August 21st, 2014

DefconBots rules announced

For those interested in competing in the DEFCON robotics challenge, the new rules have been posted. It looks like the competition is similar to last year’s, with some minor enhancements. The basic idea is to build a robotic gun that can take down small targets autonomously. Looks like fun; maybe I’ll slap together the airsoft gun and the servos I bought for last year’s competition. :) Any MRL people interested in helping out, let me know.

More wireless vulns

As expected, a couple more wireless driver vulnerabilities have been released as part of the Month of Kernel Bugs (MoKB). A good description and FAQ for the Broadcom vulnerability are available here. The exploit was written by Johnny Cache, and here is the Metasploit module that HD Moore ported from it.

The second vulnerability is in the driver for the D-Link DWL-G132. The usual suspects were involved, and the Metasploit module is here. The MoKB post has details and download links for the patched driver versions.

p.s. Sorry about the lack of posts this week; I’ve been travelling and haven’t had much spare time. Maybe this weekend, as I go through my RSS backlog, I’ll have a few new posts.

Wireless USB makes airplanes disappear

Wireless USB, the USB consortium’s answer to the rat’s nest of cables behind a typical PC, has been in the news a lot lately as products begin to roll out. Wireless USB uses a technology known as ultra-wideband (UWB) radio to reach the 480 Mbit/s of throughput required by the top tier of the spec, and UWB seems to have some problems of its own.

NASA’s Langley Research Center did some testing with United Airlines on a 737 back in 2002 to see whether UWB transmitters could interfere with the aircraft’s electronics. After setting up the test rig and trying some of the cockpit units with no effect, they tried the TCAS unit, with these results:

The “ATC Fail” indicator lamp on the cockpit display panel illuminated, and airplane targets disappeared from the TCAS display when the UWB signal source was turned ON.

You’re probably wondering what the TCAS display is. TCAS is the Traffic Collision Avoidance System; in layman’s terms, it’s the computer that keeps the pilot from flying into other planes. There’s a little picture of your plane and little pictures showing where the other planes are, and, just like in Tron, when the two touch it’s very, very bad. When the RF testing group says things like “airplane targets disappeared from the TCAS display,” meaning the pilot is suddenly unaware of the other planes, it gives the manufacturer’s insurer a serious case of the heebie-jeebies.

This kind of evidence muddies the waters in the binary-blob debate the OpenBSD folks are having with the wireless vendors. Implementing 802.11 is hard, really hard. There are all these timers and responses you have to honor while associated with a BSS, and having the host processor do all of it can eat quite a few cycles. So most of the wireless chipset vendors decided to do it in firmware on a coprocessor (the so-called “hard MAC” approach), which means that once that firmware is reverse engineered or replaced, the guts of the radio become fair game for hackers.

Now, when hackers start screwing around with the inner workings of things like software-controlled radios, they can make them do some pretty bizarre things. Some of those things may or may not be FCC compliant, so the wireless chipset vendors get nervous when the OpenBSD guys do things like publish reverse-engineered specs for the baseband MAC in Intel’s wireless chipset. Say, for example, that we were using those specs to do some WEP cracking on an international flight. If the frame injector was driving the radio with custom firmware, and the radio started emitting things the airplane’s electronics didn’t like, there’s no end to the bad things that could happen to the airplane.

An actual wi-fi driver vulnerability

Well, it looks like the Month of Kernel Bugs is starting off well, with an actual Apple wi-fi driver vuln. This is pretty interesting, since it’s been several months since the David Maynor/Johnny Cache/SecureWorks/Apple “is the vuln real or a hoax” debacle that’s been all over the news got started. I was pretty disappointed that they didn’t give their talk at ToorCon this year; it certainly would have been interesting. Johnny Cache doesn’t try to hide (well, maybe a little) the fact that he’s not happy with the current situation. I find it funny how polarized everyone is on the subject. Certainly this will help clear up the technical side of things, but releasing an exploit for an unpatched vulnerability isn’t exactly the way to make everyone friends again. I’m sensing another maclash (you know, like a backlash from mac-heads) on the horizon.

A post from HD Moore on the full-disclosure list shows this has already hit the news in a few places.

The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution.

Here’s a link to the Metasploit module. Per HD’s post, the driver is only exposed while the card is actively scanning, but since the issue is unpatched so far, going wired (or just turning the AirPort card off) for a while probably isn’t a bad idea. ;) I’m guessing this isn’t the last wi-fi driver bug we’ll see this month.
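As an added illustration of the bug class HD’s post describes (this is not Apple’s driver code and not the Metasploit module, neither of which the page shows), here is a toy parser for the body of an 802.11 probe response, with a version that trusts the over-the-air length byte beside a version that checks it. The fixed-field and information-element layout follows 802.11; the scan_result structure, the function names and the two sample frames are constructed for this example, and the real Apple flaw may be in a different field entirely. The point is the check pattern a driver needs before copying anything a remote station sent.

```c
/* Added example, not code from the page: a hypothetical probe-response body
 * parser showing the unchecked-length bug class beside its hardened form. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID       0
#define IE_SUPP_RATES 1
#define SSID_MAX      32   /* 802.11 limits an SSID to 32 octets */
#define RATES_MAX     8
#define FIXED_LEN     12   /* timestamp(8) + beacon interval(2) + capability(2) */

struct scan_result {
    uint16_t beacon_interval;
    uint16_t capability;
    char     ssid[SSID_MAX + 1];
    uint8_t  ssid_len;
    uint8_t  rates[RATES_MAX];
    uint8_t  n_rates;
};

/* VULNERABLE (hypothetical): trusts the length byte of each element.  A probe
 * response whose SSID element claims len > 32 makes memcpy() write past
 * ssid[], and the loop can also read past the end of the frame.  Only ever
 * call this on the benign frame below. */
int parse_probe_resp_unsafe(const uint8_t *body, size_t n, struct scan_result *out)
{
    size_t off = FIXED_LEN;
    memset(out, 0, sizeof *out);
    out->beacon_interval = (uint16_t)(body[8] | (body[9] << 8));
    out->capability      = (uint16_t)(body[10] | (body[11] << 8));
    while (off + 2 <= n) {
        uint8_t id = body[off], len = body[off + 1];
        const uint8_t *data = body + off + 2;
        if (id == IE_SSID) {
            memcpy(out->ssid, data, len);       /* no check against SSID_MAX */
            out->ssid_len = len;
        } else if (id == IE_SUPP_RATES) {
            memcpy(out->rates, data, len);      /* no check against RATES_MAX */
            out->n_rates = len;
        }
        off += 2 + len;                         /* can overshoot n */
    }
    return 0;
}

/* HARDENED: each element length is checked against the bytes actually left
 * in the frame and against the element's legal maximum before any copy.
 * Returns 0 on success, -1 if the frame is malformed and must be dropped. */
int parse_probe_resp_safe(const uint8_t *body, size_t n, struct scan_result *out)
{
    size_t off = FIXED_LEN;
    if (n < FIXED_LEN) return -1;               /* fixed fields missing */
    memset(out, 0, sizeof *out);
    out->beacon_interval = (uint16_t)(body[8] | (body[9] << 8));
    out->capability      = (uint16_t)(body[10] | (body[11] << 8));
    while (off < n) {
        uint8_t id, len;
        const uint8_t *data;
        if (n - off < 2) return -1;             /* truncated element header */
        id = body[off]; len = body[off + 1];
        data = body + off + 2;
        if (len > n - off - 2) return -1;       /* element overruns the frame */
        if (id == IE_SSID) {
            if (len > SSID_MAX) return -1;
            memcpy(out->ssid, data, len);
            out->ssid[len] = '\0';
            out->ssid_len = len;
        } else if (id == IE_SUPP_RATES) {
            if (len == 0 || len > RATES_MAX) return -1;
            memcpy(out->rates, data, len);
            out->n_rates = len;
        }
        off += 2 + len;   /* unknown/vendor elements are skipped by length */
    }
    return 0;
}

/* Constructed frames, not real captures.  Benign: SSID "lab", four rates. */
const uint8_t benign_frame[] = {
    0,0,0,0,0,0,0,0,            /* timestamp */
    0x64,0x00,                  /* beacon interval = 100 TU */
    0x01,0x00,                  /* capability: ESS */
    IE_SSID, 3, 'l','a','b',
    IE_SUPP_RATES, 4, 0x82,0x84,0x8b,0x96,
};
/* Malformed: the SSID element claims 255 octets but only 4 are present. */
const uint8_t malformed_frame[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00,
    IE_SSID, 0xff, 'A','A','A','A',
};

/* Wrappers: the ssid_len a parser extracted, or -1 if it rejected the frame. */
int hardened_ssid_len(const uint8_t *body, size_t n)
{
    struct scan_result r;
    return parse_probe_resp_safe(body, n, &r) == 0 ? r.ssid_len : -1;
}
int unsafe_ssid_len(const uint8_t *body, size_t n)
{
    struct scan_result r;
    return parse_probe_resp_unsafe(body, n, &r) == 0 ? r.ssid_len : -1;
}

int main(void)
{
    printf("unsafe on benign:    ssid_len=%d\n", unsafe_ssid_len(benign_frame, sizeof benign_frame));
    printf("safe on benign:      ssid_len=%d\n", hardened_ssid_len(benign_frame, sizeof benign_frame));
    printf("safe on malformed:   %d (rejected)\n", hardened_ssid_len(malformed_frame, sizeof malformed_frame));
    return 0;
}
```

The hardened parser rejects the malformed frame before touching any buffer; the unsafe one, fed the same frame, would copy 255 bytes over a 33-byte field, which is exactly the shape of “a malformed probe response frame can be used to corrupt internal kernel structures.”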
