
MacBook Wi-Fi Hijack Details Finally Released

Zonk posted more than 7 years ago | from the strange-tale-of-patch-10.4.8 dept.

Security 82

Wick3d Gam3s writes "Hacker David Maynor attempted to put the strange tale of the Macbook Wifi hack to rest, and offered an apology for mistakes made. All this and a live demo of the takeover exploit was made at a Black Hat DC event yesterday. Maynor promised to release e-mail exchanges, crash/panic logs and exploit code in an effort to clear his tarnished name. Said Maynor: 'I screwed up a bit [at last year's Black Hat in Las Vegas]. I probably shouldn't have used an Apple machine in the video demo and I definitely should not have discussed it with a journalist ahead of time ... I made mistakes, I screwed up. You can blame me for a lot of things but don't say we didn't find this and give all the information to Apple.'"


82 comments

I for one (-1, Offtopic)

GregPK (991973) | more than 7 years ago | (#18207222)

Am first to post... In an Applesky sort of way.

Crash? I thought the original claim was... (3, Insightful)

bluemonq (812827) | more than 7 years ago | (#18207252)

...that he could gain complete access over the machine? Frankly, I wouldn't even be surprised if he did some old-fashioned reverse-engineering of the patch to create the exploit for the older boxes.

Re:Crash? I thought the original claim was... (1)

donicer (256075) | more than 7 years ago | (#18207296)

Maybe, but that doesn't explain the emails that were shown between him and Apple engineers pointing to problems in Mac products in early August of last year.

Re:Crash? I thought the original claim was... (1)

bluemonq (812827) | more than 7 years ago | (#18207570)

From the way you phrased it, pointing out problems and being able to exploit them are two different things. And again, why the sudden change in the scope of the vulnerability? Didn't he say that he already had the exploit ready to go, and that he was simply bullied into not presenting it? I just find that suspicious.

Re:Crash? I thought the original claim was... (1)

donicer (256075) | more than 7 years ago | (#18207772)

The important point: (0)

Ungrounded Lightning (62228) | more than 7 years ago | (#18208496)

It was a WiFi-borne hack and he was at Black Hat. So there were lots of sniffers going and everybody gets a copy of whatever he does.

So he just demoed (and thus released) the DoS, not the root exploit - which he DID have the code to perform but didn't want to release (by demoing).

Apple admitted the vulnerability WAS a root exploit.

Re:The important point: (3, Insightful)

Rosyna (80334) | more than 7 years ago | (#18208686)

Apple admitted the vulnerability WAS a root exploit.

No, Apple said it could be used to run arbitrary code with system privileges.

Just like I could step outside my door and find $10,000 rolled up in a neat little ball. Doesn't mean it is likely to happen, but it could.

Theory and practice are two completely different things.

Re:The important point: (5, Funny)

veganboyjosh (896761) | more than 7 years ago | (#18209612)

Theory and practice are two completely different things.


not in theory.

I see your crappy analogy and raise a better one (0)

Anonymous Coward | more than 7 years ago | (#18210102)

Just like I could step outside my door and find $10,000 rolled up in a neat little ball. Doesn't mean it is likely to happen, but it could.

Theory and practice are two completely different things.


No this is like someone saying "Hey I found this $10,000 rolled up in a neat little ball from Apple on my doorstep, but for security reasons I can't actually show it to you. Here are some pictures though."

Apple denies that it has anything to do with the money. Later Apple reports that during an internal audit they noticed that they lost $10,000 is that person's neighborhood.

Conclusive proof that that person found $10,000 of Apple's money, or any money for that matter? No. But it doesn't mean it didn't happen.

Re:The important point: (0)

Anonymous Coward | more than 7 years ago | (#18210156)

You don't work in computer security do you? How much would you bet that this vulnerability can't be used to run arbitrary code with system privileges? You compare it to finding $10,000 rolled up in a neat little ball outside your door. That is an exceedingly improbable thing to have happen, so I'm guessing that you would bet a rather large sum. So, how much?

Re:The important point: (2, Insightful)

MasterVidBoi (267096) | more than 7 years ago | (#18208736)

It was a WiFi-borne hack and he was at Black Hat. So there were lots of sniffers going and everybody gets a copy of whatever he does.

So he just demoed (and thus released) the DoS, not the root exploit - which he DID have the code to perform but didn't want to release (by demoing).
Except that the patch for this vulnerability was released months ago. Yet that didn't stop him from (trying) to do the demo at Black Hat 2006, when there would have been just as many sniffers in the audience.

From someone who already threw out their credibility, that really doesn't inspire confidence.

Re:The important point: (2, Informative)

Sancho (17056) | more than 7 years ago | (#18209136)

I was at that Black Hat talk in Vegas. They didn't do the demo--they showed a video of it. They did it this way PRECISELY because there were sniffers in the audience.

Re:The important point: (1)

Wabin (600045) | more than 7 years ago | (#18212572)

Or so they claim. If they had an exploit, this would be true. If they didn't, it will cover that minor detail. A kind of nice little benefit of wireless exploit claims.

Re:Crash? I thought the original claim was... (2, Informative)

DJCacophony (832334) | more than 7 years ago | (#18207352)

Frankly, I wouldn't even be surprised if he did some old-fashioned reverse-engineering of the patch to create the exploit for the older boxes.

And then used his time machine to go back in time to before the bug was patched and announce the exploit?
The guy informed the world about the bug, then Apple fixed it, but refused to credit him for it.

Re:Crash? I thought the original claim was... (0, Troll)

Rakshasa Taisab (244699) | more than 7 years ago | (#18207528)

He informed the world about the bug in the same way as SCO informed the world about copyright and patent infringement by the Linux kernel.

Re:Crash? I thought the original claim was... (4, Interesting)

Rosyna (80334) | more than 7 years ago | (#18207540)

Frankly, I wouldn't even be surprised if he did some old-fashioned reverse-engineering of the patch to create the exploit for the older boxes.

And then used his time machine to go back in time to before the bug was patched and announce the exploit?


No, his original claim was a farce (hell, look at the video, there was only one wireless device available according to ifconfig). Apple then audited their code, found 3 bugs. He took one of the bugs mentioned, found out how to trigger it, triggered the crash and now claims he was right all along.

The problem is that what's happening now doesn't support his original claims. The original claims were he could hijack a MacBook in under 60 seconds and gain complete control of it. Now all he's getting is a crash with no control.

Re:Crash? I thought the original claim was... (5, Informative)

CaymanIslandCarpedie (868408) | more than 7 years ago | (#18207914)

Not taking any sides here, but here is what he has said about this (and other issues) from his blog [blogspot.com]

I thought you said it was a hijack yet you only showed a DoS.
Yup, I showed a crash. I didn't feel the need to do the entire hijack for two reasons: Apple already confirmed that this vulnerability leads to remote code execution (they said so in the advisory here). Everybody that was running a sniffer during my talk now has a copy of the DoS code. The demo had two parts. I showed the crash happening on a 10.4.6 machine since it didn't have any of the airport patches. I then rebooted into 10.4.8 and the crash no longer happened. I did this to prove that the Airport patches issued on Sept 21st, 2006 fixed the problem I was demoing. The only real change to airport code was the security fixes that were issued.


You just reversed the patches and found what you then showed on stage.
I find this to be a funny argument. If I have the skills to reverse the patches and do a binary difference analysis of them, why couldn't I use those same skills to find the bugs in the first place (they weren't hard to find). This argument also doesn't take into account the fact that I showed that the first crash of the exploit occurred on Jul 15th, 2006, or emails to Apple helping them build a wifi auditing box (A linux machine with madwifi patched with LORCON) and pointed them to a vulnerability that was fixed in their patches (a problem with overly long SSIDs). The picture below is from the day I bought the Macbook, July 15th 2006. This crash occurred because I was fuzzing other devices and the Macbook crashed before I got to run the initial setup.

Re:Crash? I thought the original claim was... (3, Insightful)

Durandal64 (658649) | more than 7 years ago | (#18209934)

This guy just doesn't quit. He claims that Apple confirmed that the vulnerability leads to remote code execution, which is bullshit. The description says "may be able to..." There's a world of difference there. Not every buffer overflow can be exploited to inject malicious code. It takes a lot of time and effort to actually find out whether it's practical to write an exploit, a lot more time and effort than simply patching the problem and being done with it. So why bother finding out for sure when you can just patch it and be sure that it won't get exploited?

The fact that he will only demonstrate a crasher just seals the deal that he's full of shit. If he's had a working AirPort exploit for all this time, why not just demo it and put this issue to rest? That's what any sane person would do. But instead he's carefully misrepresenting Apple's release notes to make them seem as if they support his claim, further destroying his credibility.

I think the most likely scenario here is that he originally found exploits for various third-party wireless drivers and saw an opportunity. With a cursory look at the AirPort drivers, he figured, "Yeah, I could write an exploit for them too". So he made a big announcement. He hated the "smug" Mac users, so now he could really stick it to them. But there was a problem. For whatever reason, he couldn't get his code to inject into the AirPort drivers. All he could do was KP the box. Well this wasn't what he initially promised. So when it came time to put-up or shut-up, he used a third-party card with drivers that he had been able to exploit. And of course, he knew that people would ask questions. Questions like, "Who cares? That card doesn't ship with Macs, and Macs have built-in wireless, so why would any Mac user ever need to buy this card?"

Ah, but clever him. He knew that Apple had a reputation for being secretive and releasing the legal hounds. So he could just say, "Apple threatened me with legal action if I demoed the exploit on their drivers" and voila! He's now a victim of The Evil Corporation! The Slashdot crowd would definitely believe him. After all, geeks don't like Apple because they're secretive, and this would be just another validation for them. They'd buy it without question. Even if Apple issued a statement saying that Maynor was lying, that wouldn't matter, because Apple is the one who tried to muzzle Maynor in the first place! See how the logic goes round and round?

Re:Crash? I thought the original claim was... (1)

Apotsy (84148) | more than 7 years ago | (#18211002)

He knew that Apple had a reputation for being secretive and releasing the legal hounds. So he could just say, "Apple threatened me with legal action if I demoed the exploit on their drivers" and voila! He's now a victim of The Evil Corporation!

Actually it was even more slimy than that. "Johnny Cache" said on a mailing list a while back: "Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch. Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation."

"Up for speculation" sounds like "we want everyone to think it, but don't want to be held responsible for saying it".

Also, "exceedingly responsible" ... hahahhahahahahaha ...

Re:Crash? I thought the original claim was... (1)

el americano (799629) | more than 7 years ago | (#18213008)

...he originally found exploits for various third-party wireless drivers...
...he figured, "Yeah, I could write an exploit for them too".
So he made a big announcement.
then...
All he could do was KP the box.

Hey, you left out, "he made a fraudulent demo to a gullible reporter, then hung him out to dry." Clearly his biggest sin. Too bad for him that showing a system should be vulnerable, and developing an exploit for it are vastly different things. I half expected that he might come up with something during the months of stalling to make Apple look like liars. Now I can only assume (a) he's competent, and it cannot be exploited or (b) he's incompetent, and a vulnerability did exist, but he couldn't exploit it. I doubt Maynor likes either of these options, but what kind of fool is still going to buy the "I have it, but I can't show it yet" roadshow anymore?

Re:Crash? I thought the original claim was... (1)

gordo3000 (785698) | more than 7 years ago | (#18217158)

just to point out,
every critical patch in windows has exactly that wording, even if there has been a major virus already released that affects that vulnerability. I'm not saying whether or not this guy is full of shit, but the wording a company uses when issuing a patch never says anything along the lines of "there is a full and working exploit that has been demonstrated". at least, not one I've ever read...

Re:Crash? I thought the original claim was... (1)

Bretai (2646) | more than 7 years ago | (#18210812)

The Apple patches were simply additional frame validation measures. The claim that this confirms an exploit was possible is ridiculous, especially from a security researcher who damn well knows the difference. Furthermore, DOS attacks are not that exciting in the first place, but when it's wireless, which is inherently vulnerable to DOS, it's really a waste of time to use this as the subject of presentation.

It is not possible that he doesn't understand that the only point of contention is whether he had an exploit or not. If it's only a crash, then he deserves no credit for finding a security vulnerability. This is what he's whining about, right? Well, he knows how to get credit. Unfortunately, short of a confession, we may never know what went wrong. My guess is that he had an exploit on an altered system, but it didn't work on a clean MacBook.
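The two technical points raised in this thread, that the AirPort patches were "additional frame validation measures" and that one of the fixed bugs was "a problem with overly long SSIDs", come down to checking the length byte of an 802.11 information element before copying it. The following is an added example, not code from the page, from Apple or from SecureWorks: a bounded parser for the SSID element, where the element layout (1-byte ID, 1-byte length, data) and the 32-byte SSID maximum are from the 802.11 standard and the sample byte strings are constructed for illustration.

```c
/*
 * Added example (not code from the page, Apple, or SecureWorks): a bounded
 * parser for the 802.11 SSID information element (IE), the kind of frame
 * validation this thread says the AirPort patches added.
 *
 * Management frames carry a list of IEs, each encoded as a 1-byte element
 * ID, a 1-byte length, then `length` bytes of data. The SSID element has
 * ID 0 and, per the standard, at most 32 bytes of data. A driver that
 * trusts the length byte and copies into a fixed 32-byte buffer overruns
 * it on an overly long SSID; checking the IE's own maximum and the bytes
 * remaining in the frame before every copy prevents that.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_ELEMENT_ID 0
#define SSID_MAX_LEN    32

enum ssid_status {
    SSID_OK = 0,          /* SSID copied into out, *out_len set        */
    SSID_NOT_FOUND = 1,   /* no SSID element present in the IE list    */
    SSID_TOO_LONG = 2,    /* SSID element longer than the 32-byte max  */
    SSID_TRUNCATED = 3    /* a length field runs past the end of frame */
};

/*
 * Walk the IE list in ies[0..ies_len) and copy the SSID into out, which
 * must hold SSID_MAX_LEN bytes. Every length field is validated against
 * the bytes actually present before it is used for a copy or a skip.
 */
enum ssid_status extract_ssid(const uint8_t *ies, size_t ies_len,
                              uint8_t *out, size_t *out_len)
{
    size_t pos = 0;
    *out_len = 0;

    while (pos + 2 <= ies_len) {            /* need a full ID + length header */
        uint8_t id  = ies[pos];
        uint8_t len = ies[pos + 1];
        pos += 2;

        if (len > ies_len - pos)            /* claims more bytes than exist */
            return SSID_TRUNCATED;

        if (id == SSID_ELEMENT_ID) {
            if (len > SSID_MAX_LEN)         /* the overly long SSID case */
                return SSID_TOO_LONG;
            memcpy(out, ies + pos, len);    /* safe: len <= 32 and in bounds */
            *out_len = len;
            return SSID_OK;
        }
        pos += len;                         /* skip an element we do not parse */
    }
    /* A dangling 1-byte header with no length byte is malformed as well. */
    return pos < ies_len ? SSID_TRUNCATED : SSID_NOT_FOUND;
}

/* Constructed sample IE lists (not captured traffic). */
static const uint8_t good_ies[] = {
    0x00, 0x04, 'l', 'a', 'b', '1',         /* SSID "lab1"             */
    0x01, 0x03, 0x82, 0x84, 0x8b            /* Supported Rates element */
};
/* SSID element claiming 40 bytes: rejected before any copy happens. */
static const uint8_t long_ies[] = {
    0x00, 0x28,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};
/* Element whose length field points past the end of the frame. */
static const uint8_t short_ies[] = { 0x01, 0x10, 0x82 };

int main(void)
{
    uint8_t ssid[SSID_MAX_LEN];
    size_t n;
    enum ssid_status s;

    s = extract_ssid(good_ies, sizeof good_ies, ssid, &n);
    printf("good:  status=%d ssid=%.*s\n", (int)s, (int)n, ssid);
    s = extract_ssid(long_ies, sizeof long_ies, ssid, &n);
    printf("long:  status=%d (rejected, nothing copied)\n", (int)s);
    s = extract_ssid(short_ies, sizeof short_ies, ssid, &n);
    printf("short: status=%d (rejected, nothing copied)\n", (int)s);
    return 0;
}
```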

Re:Crash? I thought the original claim was... (1)

Bretai (2646) | more than 7 years ago | (#18214476)

Since "Hijack" details were clearly *not* revealed, by David Maynor's own account, the editor (Zonk) would do well to update his summary.

Re:Crash? I thought the original claim was... (1)

mgabrys_sf (951552) | more than 7 years ago | (#18242946)

re:"Yup, I showed a crash. I didn't feel the need to do the do the entire hijack for two reasons:"

One - he couldn't - Two - he needed to use the remaining 59 seconds to think of a cover-story for reason number one.

apple can iFuck off (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18207662)

Apple iSucks my nuts.

This guy finds a bug, announces to the world that he found it (his mistake by not telling apple first), and then Apple threatens him legally.

Apple is a bunch of lawyer happy assholes. They have proven it over and over.

Love the product but I fucking iDespise the company.

Re:apple can iFuck off (4, Insightful)

Space cowboy (13680) | more than 7 years ago | (#18208518)

So, let me get this straight

1) he finds a bug, but he can't quite manage to exploit it. He can crash the machine (and that's a bad thing) but it doesn't *necessarily* mean he can exploit it.

2) There's a big conference coming up, and he knows he'll get the headlines if he announces anything bad about Apple. That's just the way of the world. Dammit, he *still* can't find the exploit.

3) The deadline arrives, he can't exploit the machine, but he goes ahead and gives the demo (faking the evidence with a different machine), confident that he'll get there eventually.

4) He hides behind "legal issues" (even now, he won't reveal emails) to prevent himself from being exposed as the liar he appears to be.

This series of events is just about the worst thing a researcher can do. It's like an athlete taking steroids - there will be no forgiveness, no olive-branch will be offered; his reputation is irredeemably tarnished, because he lied for personal gain. We *need* to be able to trust people publishing exploits, and if this means his career is in ruins, I say "Hurrah!" The less people like this around in the business, the better.

I just want to also point out that I don't recall any lawyers being involved at any time in this dispute - neither party claimed lawyers were involved (he said Apple "leaned on" his employers, whatever that means, but lawyers were never mentioned.)

Apple claim he released insufficient technical details to them to help them in their investigation, so they had to go to the trouble of doing a full internal audit of a large source tree (and all the time, he's spreading disinformation and tarnishing their name). They find and fix some bugs, and now he's in an even worse position - his crash "exploit" won't work.

So, now, he releases the "details" - he's given up trying to exploit the original OS, and brushes that small point aside in the "details". He tries to save as much face as possible instead of admitting he was just plain wrong - he's basically covering his ass. Does anyone else think "details" ought to actually show the information he claimed to have (like being able to take control of a Mac in 60 seconds) ?

In science, there are two fundamental maxims

      1) Don't falsify the data.
      2) Extraordinary claims require extraordinary evidence. (*)

He failed, on both of these, as far as the world can tell.

(*) "Extraordinary" here means in the technical sense - the first exploit of any kind requires unequivocal proof. I don't care if it's OSX, Windows XP, or Linux - show the data. Prove the case. Don't wave your hands around and babble.

Simon.

Re:apple can iFuck off (0, Informative)

Anonymous Coward | more than 7 years ago | (#18209008)

Nice story you made up there, not the truth but nice story you made up.

Below is a link to the truth.

http://www.channelregister.co.uk/2007/03/02/maynor_apple_flaw/ [channelregister.co.uk]

Re:apple can iFuck off (4, Insightful)

Fahrenheit 450 (765492) | more than 7 years ago | (#18209340)

No. That is a link to a story with a great lack of details and a number of still unsubstantiated claims.
There is still no public supporting evidence for his claims -- he hasn't even posted his personal correspondence with Apple yet, something he'd been free to do since day one.

Maybe he'll get around to it someday... who knows. But for now it's still just a lot of words with no support.

Re:apple can iFuck off (0)

Anonymous Coward | more than 7 years ago | (#18209424)

It really kills you that somebody who saw his presentation now believes him doesn't it.

Don't take it so personally, he did sound like a hoax in many ways but when you put it all together and compare it to previous apple behavior it all kinda fell into place.

Also, the register is a fairly reputable news source, just fyi.

Re:apple can iFuck off (2, Insightful)

Fahrenheit 450 (765492) | more than 7 years ago | (#18209842)

It really kills you that somebody who saw his presentation now believes him doesn't it.

Not at all. Though it does bother me that someone is willing to call something truth when there is still no evidence made public to substantiate it.

And regardless of how reputable The Register is, the article provides no information that support the reporter's conclusions. And until Maynor publishes those emails, there won't be any. He's already posted two updates to the blog since his presentation, including one that pertains to why he can't release his old work emails, but he hasn't yet made the personal ones available (nor has he even claimed that his old company won't allow him to release the old emails, just that they aren't his property and that releasing them without permission could be bad -- has he even asked for permission?).

Cases like this call for as much disclosure as is possible, and he hasn't come close to that yet. It's still a bunch of "oh, I plan to do this" and "oh, I could do that" with no backup. Either provide all of the info that you can, or shut up. That's all that's been asked since day one.

somebody now believes him (1)

Serious Callers Only (1022605) | more than 7 years ago | (#18209872)

It really kills you that somebody who saw his presentation now believes him doesn't it. Don't take it so personally, he did sound like a hoax in many ways


No, I think the grandparent just found your 'evidence' unconvincing, to say the least, and yes, Maynor does sound like a hoax, because he talks a lot about evidence and then doesn't present any.

Also, the register is a fairly reputable new source, just fyi.


The Register is in no sense reliable, it's a great example of sensationalist tabloid journalism, but it's about as reliable as a Slashdot article if you're looking for facts.

Yes it does! (0)

Anonymous Coward | more than 7 years ago | (#18211028)

> 1) he finds a bug, but he can't quite manage to exploit it. He can crash the machine (and that's a bad thing) but it doesn't *necessarily* mean he can exploit it.

When it's due to memory corruption and when you can overwrite certain registers, it DOES mean that arbitrary code execution is possible. It may be pretty damn difficult to get just the right values in there, but this is one case where you can be 99.999% certain that it really is exploitable.

If you don't believe me, please give a non-contrived example where you can do something like overwrite the EIP with an arbitrary value and still not be able to execute arbitrary code :P

Sorry, but sometimes you really *can* know that crash == remote code execution, even if getting exactly the values you want to make the exploit work is hard.

Lastly, the "extraordinary" in "extraordinary evidence" is a purely subjective matter. It has no place in what should be an objective pursuit. If you don't believe me, please provide "extraordinary" evidence of it, because I don't believe you.

Re:Yes it does! (3, Insightful)

Space cowboy (13680) | more than 7 years ago | (#18211400)

When it's due to memory corruption and when you can overwrite certain registers, it DOES mean that arbitrary code execution is possible. It may be pretty damn difficult to get just the right values in there, but this is one case where you can be 99.999% certain that it really is exploitable.

If you don't believe me, please give a non-contrived example where you can do something like overwrite the EIP with an arbitrary value and still not be able to execute arbitrary code :P


I refer the honourable gentleman to the reply I gave some moments ago - if he can do it, he ought to do it. Until he does it, I don't believe he can do it.

So, here's your example: the exact "exploit" he's claiming to be able to perform.

Lastly, the "extraordinary" in "extraordinary evidence" is a purely subjective matter


No, it's not. Which is why I used "in the technical sense" in the original comment. "Extraordinary" means "out-of-the-ordinary" - the claim is not run-of-the-mill, it's the first remote exploit of an Apple laptop. The proof should also be bulletproof (actually, right now I'd settle for just proof, not incontrovertible evidence!) At the moment, all we have is a load of hot air and bluster.

Simon.

Re:Yes it does! (1)

Luis Bruno (1070976) | more than 7 years ago | (#18218528)

please give a non-contrived example where you can do something like overwrite the EIP with an arbitrary value and still not be able to execute arbitrary code

If writable memory pages aren't executable (W^X, NDX, I don't recall the acronyms), your program can't execute runtime-supplied code, evah. Either setting EIP maliciously or not, you won't be able to "jump off and execute" any code which was not present at the time of compilation.

Were you trying to prove a negative proposition? Pretty basic mistaek, dude.

Re:apple can iFuck off (0)

Anonymous Coward | more than 7 years ago | (#18213288)

Don't worry, the Apple apologists will defend their beloved company to the end of time and do their damnedest to run this guy's reputation into the ground. They'll paint him as a liar, a fraud, whatever they can do so that Apple is the good-guy once again. Apple is never in the wrong. Never.

Re:Crash? I thought the original claim was... (1)

bluemonq (812827) | more than 7 years ago | (#18207664)

Pointing out a flaw != knowing how to exploit it.

Here's a crude analogy: scientists have known about the hole in the ozone layer around the South Pole. They know what caused the problem, the process of how the problem developed, even the chemical mechanism that perpetuates the hole - but they can't do anything to shrink it any faster than just letting it repair itself. Get my point?

Re:Crash? I thought the original claim was... (5, Interesting)

AchiIIe (974900) | more than 7 years ago | (#18207758)

That is correct, the original video was faked... They prob were close but did not want to wait.
Here is a video I made debunking their proof: http://video.google.com/videoplay?docid=146818771711399295&hl=en [google.com]
My guess is that they got a buffer overflow but had not yet found the correct location in memory to write their shellcode. They still have not...

Re:Crash? I thought the original claim was... (2, Interesting)

raynet (51803) | more than 7 years ago | (#18212974)

Pretty solid video. I just want to add two things. First, the IEEE page says:

Your attention is called to the fact that the firms and numbers listed may not always be obvious in product implementation. Some manufacturers subcontract component manufacture and others include registered firms' OUIs in their products.

And second, though not sure about Macbooks and OSX, but often you can change your MAC address, though it would be silly to change it to Apple's OUI.

So there is a small possibility that the video was real. Perhaps the shot where you see the Terminal.app was filmed at a later time, quite probable if they only used one camera for filming the demo.

So, most likely a fake.

Just an observation..... (2, Interesting)

8127972 (73495) | more than 7 years ago | (#18207294)

Apple came out with a patch that addresses this issue:

http://news.com.com/New+Apple+patch+plugs+Wi-Fi+hijack+flaws/2100-1002_3-6118245.html [com.com]

The article doesn't mention if the machine he used in the demo had this patch. And if so, that may imply that the patch has holes.

Re:Just an observation..... (4, Informative)

donicer (256075) | more than 7 years ago | (#18207334)

There were two demos:
One on 10.4.6 showing that it was vulnerable (crash achieved and remote code execution is possible).
The second demo showed no crash on 10.4.8 showing that the patches Apple released did indeed fix the problem he pointed to.

I do not understand the fuzz. (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18207444)

What's the point?

(1) I would and do release immediately security faults I find. (have found some).

(2) If someone says I did not find it or throws smut at me I'd sue - all the media running such articles which falsify my work or findings.

So simple.

Companies do act and correct bugs faster when security faults are released.

Re:I do not understand the fuzz. (1, Informative)

Anonymous Coward | more than 7 years ago | (#18207594)

If I recall the facts of this particular event clearly, there was a lot of legal threat mumbo jumbo that Apple held over his head for a while.

Re:I do not understand the fuzz. (0)

Anonymous Coward | more than 7 years ago | (#18207822)

Is it illegal to express yourself in the land of freedom (har har)?

Re:I do not understand the fuzz. (0)

Anonymous Coward | more than 7 years ago | (#18209804)

There was never any proof of that... just Maynor spouting nonsense. It was only a fact that he mentioned it...

  He never put forth any evidence that he was being "silenced" or "threatened" by apple.

That's more of the Maynor "spin"...

And somewhere, (1)

Hawthorne01 (575586) | more than 7 years ago | (#18207704)

Re:And somewhere, (1)

Tim Browse (9263) | more than 7 years ago | (#18208394)

Do you mean because he put an expiry date on his challenge [daringfireball.net] ?

Proof in the pudding (4, Insightful)

Thrudheim (910314) | more than 7 years ago | (#18207818)

I await the promised publishing of the email exchanges with Apple on his blog. If he shows that he actually did provide Apple with details on the exploit, then he might restore some credibility. As it stands, however, his demo yesterday sounds like more of the same obfuscation that has characterized this whole incident.

1) In the original demo, he gained command-line access to the target machine (using a third-party wireless card). The claim was made to Brian Krebs in the Washington Post that the built-in wireless was similarly vulnerable (which would be far more relevant, since all MacBooks have built-in wireless). Yesterday's demo showed a crash of the target machine. That's bad, but he still has not demonstrated a takeover of the MacBook using the built-in wireless after all this time.

2) The fact that Apple's patch addresses the flaw that caused the crashing does not prove that Maynor engaged in responsible disclosure. Apple has said that Maynor provided them with no code or other details about the exploit, and that they did their own investigation. The investigation, according to Apple, revealed a flaw, leading to the patch. The issue is NOT whether a flaw existed. All Maynor demonstrated was that Apple's security patch works, which is really not that enlightening.

Re:Proof in the pudding (1)

Afecks (899057) | more than 7 years ago | (#18208122)

He doesn't need to "takeover" the MacBook. Apple has already verified that the bug leads to remote code execution. Do you need a signed affidavit from Apple? Obviously if he can trigger it to crash, he can get it to do what Apple has already admitted that it can do!

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18208234)

Well that is what he said he could do ... heck he even demoed it against a MacBook using a 3rd party adapter and in an interview stated that he could in effect do it against the built in MacBook adapter.

Really he likely should have just not said anything at all since what he just showed does nothing to prove that what he said months ago was actually true.

Re:Proof in the pudding (5, Insightful)

TPIRman (142895) | more than 7 years ago | (#18208542)

This is the same bullshit please-connect-the-dots-for-me reasoning that Maynor has come up with all along. The question at issue is not whether there was a bug that allowed remote code execution. Yes, Apple has said as much. The question is whether Maynor had actually discovered such a bug. So far he has done nothing to dissuade objective observers that he's anything but an attention-grabbing fraud.

Doesn't it strike you as the least bit shifty that Maynor, eager to clear his name and prove that he was right, suddenly doesn't "feel the need" to demo the hijack he originally claimed? Oh, but don't worry, he could hijack the MacBook if he really wanted to! According to Maynor, Apple has been lying and covering up through this whole ordeal, but now we are supposed to essentially take Apple's word for it that his crash demo = hijack. Please.

Let's apply Occam's Razor here. Did Maynor fail to demo a hijack -- despite the fact that it would restore at least some of his credibility -- because he thought it was just as convincing to piece together circumstantial evidence from Apple press releases? Or did he fail to demo a hijack because he can't? Are we supposed to believe that after all this time and humiliation, Maynor really doesn't "feel the need" to back up his inflammatory words? I don't buy it, and I don't see how any rational observer can.

As the GP said, the proof is in the pudding -- all we've got here is a box that says "pudding mix, really!" and a promise from Maynor. Same as before. The guy is a charlatan.

Re:Proof in the pudding (3, Insightful)

mjeffers (61490) | more than 7 years ago | (#18208902)

Let's apply Occam's Razor here. Did Maynor fail to demo a hijack -- despite the fact that it would restore at least some of his credibility -- because he thought it was just as convincing to piece together circumstantial evidence from Apple press releases? Or did he fail to demo a hijack because he can't? Are we supposed to believe that after all this time and humiliation, Maynor really doesn't "feel the need" to back up his inflammatory words? I don't buy it, and I don't see how any rational observer can.


This is really the key point. To believe Maynor at this point you need to believe that someone who is concerned about repairing a tarnished reputation is so worried about people figuring out how he could exploit an already patched vulnerability that he decides to only show the crash rather than the take-over exploit. Maynor has a bone to pick with Apple/Apple users and managed to find a bug he couldn't find last year with the help of Apple's patch notes.

If you need a security consultant to analyze your patch notes and find known vulnerabilities he's your man. Otherwise, he's a joke.

Re:Proof in the pudding (2, Insightful)

Sancho (17056) | more than 7 years ago | (#18209402)

You really have to piece together a lot of this puzzle to understand some of the underlying issues.

Timing is everything with wireless. An overflow which causes a crash one time may allow for remote code execution the next. It's all very tricky to get right, and there are non-driver issues that can cause problems (things like interference, which you can't control). Maynor or Cache alluded to this at one point, and it was speculated that this might have been the real reason that they did a video demo instead of a live one--a live exploit demo which fails (but crashes the system) 6 times before it succeeds isn't all that impressive.

So there were very similar (nearly identical) bugs in other vendors' drivers. FreeBSD had patched their version of the bug in January 2006. It was a similar exploit in a similar driver for similar hardware. It's far from a stretch to assume that he noticed his Macbook crash when he got it (he claims he was fuzzing other devices at the time here: http://erratasec.blogspot.com/2007/03/apple-infoand-thats-all-folks.html [blogspot.com] ), he started investigating the chipset, found that it was Atheros, started researching the bug, and discovered the near identical one that had been patched 6 months ago. For someone with the knowledge, it should be trivial to adapt to the new platform, given the similarities between the FreeBSD and Apple drivers.

Now it all gets pretty fuzzy around the time that they claim to be using 3rd party hardware. Why do that? Why does the video clearly show the Apple interface with an Apple MAC if they were using a 3rd party card?

If we assume that he's lying, the video shows all of this because it was rigged. If we assume that he's telling the truth, then that is just more evidence to the "Apple coverup".

The point of all of this, though, is that I think there's a certain amount of plausibility to all of this. I don't think that the situation I outlined above is a stretch. I do think that if it even remotely resembles the reality of the situation, then Maynor and Cache were exaggerating their own skills in determining the exploit. There was a pretty big inference by everyone at Blackhat that Maynor and Cache had discovered and engineered the exploit alone, not that it was based upon a pre-existing exploit for another OS. If they didn't intentionally imply that...well, then it sucks to be them, but their credibility takes a bit of a hit for it.

Oh, and the timing issue I mentioned above? Could well be why he only demoed a crash instead of a full exploit this time. He's got Apple's word that remote code execution is possible, and he's shown that he can cause the crash. Who knows how many takes their video took to get right? With a live demo, you really only get one shot.

Re:Proof in the pudding (2, Interesting)

Afecks (899057) | more than 7 years ago | (#18209700)

You obviously know very little about exploits. If the bug allows remote code execution, which Apple plainly states is possible, the difference between a crash and a hijack is only a matter of a few bytes of shell code. So in essence he has done the hardest part already. Then you come along and claim that since he didn't take it all the way and give you the final easiest 1%, now he's a complete fraud and a liar.

Even if he had demonstrated the original takeover that still wouldn't prove his story. Yet you claim that because of this it makes him look guilty. Nice logic. Basically, either way you get to claim he's full of shit.

Many major vendors have a known history for screwing over vulnerability researchers such as Cisco, Apple, Microsoft and others. I just have a hard time believing this is any different.

Re:Proof in the pudding (1)

DaggertipX (547165) | more than 7 years ago | (#18210270)

>Many major vendors have a known history for screwing over vulnerability researchers such as Cisco, Apple, Microsoft and others. I just have a
>hard time believing this is any different.

So almost a year later he comes forward, still doesn't demo what was promised the first time (and I don't even want to hear you whine about, well that's the easy part - because if it really was, he would have shown that), and you still want to think it was just the big bad corporations holding him down...

I guess I'm just not good enough with the suspension of disbelief thing. I suppose it's not worth mentioning that maybe he's just trying to save face by exploiting what Apple has now published? Because honestly, even THAT is more reasonable than what he has claimed up until now. I guess we can thank him for proving the fix really works...

Re:Proof in the pudding (1)

Afecks (899057) | more than 7 years ago | (#18210448)

So did you have anything to add or were you just going to rehash and repeat the GGP?

Like I said, it doesn't matter what he does now. The patch is released, anyone could reverse engineer it. It doesn't add to his credibility but it doesn't remove from it either. Regardless of how you want to spin it.

Which is the more reasonable culprit? A huge company with known problematic disclosure practices trying to keep its stock up or some guy trying to keep his pride. Both are reasonable. It's just that one has a history of occurrences and the other doesn't.

Re:Proof in the pudding (1)

DaggertipX (547165) | more than 7 years ago | (#18210638)

Oh, so you missed my point. Fair enough. What I was adding to the conversation was that the "reasonable culprit" side of this argument was and is nothing more than paranoid "the man keeping us down" delusion. I'm not saying that it isn't a possibility, just that jumping to it with no further information is ridiculous.
Oh, and I wouldn't call him a "guy trying to keep his pride", I'd call him a security researcher trying to exploit the name of a corporation that is currently popular to inflate his own value.

Re:Proof in the pudding (1)

Afecks (899057) | more than 7 years ago | (#18210780)

I'd call him a security researcher trying to exploit the name of a corporation that is currently popular to inflate his own value.

Apple already did that more than he could ever hope of by making such a big stink over it. It's funny how that always backfires [wikipedia.org] on people. But go ahead and make your ad hominem argument. Maybe in the future he will be wise to only disclose vulnerabilities in software owned by companies that won't pitch a hissy fit and make him famous.

Re:Proof in the pudding (1)

DaggertipX (547165) | more than 7 years ago | (#18211018)

Obviously we disagree with how things were handled. Honestly, I think in this particular situation, Apple did well. I just don't necessarily think that all big corporations are evil by default. Maybe I just haven't been as abused by them.
I hope that if he does learn any lesson from this, instead it is this: Don't publicize a flaw unless you can prove it, which to date he has still failed to do.

Re:Proof in the pudding (4, Insightful)

TPIRman (142895) | more than 7 years ago | (#18210364)

If the bug allows remote code execution, which Apple plainly states is possible, the difference in a crash and a hijack is only a matter of a few bytes of shell code.

You are buying into Maynor's fundamental misdirection here. He wants you to assume that the bug he is exploiting is the same as the bug that Apple says could allow remote code execution. But there is no evidence to support this assumption. Apple has fixed multiple AirPort bugs since 10.4.6. There is no way of knowing that Maynor is exploiting an AirPort bug that allowed a hijack rather than a crash.

If it would only take "a few bytes of shell code" and the "easiest 1%" to make this exploit into a hijack, why not do it? His original claim was that he could hijack a MacBook, period. Now, supposedly given the chance to prove it, he just couldn't be bothered to slap together some shell code? Really? It's hard to believe that you don't find Maynor's "I can do that, I just don't feel like it" argument fishy at all.

Re:Proof in the pudding (2, Funny)

Afecks (899057) | more than 7 years ago | (#18210686)

It's hard to believe that you don't find Maynor's "I can do that, I just don't feel like it" argument fishy at all.

What the hell are you talking about?! Whether or not he can do it is not the issue! Apple has admitted that it is possible.

Here is TFA [apple.com] if you are too lazy to actually read it. Hell, since you like putting things in bold I'll help you out...

Impact: Attackers on the wireless network may cause arbitrary code execution

No no. That's not the bug Maynor was talking about, this is a different Wi-Fi remote code execution bug. Completely unrelated. Apple even pinky swore.

Re:Proof in the pudding (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18211512)

So because he says there might be a remote exploit issue, he deserves credit for any and all exploit issues found from now on, no matter what, even though he never provided proof of anything? Oh, ok.

Say, I think there might be security problems in Windows. I now deserve credit for every single security patch ever from now on.

Re:Proof in the pudding (4, Insightful)

TPIRman (142895) | more than 7 years ago | (#18211548)

Whether or not he can do it is not the issue!

As I said above, that is, in fact, the issue. Nobody is disputing that a remote AirPort exploit was possible; that matter has been settled by Apple. You can be as sarcastic and triumphant as you want, but I already agree that there were documented remote-exploit bugs in Apple's code. Everybody does.

The issue here is Maynor's reputation. A responsible security researcher has to be able to back up his claims. Maynor said he could hijack a MacBook. He never provided evidence that he could. Now he says, "Look, they fixed this AirPort bug, so I was telling the truth!" But he still doesn't demo the hijack, even on an unpatched machine.

The debate over whether there were serious AirPort bugs has been settled. But Maynor has never demonstrated that he had the goods. He has left it to insinuation and sleight-of-hand. You have bought into his misdirection, and you still haven't answered the central question: If, as you claim, a remote takeover required only a bit of shell code, why not just do it?

(Boldface added to that last bit purely out of love.)

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18212826)

Because maybe the same reason he made the video in the first place, weaponized shellcode could be plugged into a number of different exploits making things that were a DoS before suddenly bad. He released the PoC of the macbook exploit showing that he can control the instruction pointer which means he could execute code of his choosing.

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18237558)

And why lie during his videoed exploit about using an external wifi card, when his screen shows the MAC address belonging to Apple? At the very least, he is a "researcher" who lies about his setup. You may continue to believe his data and conclusions as untainted. I don't, I take a researcher's ethics seriously, and he is off my radar in terms of believing anything he may now claim.

Re:Proof in the pudding (1)

Sancho (17056) | more than 7 years ago | (#18212432)

I touched on "why not just do it" in another reply.

With timing attacks, not only do you have to get the shell code right, you also have to get the timing right, and that's mostly going to be luck unless you have control over a lot of factors.

With a wifi timing attack, you need even more control over your environment, because stray interference can cause you to lose the opportunity to exploit and simply cause a crash.

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18236124)

It might have something to do with the first demo. When he did a full takeover of the machine in a video nobody understood what was going on. Maybe he thought just showing it crashing would get his point across.

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18212328)

Occam's Razor only applies if you use all evidence to form the conclusion, you seem to leave a bunch out. Things like Apple's track record with researchers need to be included. You failed to factor in the email that completely disproved Apple's statements of receiving nothing useful since it shows them how to build a testing environment for these types of flaws and included code to trigger one of them. If you add in these tidbits of information you suddenly get a completely different output using Occam's Razor. So which is it? Long time researcher decides to suddenly fake a problem or a company that has a long history of covering up problems does it once again?

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18212434)

Yes, you're absolutely correct. Here's something many have failed to mention: Maynor is showing an image of a crashed Macbook and yet (at least according to securityfocus.com) claiming responsibility for the Broadcom driver exploit. Yet - Broadcom chipsets are NOT USED on macbooks. Hrm - little confused there Maynor? Possibly just an inaccuracy in securityfocus.com, but certainly suspicious.

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18212564)

He claimed he reported both a macbook exploit and a powerbook exploit to apple. The powerbook is based on the broadcom chipset. It's this kind of error that makes no one want to think you have a clue.

It's amazing everyone seems to have made up their mind without seeing the presentation.

Re:Proof in the pudding (1)

_pi-away (308135) | more than 7 years ago | (#18214648)

Let's apply Occam's Razor here.

Yes, let's do apply it. He announced a vulnerability in Apple's (and a number of other vendors') wifi layer 2 frame handling and then demonstrated it (without releasing code). Apple, Intel, and a number of other affected vendors then released patches for exactly that area of code.

You truly feel the simplest explanation is that he was just bs'ing and then those vendors just happened to find that exact issue? Seems unlikely to me.

Not to mention, in many cases, a crash is just a landing pad and some shell code away from an exploit.

Re:Proof in the pudding (0)

Anonymous Coward | more than 7 years ago | (#18217276)

No one mentions how crappy the audit must have been if HD Moore and the Month of Kernel Bugs project found two different bugs not even a month after they were released.

So was it an audit or did they fix problems they were told about and called it an audit?

Re:Proof in the pudding (1)

SanityInAnarchy (655584) | more than 7 years ago | (#18208508)

I await the promised publishing of the email exchanges with Apple on his blog.

Not happening. From TFA:

For legal reasons, Maynor said he could not share e-mails sent from his SecureWorks address.

In any case, I can say that Apple throws NDAs on every email they send from their bug reporting service. I don't know if it'd hold up in court, but it does make me nervous about even posting the stupid, annoying little bugs that I've reported to Apple... and it is one of the reasons why my next laptop will not be a MacBook.

Re:Proof in the pudding (1)

Achromatic1978 (916097) | more than 7 years ago | (#18210190)

I can say that Apple throws NDAs on every email they send from their bug reporting service. I don't know if it'd hold up in court

I'd hazard a guess at "No, it wouldn't", though it doubtlessly would be an expensive/time-consuming/stressful experience to have to go through if need be. Non Disclosure AGREEMENT... I haven't agreed to anything, let alone a legally binding commitment, by sole virtue of receiving an email from Apple.

Fir5t post... (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18207920)

the mundane chores Nearly two years whole has lost states that there A losing b4ttle; I

The reason he didn't actually show a takeover... (4, Funny)

dpbsmith (263124) | more than 7 years ago | (#18208460)

Why didn't he simply show a repeat of the same thing he demonstrated before--a takeover of the machine?

Because "a magician never repeats a trick."

Re:The reason he didn't actually show a takeover.. (0)

Anonymous Coward | more than 7 years ago | (#18215154)

Watch the video linked in the message above [slashdot.org]

It is obvious he faked the exploit, the video clearly shows the Mac WAS NOT running the wireless card he showed and claimed to be using. The MAC address was visible, the first half of which indicates the vendor.

He's still trying to weasel out of it. (0)

Anonymous Coward | more than 7 years ago | (#18210386)

What little "evidence" he's provided actually seems to discredit him further.

He keeps claiming that he found an exploit and reported it to Apple, but that the emails he exchanged with them aren't his property. But why can't he finally---for once---be quite explicit about what he did and when.

He won't because it seems to support the story that came from Apple: that he found some kind of wifi vulnerability in *something* but completely and utterly failed to demonstrate how it could affect any stock Apple product. The demo last year did *not* use the MacBook's built-in wifi card or driver. And the only data that he's actually said he sent to Apple was how to set up a Linux machine to demonstrate a wifi exploit.

Best case: he found some kind of bug which was common in wifi drivers, acted incredibly unprofessionally in the way he reported it (preferring FUD to concrete warnings), and tried as hard as he could to get publicity by pretending it had anything to do with Apple.

Worst case (that I think is still quite likely): he never really found anything, and has been working his ass off the last six months trying to find any kind of wifi bug that Apple fixed between 10.4.6 and 10.4.8 that he can claim was the basis for his original exploit. The argument "if I could find a bug based on a patch, then I could have found the bug without the patch" is absurdly disingenuous: more information can only help you. Throw in an extra six months to work on the problem, and a demo now is quite a different achievement than it would have been when he claimed he did it.

All we know is that there used to be some kind of bug in 10.4.6 which was fixed in 10.4.8 (which is exactly what Apple said in the release notes)---there is zero new evidence that any exploit existed six months ago, and there is zero evidence that Maynor/Ellch provided any technical assistance to Apple in finding this bug.

Maynor still hasn't actually posted the data he has promised (and hasn't said exactly what this data is), he's not giving straightforward answers to simple questions, and he's refusing any critical comments on his blog.

This is a long way from a vindication for him...

Mistakes? (2, Insightful)

dr.badass (25287) | more than 7 years ago | (#18214358)

I'm still waiting for a demo of this phantom exploit on a Windows machine:

"Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."

"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said." -- Hijacking a Macbook in 60 Seconds or Less [washingtonpost.com]

Actually, what I'm really waiting for is for Maynor to stop opening his mouth.

Re:Mistakes? (1)

mkiwi (585287) | more than 7 years ago | (#18214982)

Actually, what I'm really waiting for is for Maynor to stop opening his mouth.

And typing with his fingers/toes, possibly with his nose.

I dunno- Apple's legal team will have to get together and see if they can get a court order to recommend his castration.

Re:Mistakes? (0)

Anonymous Coward | more than 7 years ago | (#18217194)

http://it.slashdot.org/article.pl?sid=06/11/12/0824250 [slashdot.org]

He showed on stage how that vulnerability was found in June of last year and how to exploit it. Code is available through the metasploit project.

Just stop it (0)

Anonymous Coward | more than 7 years ago | (#18216380)

David Maynor is a fraud and a liar. The demo in the original video was faked. How do I know? Let's think about this...David Maynor had no driver sources...maybe even no x86 Darwin sources (I believe those were posted later). This sort of elaborate hack could take a really really really good programmer weeks and weeks on a completely open source system. Why? Because there are many non-trivial problems to solve. How do I figure out exactly what fields in the wireless frame cause an overflow in the driver and, how can I prevent that overflow from causing a panic? How do I take over the instruction pointer? How and at what address do I inject my object code? How do I jump to the object code, execute enough instructions to manipulate a process (likely requiring many jumps around the kernel) to connect back to me with a shell, and do it without panicking the kernel? How do I include all the object code necessary to do this in either one (the easiest) wireless frame or a series (much harder) of frames? If I recall correctly, David Maynor started rambling about this hack almost a month before Black Hat Las Vegas. That gives him a little over a month from the release of the original MacBook to have developed this exploit. Is David Maynor an x86 assembly expert? Is David Maynor an xnu kernel master? Is David Maynor a Darwin kernel extension reverse engineering rockstar? He would have to be in order to accomplish such a feat. In fact, if that were the case, I would go as far as to say that David Maynor is wasting his life giving worthless lectures on how anyone can sniff your pop3 email password if you check your mail on an open wireless network. Someone should really be paying him a lot of money to write code...but nobody is. Why? Because David Maynor has no hack.

From the looks of it...all this joker did was run an off the shelf "phishing", or whatever the kids call it, tool that threw a bunch of garbage wireless frames at the MacBook. Yea he made it panic, but so what. That's not sensational enough to sell books and speaking engagements, so he made up a dramatic video that the press ate up.

I would love for Maynor, or his sidekick Johnny "the boy wonder" Ellch, to prove me wrong and give us all the nitty gritty technical details of how they actually gained control of the MacBook. Unfortunately, that will never happen. Not because of any legal problems or whatever Maynor is crying about this week, but because he has no hack...and he is a liar..and a fraud...and we should all do the legitimate security community a favor and stop giving this guy the kind of attention he craves.

Third Party Wireless (1)

stewbacca (1033764) | more than 7 years ago | (#18216584)

Good thing all MacBooks have wireless built in and there is no need to install whatever third party wireless adapter he was using.

I don't know the history, but evidently he claims to be able to hack the built-in wireless too? Then why doesn't this video show that? For all I can tell, he set up some code that lets the two machines talk to each other. Whoopdy doo.
