SecurityFocus

Re: Hijacking a Macbook in 60 Seconds or Less Aug 10 2006 11:50AM
Radoslav Dejanoviæ (radoslav dejanovic opsus hr) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 10 2006 03:11PM
Howard Oakley (h oakley btconnect com) (4 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 12:23PM
Radoslav Dejanoviæ (radoslav dejanovic opsus hr) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 03:22PM
Roy Atkinson (roy atkinson jax org) (2 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 06:51PM
Chris Pepper (pepper reppep com) (1 replies)

RE: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 08:10PM
Todd Woodward (todd_woodward symantec com) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 09:31PM
Sam Pierson (samuel pierson gmail com) (2 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 10:05PM
Howard Oakley (h oakley btconnect com)

RE: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 09:50PM
Todd Woodward (todd_woodward symantec com) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 12 2006 09:12PM
Bill Weiss houdini+focus-apple (at) clanspum (dot) net [email concealed] (houdini+focus-apple clanspum net) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 14 2006 07:04AM
fwa266m mac com (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 14 2006 01:36PM
David Maynor (dmaynor gmail com) (1 replies)

To address your statement that we refused to show the demo in a controlled
environment is incorrect as the demo was actually shown live to 3 people at
Blackhat. There were people speculating we wouldn't show it in a controlled
environment, but they were wrong as we did. There were also the people that
offered us money for live demos as long as the could sniff the connection
and get a copy of the exploit code. They didn't want a demo, they wanted the
exploit code.

There are several GLARING errors in that post on smallworks.com.

Our comment that the machine does not need to be associated to an access
seems to be a sticking point for these "experts." They kind of get something
right with the management frames and such but then use that as a reason
there is something wrong. Any wireless expert should know how Probe
Requests/Probe Responses work. This is how wireless cards find APs they will
join automatically. Although you don't have to be connected/associated to an
access point, I can impersonate on of the APs you would autojoin, then
attack you. I did not come up with the way to do this BTW, you can read more
about it here: http://www.theta44.org/software/karma.README Or you can just
go google "K2 Karma Wifi" and find it all yourself. This technique was also
rediscovered by Simple Nomad of the NMRC:
http://www.nmrc.org/pub/advise/20060114.txt

Before somebody jumps to the conclusion this only affects Windows, it
affects Mac as well.

So just doing a Google search debunked half of his post. And now my favorite
part:

"More likely: it doesn't. In the presentation, Maynor uses a "third-party
wireless card". It looks like a ExpressCard/34 802.11 card, but the
non-'Pro' Macbook doesn't have Express Card slots, and the card they hold is
too big to be a USB device, yet the Macbook they use is definitely *black*."

It was a USB device wrapped in paper but he goes off on a tangent about how
it had to be an ExpressCard and other such nonsense while assuming the
attack is specific to a default Mac. He does not leave this idea alone
either, he keeps coming back to the ExpressCard idea, as to be honest most
of his argument is based on this and would crumple like a house of cards if
he was found to be incorrect. We stated at Blackhat and Defcon it was a USB
device. To be fair he did later post an update that debunked most of his own
posting, although I am still accused of pretending it's a ExpressCard
despite the many public claims its a USB device.

http://www.smallworks.com/archives/00000456.htm

And last but not least he says we wrote our own driver. In hindsight for our
purpose of showing the attack is possible and not singling out any vendor,
that would have been a great idea. However drivers are so full of bugs
writing our own driver is not required.

He then goes on to incorrectly interpret the Intel Driver problems and
patches. He focuses on the privilege escalation and does not address that
clearly in the Intel advisory it states remote code execution is possible.

Beware of technical posts that use the terms like presume and post many
excerpts from technical articles to support his claims. He chooses things to
support his argument and dismissed things that didn't. It's amazing he spent
a lot of time theorizing about this but never once contacted Jon or I. He
also seems to have forgotten to mention that a few months ago there was a
remote overflow in the net80211 layer of FreeBSD:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211
.asc

But then again that's not worth mentioning because it doesn't support his
argument.

On 8/14/06, fwa266m (at) mac (dot) com [email concealed] <fwa266m (at) mac (dot) com [email concealed]> wrote:
>
> http://www.smallworks.com/archives/00000455.htm
>
> Any comment on the above article. I am not expert on IEEE 802.11
> standard requirements but it seems - at first look - a first possible
> debunk.
>
> I am very sorry I can't find the link where I read it, but apparently
> Ellch and Maynor refused to show the hack with a third party MacBook
> in controlled environment - whatever that means - raising the
> suspicion they need to have physical access to the machine before hand.
>
> Cheers
>
> M
>
To address your statement that we refused to show the demo in a controlled environment is incorrect as the demo was actually shown live to 3 people at Blackhat. There were people speculating we wouldn't show it in a controlled environment, but they were wrong as we did. There were also the people that offered us money for live demos as long as the could sniff the connection and get a copy of the exploit code. They didn't want a demo, they wanted the exploit code.

