Todd Woodward(todd_woodward (at) symantec (dot) com [email concealed])@Fri, Aug 11, 2006 at 02:50:28PM -0700:
> Sam Pierson wrote:
>
> > First, one should assume that root-level tasks are likely, because the
> > exploited software is running in the context of the *kernel*. Just
> > because they moved some files around doesn't imply that other tasks
> > aren't possible. If someone has an Apple document describing how
> > device drivers don't operate in kernel space, I'd really like to read
> > it. I don't see how the shell could be anything other than root.
> >
> > Also, I'm not convinced the above fix would help anything at all. The
> > exploit lives in the device driver and happens as the driver reads the
> > packet. As far as I know, those "preferred networks" live in higher
> > layers (I'll let you know when I get to this part in OS X Internals).
> > How can they decide to drop packets based on AP identification without
> > first passing that packet through the driver? The device would have
> > already been exploited just by reading the packet! What network
> > you're on, in theory, has nothing to do with it.
> >
> > I wouldn't trust any source claiming to mitigate this threat without
> > knowing that they've tested it against the original proof of
> > concept... everything else is just theoretical.
>
> Unfortunately, due to the method and manner this potential exploit was
> revealed, there exists a dearth of empirical data to better understand
> it.
>
> Until Apple or other security researchers study this potential issue and
> publish their findings and/or produce a fix, everything about this
> potential issue is theoretical.
>
> We can only suggest mitigation using general security practices, or pass
> on any trusted information we have available.

I talked to Johnny Cache at DefCon after his talk a bit. I hope that
what I remember from that discussion can help here:

* The exploit is running in kernel space and can do _anything_ it wants.
It's not running as root because that would involve running under the
kernel. In Intel terms, this is ring 0 stuff.

* Firewalls, "preferred networks" and other OS-level mitigation is
worthless. The packets don't have to contain any IP data, they are
pure 802.11{b|g} frames. The OS doesn't see the packet because it
would have to get past the (exploited) device driver.

* The exploit doesn't require associating to an AP, being associated to
an AP, anything. It just requires the wireless device to be on.

--
Bill Weiss

Quidquid latine dictum sit, altum viditur.

(Whatever is said in Latin sounds profound.)

[ reply ]