Home & Office

MacBook exploit in circulation?

An anonymous blogger claims he/she was able to monitor the network at CanSecWest security conference and snag a full packet capture of the MacBook hijack contest.
Written by Ryan Naraine, Contributor

Rumors are flying that Dino Dai Zovi's MacBook Pro exploit has been swiped and is making the rounds online.

An anonymous blogger claims he/she was able to monitor the network at CanSecWest security conference and snag a full packet capture of the contest, which pitted hackers against two new MacBook Pro machines

Any researcher who was not at CanSecWest could have spent their day today figuring out the exact issue used. Any researcher who was at CanSecWest could have easily monitored the network and discovered the vulnerability themselves. I did just that today and while I had the advantage of a full packet capture of the entire contest I was also able to confirm the vulnerability with good 'ol fashioned vulnerability research.

Matasano Security's Thomas Ptacek is quoting "multiple credible sources" as saying that the two CanSecWest MacBooks were exposed to an unprotected wireless network, and that raw packet captures of the successful exploit where sniffed and taken by unknown parties. 

Ptacek however stressed that his information is unconfirmed.

A CanSecWest organizer responded to Ptacek with the following:

Someone may have reverse-engineered the vulnerability but they didn’t pull it off the network there. The network was very simple: a WAP that was connected to a hub and to the router to provide Internet access. The Macs sat on the hub and the only other systems on there were the ones we used to monitor the network to ensure rules were followed and then K2’s when he ran the exploit. The WAP was routing traffic from the hub to the Internet, not sending it out over the wireless network.

We were sniffing the traffic on the wireless network and would have noticed if it had been getting traffic from the wired side.

Y’all know routing & switching protocols well enough to know that traffic destined for the Internet wouldn’t end up on the pocket wireless network. The AP doesn’t have enough smarts to mess up routing that way unless someone owned it (which is admittedly possible).

The point is, no one sitting on the wireless network would have been able to sniff the traffic from the wired network to the Internet.

TippingPoint's Zero Day Initiative, the company that bought the rights to the vulnerability information from Dai Zovi, has added the "CanSecWest Mac Hack" to its list of upcoming advisories.  

I have independenly confirmed that Apple has been fully notified of all the details of the bug, including the exploit code and is working on producing a patch.

In the meantime, Matasano's Ptacek has the best advice:  

Stop living dangerously, right now. Turn Java off in your browser...

There's a difference between the exploit being captured and the exploit being successfully hosted by attackers in the wild. Even so, this is a particularly virulent problem. It affects every mainstream browser on every mainstream desktop platform -- possibly excepting Vista. Disable Java in your browser until you’ve received a patch...

if this exploit has leaked to the wild, it is very important that you update your browser configuration.

Editorial standards