 
There are several GLARING errors in that post on <a href="http://smallworks.com">smallworks.com</a>.
 
Our comment that the machine does not need to be associated to an access seems to be a sticking point for these "experts." They kind of get something right with the management frames and such but then use that as a reason there is something wrong. Any wireless expert should know how Probe Requests/Probe Responses work. This is how wireless cards find APs they will join automatically. Although you don't have to be connected/associated to an access point, I can impersonate on of the APs you would autojoin, then attack you. I did not come up with the way to do this BTW, you can read more about it here:
<a href="http://www.theta44.org/software/karma.README">http://www.theta44.org/software/karma.README</a> Or you can just go google "K2 Karma Wifi" and find it all yourself. This technique was also rediscovered by Simple Nomad of the NMRC:
<a href="http://www.nmrc.org/pub/advise/20060114.txt">http://www.nmrc.org/pub/advise/20060114.txt</a>
Before somebody jumps to the conclusion this only affects Windows, it affects Mac as well. 
 
So just doing a Google search debunked half of his post. And now my favorite part: 
"More likely: it doesn't. In the presentation, Maynor uses a "third-party wireless card". It looks like a ExpressCard/34
802.11 card, but the non-'Pro' Macbook doesn't have Express Card slots, and the card they hold is too big to be a USB device, yet the Macbook they use is definitely black."
 
It was a USB device wrapped in paper but he goes off on a tangent about how it had to be an ExpressCard and other such nonsense while assuming the attack is specific to a default Mac. He does not leave this idea alone either, he keeps coming back to the ExpressCard idea, as to be honest most of his argument is based on this and would crumple like a house of cards if he was found to be incorrect. We stated at Blackhat and Defcon it was a USB device. To be fair he did later post an update that debunked most of his own posting, although I am still accused of pretending it's a ExpressCard despite the many public claims its a USB device.

<a href="http://www.smallworks.com/archives/00000456.htm">http://www.smallw
orks.com/archives/00000456.htm</a>
 
And last but not least he says we wrote our own driver. In hindsight for our purpose of showing the attack is possible and not singling out any vendor, that would have been a great idea. However drivers are so full of bugs writing our own driver is not required.

 
He then goes on to incorrectly interpret the Intel Driver problems and patches. He focuses on the privilege escalation and does not address that clearly in the Intel advisory it states remote code execution is possible.

 
Beware of technical posts that use the terms like presume and post many excerpts from technical articles to support his claims. He chooses things to support his argument and dismissed things that didn't. It's amazing he spent a lot of time theorizing about this but never once contacted Jon or I. He also seems to have forgotten to mention that a few months ago there was a remote overflow in the net80211 layer of FreeBSD:

<a href="ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05
.80211.asc">ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBS
D-SA-06:05.80211.asc
</a>
 
But then again that's not worth mentioning because it doesn't support his argument. 
<div>On 8/14/06, <a href="mailto:fwa266m (at) mac (dot) com [email concealed]">fwa266m (at) mac (dot) com [email concealed]</a> <<a href="mailto:fwa266m (at) mac (dot) com [email concealed]">fwa266m (at) mac (dot) com [email concealed]</a>> wrote:
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><a href="http://www.smallworks.com/archives/00000455.htm">http://www.smallw
orks.com/archives/00000455.htm</a>
 Any comment on the above article. I am not expert on IEEE 802.11 standard requirements but it seems - at first look - a first possible debunk. I am very sorry I can't find the link where I read it, but apparently
 Ellch and Maynor refused to show the hack with a third party MacBook in controlled environment - whatever that means - raising the suspicion they need to have physical access to the machine before hand. Cheers
 M </blockquote></div> 

[ reply ]

Re: Hijacking a Macbook in 60 Seconds or Less Aug 14 2006 01:59PM
Massimo Marino (fwa266m mac com) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 14 2006 03:08PM
David Maynor (dmaynor gmail com) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 15 2006 08:51AM
Nicolas RUFF (nicolas ruff gmail com) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 15 2006 01:01PM
David Maynor (dmaynor gmail com) (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 20 2006 07:21AM
Nicolas RUFF (nicolas ruff gmail com)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 11 2006 05:36PM
Sam Pierson (samuel pierson gmail com)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 10 2006 06:42PM
Paul Schmehl (pauls utdallas edu)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 10 2006 05:38PM
Michael Edwards (medwards digital-legal com) (1 replies)

How to persuade someone to switch off wireless Aug 11 2006 12:11PM
Radoslav Dejanoviæ (radoslav dejanovic opsus hr)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 10 2006 04:42PM
mfossi securityfocus com (1 replies)

Re: Hijacking a Macbook in 60 Seconds or Less Aug 10 2006 05:55PM
Howard Oakley (h oakley btconnect com)