[olug] wifi device driver exploits

Rob Townley rob.townley at gmail.com
Sat Sep 22 12:21:35 UTC 2007


On 8/24/06, Rob Townley <rob.townley at gmail.com> wrote:
> Hijacking a MacBook in 60 Seconds or Less
> http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco.html
>
>
> In case you have not heard, there is very probably a probable
> (repetition intended) exploit of wifi devices no matter what operating
> system is used because it attacks device driver code based on FreeBSD
> that was used in Linux, Windows, and the Mac.
>
> Just like a Ford Mustang is almost completely made in Mexico of parts
> from who knows where.  Device drivers are often not made in the houses
> of Apple and Microsoft and RedHat.  Apple can say the Atheros driver
> was not Apple made, but it does come on the OS CD.  When Netgear uses
> FreeBSD source from Atheros and pays Microsoft to sign the driver, who
> owns the driver?  Because of this, they think they have deniability.
>
>
> Jon brought this up at a SecurityPosture/CompUSA meeting long before
> it came out at Blackhat, so I am particularly interested in what his
> position is on the issue.  Yes, I used "position" because the proof
> is not supposed to be released until manufacturers have a fix.  Based
> on prior experience, I am firmly in the camp that this is a real
> issue.  The point is that not many seem to be talking about the real
> issue of a class of exploits of device drivers that run on modifiable
> firmware.
>

You have probably heard by now that David Maynor has posted his paper
on remotely hacking a machine over WiFi.  Although entitled "OS X
Kernel-mode Exploitation in a Weekend", it makes Windows and Linux
vulnerable, but for some reason that isn't talked about in his
article.

http://uninformed.org/index.cgi?v=8&a=4

For those that went to Aaron Grothe's talk on MetaSploit Wednesday...
Maynor used the LORCON fuzzing tools and rewrote the entire attack in
Ruby on Rails for MetaSploit.

SlashDot Discussion:
http://apple.slashdot.org/article.pl?sid=07/09/19/0542242&from=rss
