he releases the "details" - he's given up trying to exploit the original OS, and brushes that small point aside in the "details". He tries to save as much face as possible instead of admitting he was just plain wrong - he's basically covering his ass. Does anyone else think "details" ought to actually show the information he claimed to have (like being able to take control of a Mac in 60 seconds) ?

    In science, there are two fundamental maxims

          1) Don't falsify the data.
          2) Extraordinary claims require extraordinary evidence. (*)

    He failed, on both of these, as far as the world can tell.

    (*) "Extraordinary" here means in the technical sense - the first exploit of any kind requires unequivocal proof. I don't care if it's OSX, Windows XP, or Linux - show the data. Prove the case. Don't wave your hands around and babble.

    Simon.

    --
    Physicists get Hadrons!
  6. Re:The important point: by Rosyna · · Score: 3, Insightful

    Apple admitted the vulnerability WAS a root exploit.

    No, Apple said it could be used to run arbitrary code with system privileges.

    Just like I could step outside my door and find $10,000 rolled up in a neat little ball. Doesn't mean it is likely to happen, but it could.

    Theory and practice are two completely different things.

  7. Re:apple can iFuck off by Fahrenheit+450 · · Score: 4, Insightful

    No. That is a link to a story with a great lack of details and a number of still unsubstantiated claims.
    There is still no public supporting evidence for his clams -- he hasn't even posted his personal correspondence with Apple yet, something he'd been free to do since day one.

    Maybe he'll get around to it someday... who knows. But for now it's still just a lot of words with no support.

    --
    -30-
  8. Re:The important point: by veganboyjosh · · Score: 5, Funny

    Theory and practice are two completely different things.


    not in theory.

  9. Re:Yes it does! by Space+cowboy · · Score: 3, Insightful

    When it's due to memory corruption and when you can overwrite certain registers, it DOES mean that arbitrary code execution is possible. It may be pretty damn difficult to get just the right values in there, but this is one case where you can be 99.999% certain that it really is exploitable.

    If you don't believe me, please give a non-contrived example where you can do something like overwrite the EIP with an arbitrary value and still not be able to execute arbitrary code :P


    I refer the honourable gentleman to the reply I gave some moments ago - if he can do it, he ought to do it. Until he does it, I don't believe he can do it.

    So, here's your example: the exact "exploit" he's claiming to be able to perform.

    Lastly, the "extraordinary" in "extraordinary evidence" is a purely subjective matter


    No, it's not. Which is why I used "in the technical sense" in the original comment. "Extraordinary" means "out-of-the-ordinary" - the claim is not run-of-the-mill, it's the first remote exploit of an Apple laptop. The proof should also be bulletproof (actually, right now I'd settle for just proof, not incontrovertible evidence!) At the moment, all we have is a load of hot air and bluster.

    Simon.
    --
    Physicists get Hadrons!