March 6th, 2007

More on Maynor

Posted by Jason D. O'Grady @ 5:49 am

Categories: Airport, Hack, Security, WiFi

Tags:

Last summer, David Maynor announced an exploit for Mac OS X and Apple's AirPort drivers that would allow third party code to be run. The hack was proven to work, but became controversial when a third party wireless card and third party drivers were involved with the exploit.

Maynor since offered an apology for mistakes that he had made and offered a live demonstration of the MacBook Wi-Fi vulnerability at a Black Hat event in DC last month. Maynor also offered to release e-mail exchanges, crash/panic logs, loose notes and the exploit code used in the hack, which allowed third party code to be run over the wireless connection, as a means of clearing is name.

Maynor's first video has been scrutinized and it is now known that the first hack did not involve a third-party wireless card. It appears to be fraudulent. Check this video.

Here's what someone in the know wrote to me:

You can see from that screenshot that there are only 3 interfaces (Built-In Ethernet, FireWire, and Airport) (the bottom thing on the left says daves-computer, it's the shell prompt). There is no third party device.

So that's one "lie" from the video.

Secondly, he explicitly mentioned the IP address at the beginning of the video. Why did he do this? The bug that apple found and he claimed to find was exploited when searching for networks, he didn't have to be connected to one. Which means there was no reason whatsoever for him to list an IP address.

And as you noticed, that IP is for the built-in airport card, which also supports his assertion there was a third party card was a lie.

He also seems to imply that the Mac Book was already connected to the dell (and that's why it had the IP address)

The other issue is if you look at the video in full, you can see that he gets access to the currently logged in user's account. Since the airport drivers run in kernel space, actually getting a hack to run would give him root access. Yet he doesn't since he creates files on the desktop of the logged in user.

So why is him having an IP address important? Well, if his badseed script simply logs in via ssh on the Mac Book, then he'd be able to do everything he said. In order to ssh in, he'd have to have the Mac Book on the network at a predetermined location (and he does).

So I posit that the entire thing is fake and he logged into the Mac Book normally and created a few files via ssh.

It might have been done to promote Errata security for Maynor  and separately to promote Johnny Cache's upcoming book.

I'm not really sure why they did it. Just that so far there is no evidence to support the idea that they actually found an exploit. Especially since they've refused to display publicly the claims they made in the video.

I'm as sick of this story as you probably are, but wanted to pass along this new piece of analysis of the original video. Apple's Airport stack has since been patched. Does anyone even care about this any more?