John Gruber Writes About David Maynor -- Again

   21 September 2007, late morning

John Gruber has written what I assume will be his last post on the David Maynor Apple WiFi exploit story. Maynor has finally published a paper on the exploit, which outlines a kernel panic he found. I think Gruber’s criticism of Maynor back during the summer of 2006 was spot on. There were so many ways Maynor could have proven he had an exploit without disclosing too much information, yet he didn’t choose to pursue any of them. That’s his prerogative I suppose.

Let’s say I tell you I have in my pocket a frog that can recite the entire alphabet. You doubt it, and ask me to show you. I refuse. You ask me to show it to a trusted third party. I refuse.

A year later, I show you a frog who can recite the alphabet. That’s certainly something. But it doesn’t prove I had the frog in my pocket a year ago.

This post is a bit too bitter. The implication that Maynor didn't have a working exploit back in 2006 doesn't seem fair. The idea that he has been sitting at home trying to exploit an out-of-date version of Mac OS X seems a bit off to me. You don't get props for exploiting out-of-date operating systems. He also really has no reason to lie now. He didn't seem all too bothered by the criticism leveled against him over the past year or so, and it doesn't seem to have affected his standing in the security community. Though the Mac community may have felt he had something to prove, judging by his actions since 2006 he certainly didn't feel this was the case.

Maynor said that he had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack. The security researcher wouldn’t say who his NDA was with, but that agreement is no longer in force, allowing him to talk about the exploit. “I published it now because I can publish it now,” he said.

This strikes me as the most reasonable explanation for Maynor's silence. It is possible Maynor wanted to make everyone crazy, and so decided the best course of action was to say he had an exploit and then shut up. (That the story got as big as it did back in 2006, when it concerned an exploit that nobody outside the researchers had actually been shown, says a lot about the Mac community and the way people react to criticism. In 2006 Maynor had proven essentially nothing, yet people wouldn't stop talking about him.)

If Maynor didn’t have a working exploit back in 2006, I imagine it would relate to the following point:

Worth pointing out: Maynor’s paper describes an attack that leads to a kernel panic. He claims it can be exploited to instead inject code and, rather than crash, take over the machine — but this is not described in the paper.

While it is true that Maynor’s paper only describes an attack that leads to a kernel panic, it also discusses in a fair amount of detail how to proceed if you want to inject code. It’s possible Maynor had figured out how to get a kernel panic, but not a full exploit. However, reading the paper, it doesn’t seem like going from the panic to the exploit is too tricky. (Of course, I don’t really know that much about this sort of thing. Patrick can probably say more on the topic.)

The most promising avenue for getting execution can be found in a function named ath_copy_scan_results. This function uses the fields that are overwritten to copy memory.

As an initial test, the author overwrote every function pointer in the structure with a pattern such as 0x61413761 (or aA7a in ASCII, which is the typical Metasploit buffer padding pattern). A crash dump with an error message about failing to execute code at a bad address like 0x61413761 proves that remote code execution is theoretically possible.
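The test the paper describes is the standard first step from a panic towards code execution: flood the overflowed structure with a cyclic pattern in which every four-byte window is unique, then read the faulting address out of the crash report and look it up to learn which bytes of the frame land in the function pointer. The C program below is an added example written for this post, not code from Maynor's paper or from the Atheros driver: it generates the Metasploit-style pattern, simulates a driver record whose function-pointer slot sits at a made-up offset of 40 bytes (the real structure layout is not on this page), overwrites it with the pattern, and maps the value that would become the bad program counter back to an offset. One detail worth knowing when reading the paper's numbers: printed big-endian, the bytes of 0x61413761 are "aA7a", but stored as a little-endian word on an Intel Mac they sit in memory as "a7Aa", which is the sequence that actually occurs in the pattern (at offset 22), so that is what the lookup matches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generate the Metasploit-style cyclic pattern "Aa0Aa1Aa2...Zz9".
 * Every 4-byte window is unique for the first 20280 bytes, so a
 * 32-bit value found in a crash identifies one position in the
 * buffer. Returns the number of bytes written. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                if (n < len) out[n++] = u;
                if (n < len) out[n++] = l;
                if (n < len) out[n++] = d;
            }
    return n;
}

/* Given a 32-bit value from a crash (the address the kernel tried to
 * jump to), find where those bytes sit in the pattern. The value is
 * decoded as a little-endian word, as an Intel Mac would have stored
 * it. Returns -1 if the four bytes do not occur in the pattern. */
long pattern_offset(const char *pat, size_t len, uint32_t value)
{
    unsigned char needle[4];
    needle[0] = (unsigned char)(value & 0xff);
    needle[1] = (unsigned char)((value >> 8) & 0xff);
    needle[2] = (unsigned char)((value >> 16) & 0xff);
    needle[3] = (unsigned char)((value >> 24) & 0xff);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Hypothetical record layout for the demonstration: 40 bytes of
 * ordinary fields followed by a 4-byte function-pointer slot. This is
 * NOT the real driver structure; the offset is an assumption. */
#define REC_SIZE 48
#define FPTR_OFF 40

/* Simulate the driver copying an attacker-controlled blob into the
 * record with no length check, so the copy runs past the ordinary
 * fields and into the function-pointer slot. Returns the word that
 * would be loaded into the program counter when the driver later
 * calls through that pointer. Decoded little-endian by hand so the
 * result does not depend on the host's byte order. */
uint32_t overwrite_and_read_fptr(const char *blob, size_t blob_len)
{
    unsigned char rec[REC_SIZE];
    memset(rec, 0, sizeof rec);
    /* The "bug": the copy is bounded by the record, not by the
     * fields the caller is allowed to write. */
    memcpy(rec, blob, blob_len < REC_SIZE ? blob_len : REC_SIZE);
    return (uint32_t)rec[FPTR_OFF]
         | (uint32_t)rec[FPTR_OFF + 1] << 8
         | (uint32_t)rec[FPTR_OFF + 2] << 16
         | (uint32_t)rec[FPTR_OFF + 3] << 24;
}

int main(void)
{
    char pat[256];
    size_t n = pattern_create(pat, sizeof pat);

    /* The value quoted in the paper, looked up as a crash address. */
    printf("0x61413761 -> pattern offset %ld\n",
           pattern_offset(pat, n, 0x61413761));

    /* Overflow the simulated record and recover the offset of the
     * bytes that reached the function-pointer slot. */
    uint32_t pc = overwrite_and_read_fptr(pat, n);
    printf("bad PC 0x%08x -> pattern offset %ld (slot at %d)\n",
           pc, pattern_offset(pat, n, pc), FPTR_OFF);
    return 0;
}
```

In a real crash you would read the bad address from the panic log rather than from a simulated record; everything else, including the little-endian decode, is the same. A non-pattern value such as 0x41414141 returns -1 from the lookup, which is the signal that the pointer was overwritten by something other than your padding (or not overwritten at all).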

As Gruber himself said:

This entire saga boils down to one simple question: Have Maynor and Ellch discovered a vulnerability against MacBooks using Apple’s built-in AirPort cards and drivers?

The answer looks to be yes, but as of today this is really only of interest in an academic sense.
