Hackers Expose 'Critical' Wi-Fi Driver Flaw

 
 
riggor
08-03-2006, 11:03 PM

http://www.eweek.com/article2/0,1895...EMNL080306EOAD

LAS VEGAS -- Wi-Fi-enabled computers are sitting ducks for code execution
attacks because of gaping flaws in wireless drivers shipped on both Mac and
Windows systems, security researchers warned at the Black Hat Briefings
security conference here.

A pair of hackers -- David Maynor and Jon Ellch -- demonstrated such a break-in on
an Apple MacBook laptop fitted with a wireless card that was broadcasting
its presence to another computer set up as an access point.

During the demonstration, the researchers were able to take complete control
of the MacBook via a specific vulnerability in the device driver code that
sits between the operating system and the wireless card.

Maynor and Ellch did not release details or exploit code for the flaw, which
affects a wide range of Wi-Fi card manufacturers. The researchers have
notified the affected companies and are working closely to identify the
vulnerable code.

"This is not a big problem today. But, it should be something to take
seriously now before it becomes a big, big problem a year or two from now,"
said Maynor, who works as a senior researcher at Atlanta-based SecureWorks.

"The OS vendors have been hardening the operating system a lot, so now
attackers have two choices. They can go up to the application level, or they
can go lower to the device driver level," Maynor said, warning that Wi-Fi
drivers present an easy-to-exploit target.

"You've got to keep in mind that [malicious] people with an unlimited amount
of time can spend a lot of time looking at these things," he added.

Ellch, a well-known security expert who uses the hacker moniker "Johnny
Cache," made it clear that the issue is not specific to Apple's Mac
computers. "This isn't an Apple problem or a Microsoft problem. This is
something that's problematic across the industry," he said.

However, Maynor said the MacBook was used in the demo as a retort to the
latest Apple commercials. "We don't want to bash Mac. I'm a big fan of Mac.
But those commercials are just [annoying]," he said.

Ellch, a creator of wireless hacking tools, also used the Black Hat stage to
discuss design flaws in the 802.11 link-layer wireless protocol. He
described 802.11 as an "overly complicated" protocol that has not been
implemented securely by many vendors.

He also showcased a new Wi-Fi fingerprinting technique that can be used by
attackers to spy on target systems.

The presentation comes just days after chip giant Intel released a trio of
security patches for critical vulnerabilities affecting its Centrino product
line.

Maynor said the Intel patches, which cover code execution holes in Centrino
drivers and Intel Pro/Wireless network connections, were not related to the
Black Hat speech. "It's pretty interesting, the timing of the [Intel]
patches, but it's not something that we were responsible for," he said.

Intel said in an alert that the most serious flaw in the Centrino wireless
driver line can be exploited to launch remote code execution attacks.
"[These flaws] could potentially be exploited by attackers within range of
the Wi-Fi station to execute arbitrary code on the target system with
kernel-level privileges. These flaws are due to a memory corruption while
parsing certain frames," Intel said.

The bugs could also lead to information disclosure and privilege escalation
attacks.


Jerry Park
08-03-2006, 11:10 PM
Who knows if this is a serious flaw or not? They used a special wireless
device (not the one internal to the MAC). They didn't disclose the type
of device used or why they needed a special device. It also appears that
they used an ad hoc connection -- something you generally shouldn't do
except in special circumstances where you know the computer you are
connecting to is trusted.

Did they break an encrypted network? Or did they just connect to an open
device?

There may well be a monster under the bed. The rational person lifts the
covers and looks.

riggor wrote:
> http://www.eweek.com/article2/0,1895...EMNL080306EOAD
>
> LAS VEGAS -- Wi-Fi-enabled computers are sitting ducks for code execution
> attacks because of gaping flaws in wireless drivers shipped on both Mac and
> Windows systems, security researchers warned at the Black Hat Briefings
> security conference here.
>
> [...]

 
Kurt Ullman
08-03-2006, 11:23 PM
Jerry Park wrote:

> Who knows if this is a serious flaw or not? They used a special wireless
> device (not the one internal to the MAC). They didn't disclose the type
> of device used or why they needed a special device. It also appears that
> they used an ad hoc connection -- something you generally shouldn't do
> except in special circumstances where you know the computer you are
> connecting to is trusted.
>
> Did they break an encrypted network? Or did they just connect to an open
> device?
>
> There may well be a monster under the bed. The rational person lifts the
> covers and looks.
>

They also were silent in the stuff I read about whether this was an
exploit as they came out of the box or if there had been changes (and if
so which ones) to the system preferences. Also quiet as to whether this
was an exploit in every flavor of Mac or just the MacBook (or even just
the newer MacBook; what about the older MacBook Pros?).
Many more questions asked than answered.
 
John Navas
08-04-2006, 12:05 AM
Kurt Ullman wrote:

>In article <8ovAg.41749$(E-Mail Removed)>,
> Jerry Park <(E-Mail Removed)> wrote:
>
>> Who knows if this is a serious flaw or not? They used a special wireless
>> device (not the one internal to the MAC). They didn't disclose the type
>> of device used or why they needed a special device. It also appears that
>> they used an ad hoc connection -- something you generally shouldn't do
>> except in special circumstances where you know the computer you are
>> connecting to is trusted.
>>
>> Did they break an encrypted network? Or did they just connect to an open
>> device?
>>
>> There may well be a monster under the bed. The rational person lifts the
>> covers and looks.
>>

> They also were silent in the stuff I read about whether this was an
> exploit as they came out of the box or if there had been changes (and if
> so which ones) to the system preferences. Also quiet as to whether this
> was an exploit in every flavor of Mac or just the MacBook (or even just
> the newer MacBook; what about the older MacBook Pros?).
> Many more questions asked than answered.


According to The Register
<http://www.theregister.com/2006/08/03/wifi_driver_hack/>:

In all cases the attack only requires that a wireless device is
switched on. A user need not be connected to a wireless network for
the attack to succeed because drivers are commonly configured by
default to continuously seek out available wireless networks. Maynor
said that acute time pressures on driver developers contributed to
the underlying vulnerabilities exploited by the attack.

See also "Hijacking a Macbook in 60 Seconds or Less - Security Fix"
<http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco_1.html>

One of the dangers of this type of attack is that a machine running a
vulnerable wireless device driver could be subverted just by being
turned on. The wireless devices in most laptops -- and indeed the
Macbook targeted in this example -- are by default constantly
broadcasting their presence to any network within range, and most are
configured to automatically connect to any available wireless
network.

But according to Maynor and Ellch, this attack can be carried out
whether or not a vulnerable targeted laptop connects with a local
wireless network. It is, they said, enough for a vulnerable machine
to have its wireless card active for such an attack to be successful.
That's a trivial demand, given that most wireless devices embedded in
laptops these days are switched on by default and are configured to
continuously seek out available wireless networks.

Because the software that powers these wireless devices operates at
such a fundamentally low level of the operating system, traditional
system safeguards like firewalls and anti-virus software most likely
will not stop the operating system from accepting a maliciously
crafted network probe from an attacker seeking to exploit device
driver-specific flaws. The result, said Maynor, is that a system
using poorly designed device drivers is vulnerable to compromise just
by doing what it was programmed to do.

But that explanation eclipses the larger point that Maynor and Ellch
said they are trying to get across: Namely, that wireless device
drivers are largely developed and written by an odd mix of hardware
and software developers in an environment where time-to-market often
trumps any thorough code review for potential security flaws.

Apple -- like many computer manufacturers -- outsources the
development of its wireless device drivers to third parties. In
Apple's case, the developer in question is Atheros, a company that
devises drivers for a number of different wireless cards, each
designed with drivers specific to the operating systems on which they
will be used.

Maynor and Ellch also found two different device driver flaws for
wireless products aimed at Windows systems. This is notable because
it points out a security loophole in the way that Microsoft has
traditionally processed device drivers. Any time a Windows XP user
tries to install a device driver, the system checks whether that
driver has been "signed" or approved by Microsoft so as not to cause
system stability problems. Many third-party wireless cards designed
for Windows systems are not signed by Microsoft, and the system will
throw up a warning to that effect any time a user tries to install an
unsigned device driver.

But according to Maynor and others, Microsoft only recently began
testing whether its approved or "signed" device drivers introduced
unforeseen security weaknesses into the system. Microsoft is trying
to rectify that problem with Windows Vista -- the next version of its
operating system by only allowing the installation of device drivers
that have met the company's security testing procedures.

[MORE]

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
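The Intel alert quoted in the first post attributes the Centrino flaws to "a memory corruption while parsing certain frames", and the articles quoted just above note that a card merely scanning for networks already processes beacons and probe responses from anyone in range, below the reach of a firewall or anti-virus. The C example below is added here and is not code from the thread, from Intel, Atheros or any vendor driver: it shows the check that class of bug is missing, a bounds-checked parser for the SSID information element of an 802.11 beacon body that rejects an element whose declared length runs past the end of the frame or past the 32-byte destination buffer. The frame layout constants follow the 802.11 standard; the beacon bodies and SSID names are constructed test data, and `body_len` is assumed to be the length the hardware actually delivered.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the thread or any vendor driver.  A beacon or
   probe-response body (IEEE 802.11) is: 8-byte timestamp, 2-byte beacon
   interval, 2-byte capability info, then information elements (IEs), each
   [element ID (1 byte)][length (1 byte)][length bytes of data]. */
#define IE_SSID        0    /* element ID of the SSID element */
#define IE_SUPP_RATES  1    /* element ID of Supported Rates */
#define SSID_MAX_LEN   32   /* 802.11 upper bound on SSID length */
#define BEACON_FIXED   12   /* timestamp + interval + capability */

enum parse_result {
    PARSE_OK = 0,        /* SSID copied out */
    PARSE_TRUNCATED,     /* an element claims more bytes than the frame holds */
    PARSE_OVERSIZED,     /* SSID element longer than the destination buffer */
    PARSE_NO_SSID        /* well-formed body, but no SSID element */
};

/* Walk the IEs of `body` and copy the SSID into `ssid_out`, which must hold
   SSID_MAX_LEN + 1 bytes (NUL terminated).  The sender controls the length
   byte, so a parser that simply does  memcpy(ssid_out, ie + 2, ie[1])  reads
   past the frame and writes past the buffer in kernel mode; the two length
   comparisons below are what that parser lacks. */
enum parse_result extract_ssid(const uint8_t *body, size_t body_len,
                               char *ssid_out, size_t *ssid_len_out)
{
    if (body_len < BEACON_FIXED)
        return PARSE_TRUNCATED;
    size_t off = BEACON_FIXED;
    while (off < body_len) {
        if (body_len - off < 2)                /* room for the 2-byte IE header? */
            return PARSE_TRUNCATED;
        uint8_t id  = body[off];
        uint8_t len = body[off + 1];
        if (len > body_len - off - 2)          /* declared length inside the frame? */
            return PARSE_TRUNCATED;
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)            /* declared length inside the buffer? */
                return PARSE_OVERSIZED;
            memcpy(ssid_out, body + off + 2, len);
            ssid_out[len] = '\0';
            *ssid_len_out = len;
            return PARSE_OK;
        }
        off += 2 + (size_t)len;                /* skip elements we do not need */
    }
    return PARSE_NO_SSID;
}

/* Constructed beacon bodies (test data, not captured traffic).  Writes into
   `frame`, which must hold at least 64 bytes, and returns the body length. */
static size_t build_case(int which, uint8_t *frame)
{
    memset(frame, 0, BEACON_FIXED);            /* zeroed fixed fields suffice here */
    uint8_t *ie = frame + BEACON_FIXED;
    switch (which) {
    case 0:  /* well formed: SSID "lab-ap", declared length 6, 6 bytes present */
        ie[0] = IE_SSID; ie[1] = 6; memcpy(ie + 2, "lab-ap", 6);
        return BEACON_FIXED + 8;
    case 1:  /* declared length 200, only 6 bytes follow: would read past the frame */
        ie[0] = IE_SSID; ie[1] = 200; memset(ie + 2, 'A', 6);
        return BEACON_FIXED + 8;
    case 2:  /* 40 bytes present and declared: fits the frame, not a 32-byte buffer */
        ie[0] = IE_SSID; ie[1] = 40; memset(ie + 2, 'A', 40);
        return BEACON_FIXED + 42;
    default: { /* a Supported Rates element precedes SSID "net1" and is skipped */
        static const uint8_t ies[] = { IE_SUPP_RATES, 3, 0x82, 0x84, 0x8b,
                                       IE_SSID, 4, 'n', 'e', 't', '1' };
        memcpy(ie, ies, sizeof ies);
        return BEACON_FIXED + sizeof ies;
    }
    }
}

static char last_ssid[SSID_MAX_LEN + 1];

/* Run one constructed case through the parser; the SSID, if any, is left in
   last_ssid for inspection via demo_last_ssid(). */
enum parse_result demo_case(int which)
{
    uint8_t frame[64];
    size_t ssid_len = 0;
    size_t body_len = build_case(which, frame);
    last_ssid[0] = '\0';
    return extract_ssid(frame, body_len, last_ssid, &ssid_len);
}

const char *demo_last_ssid(void) { return last_ssid; }

int main(void)
{
    static const char *names[] = { "OK", "TRUNCATED", "OVERSIZED", "NO_SSID" };
    for (int i = 0; i < 4; i++) {
        enum parse_result r = demo_case(i);
        printf("case %d: %s %s\n", i, names[r], r == PARSE_OK ? demo_last_ssid() : "");
    }
    return 0;
}
```

Cases 1 and 2 are the two ways a length byte can lie: past the frame the hardware delivered, and past the buffer the driver allocated. A driver needs both comparisons on every element it parses, not only the SSID, and the same discipline applies to the total frame length before this routine is ever called.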
 
Neill Massello
08-04-2006, 12:14 AM
Jerry Park wrote:

> Who knows if this is a serious flaw or not? They used a special wireless
> device (not the one internal to the MAC). They didn't disclose the type
> of device used or why they needed a special device. It also appears that
> they used an ad hoc connection -- something you generally shouldn't do
> except in special circumstances where you know the computer you are
> connecting to is trusted.
>
> Did they break an encrypted network? Or did they just connect to an open
> device?


They did not break wireless encryption. Ellch and Maynor claim that this
exploit works at the device driver level even if the target computer
does not connect to a wireless network, but that was not what they
demonstrated. They had an Apple MacBook, using an unnamed USB wireless
adapter with an unnamed device driver, deliberately connect to an
infrastructure network created by a Dell laptop. In the video, Maynor
claims this was done "for the ease of this demo". The video is available
at <http://news.com.com/1606-2_3-6101573.html>.


> There may well be a monster under the bed. The rational person lifts the
> covers and looks.


No information was provided about the configuration of the target
machine, nor was a satisfactory explanation given for having the target
machine connect to the network. Without that information, the dog and
pony show of creating, opening, and deleting files on the target
machine, as well as the "look no wires!" finale, are largely
meaningless. Until Ellch and Maynor come across with more information,
they should be regarded as the Pons and Fleischmann of wireless
security.

 
dold@XReXXHacke.usenet.us.com
08-04-2006, 12:20 AM
Jerry Park wrote:
> Who knows if this is a serious flaw or not? They used a special wireless
> device (not the one internal to the MAC). They didn't disclose the type
> of device used or why they needed a special device. It also appears that
> they used an ad hoc connection -- something you generally shouldn't do
> except in special circumstances where you know the computer you are
> connecting to is trusted.


"another computer set up as an access point"

This wasn't ad hoc, their computer was advertising itself as an access
point. Not unlike a wardriver honeypot.

Presumably they added a nominal WiFi card so they could prove their point.
Or, maybe, it was a staged presentation altogether.

--
Clarence A Dold - Hidden Valley Lake, CA, USA GPS: 38.8,-122.5
 
John Navas
08-04-2006, 12:25 AM
dold@XReXXHacke.usenet.us.com wrote:

>Jerry Park wrote:
>> Who knows if this is a serious flaw or not? They used a special wireless
>> device (not the one internal to the MAC). They didn't disclose the type
>> of device used or why they needed a special device. It also appears that
>> they used an ad hoc connection -- something you generally shouldn't do
>> except in special circumstances where you know the computer you are
>> connecting to is trusted.

>
>"another computer set up as an access point"
>
>This wasn't adhoc, their computer was advertising itself as an access
>point. Not unlike a wardriver honeypot.
>
>Presumably they added a nominal WiFi card so they could prove their point.
>Or, maybe, it was a staged presentation altogether.


Doubtful, given their reputations, and not terribly surprising, given
Intel's recent massive security patches for Centrino, which won't get
installed by many victims ... er ... users. [sigh]

 
Neill Massello
08-04-2006, 01:03 AM
Kurt Ullman wrote:

> They also were silent in the stuff I read about whether this was an
> exploit as they came out of the box or if there had been changes (and if
> so which ones) to the system preferences. Also quiet as to whether this
> was an exploit in every flavor of Mac or just the MacBook (or even just
> the newer MacBook; what about the older MacBook Pros?).


The only apparent reason for using a Mac at all was that Ellch and
Maynor were peeved at Apple's advertising and at Mac users' supposedly
smug attitude toward security.

 
John Navas
08-04-2006, 01:35 AM
Neill Massello wrote:

>Kurt Ullman wrote:
>
>> They also were silent in the stuff I read about whether this was an
>> exploit as they came out of the box or if there had been changes (and if
>> so which ones) to the system preferences. Also quiet as to whether this
>> was an exploit in every flavor of Mac or just the MacBook (or even just
>> the newer MacBook; what about the older MacBook Pros?).

>
>The only apparent reason for using a Mac at all was that Ellch and
>Maynor were peeved at Apple's advertising and at Mac users' supposedly
>smug attitude toward security.


Yep, but it seems to have backfired -- they probably should have shown a
Windows exploit as well.

 
John Navas
08-04-2006, 01:38 AM
Neill Massello wrote:

>No information was provided about the configuration of the target
>machine, nor was a satisfactory explanation given for having the target
>machine connect to the network. Without that information, the dog and
>pony show of creating, opening, and deleting files on the target
>machine, as well as the "look no wires!" finale, are largely
>meaningless. Until Ellch and Maynor come across with more information,
>they should be regarded as the Pons and Fleischmann of wireless
>security.


With all due respect, they have considerably more credibility than Pons
and Fleischmann, particularly given the recent massive Intel patch for
Centrino. I think keeping details from the general public until vendors
have a chance to respond was the responsible and reasonable thing to do.

 