Dailydave mailing list archives

Re: This guy cracks me up. (MindsX)


From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 04 Sep 2006 19:24:33 -0700

John Gruber wrote:
  1) set up a netcat udp listener on the victim centrino
  box. (Why you actually need a listener is beyond me, but
  it seems to help)

I don't understand what this means. Does it mean that the victim
computer *must* be running a netcat udp listener for the attack to
work? If so, how would this be exploited in the wild?

What this means is that you need a process on that target machine that listens
on a UDP port. As Johnny later explained in his reply to Lyndon Sutherland, it
is not clear why this is needed and it could simply be something that influences
the timing of the race condition. In any case, you probably don't need a netcat
UDP listener; any process that listens for UDP traffic will do. There are plenty
of those: try netstat -aln | grep udp | grep '*.*'

  3) start flooding the victim machine with disassociation
  requests. A BSOD should follow very shortly.

So this attack crashes the machine?

Most exploits are controlled crashes. When you are developing an exploit,
usually you start by crashing the target and then you investigate what registers
and memory locations you control. Writing a reliable exploit is harder than
simply crashing the kernel, but a BSOD is sufficient to demonstrate the
existence of a potential remote code execution vulnerability. Of course, the
ability to crash a remote system is still an important security issue.

  The reason this bug takes two cards to exploit is that the
  race condition you are trying to win seems to be so small
  that a single card can't win it.

Who needs two cards -- the victim or the attacker?

The attacker needs two cards, because the two packets that cause the race
condition need to be sent in very quick succession. A single card with standard
drivers can't send the packets quickly enough.


Alex
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
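The mail above says the precondition is simply "some process listening on a UDP port" and points at netstat -aln to find them. The script below is an added example, not code from the original thread or from anyone on the list: it parses the lines netstat -aln prints and returns the UDP sockets bound to all interfaces, so an administrator can inventory which wildcard UDP listeners a host exposes. The sample netstat output embedded in it is constructed, and it handles both the BSD/macOS column layout (`*.68`) and the Linux layout (`0.0.0.0:68`), which goes slightly beyond the single grep in the mail.

```python
"""
Inventory UDP sockets bound to all interfaces from `netstat -aln` output.

Added example, not from the original mail. The sample output below is
constructed, not captured from a real host.
"""
import re

# Constructed sample of BSD/macOS-style `netstat -aln` output.
SAMPLE_BSD = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.68                   *.*
udp4       0      0  127.0.0.1.123          *.*
udp4       0      0  *.5353                 *.*
"""

# Constructed sample of Linux-style `netstat -aln` output.
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 :::5353                 :::*
"""

# Local-address hosts that mean "every interface" in the two layouts.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}


def _split_addr(addr):
    """Split a netstat local-address token into (host, port).

    BSD joins host and port with a dot ('*.68', '127.0.0.1.123'),
    Linux with a colon ('0.0.0.0:68', ':::5353'). The port is always
    the trailing field, so split on the last dot or colon.
    """
    m = re.match(r"^(.*)[.:](\*|\d+)$", addr)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def udp_listeners(netstat_output):
    """Return (proto, host, port) for each UDP socket bound to all interfaces.

    Lines that are not UDP rows (headers, TCP rows) are skipped, as are
    UDP sockets bound to a specific address such as loopback.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        host, port = _split_addr(fields[3])
        if port is None or port == "*":
            continue
        if host in WILDCARD_HOSTS:
            found.append((fields[0], host, int(port)))
    return found


if __name__ == "__main__":
    # Run against the constructed samples; on a real host, feed in the
    # output of `netstat -aln` instead.
    for name, sample in (("BSD", SAMPLE_BSD), ("Linux", SAMPLE_LINUX)):
        print(name, udp_listeners(sample))
```

On a live system, pipe the real output in (for example `subprocess.run(["netstat", "-aln"], capture_output=True, text=True).stdout`) and compare the result against the list of services the host is supposed to expose; anything unexpected is a candidate for removal regardless of this particular bug.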