Dailydave mailing list archives
Re: This guy cracks me up. (MindsX)
From: Alexander Sotirov <asotirov () determina com>
Date: Mon, 04 Sep 2006 19:24:33 -0700
John Gruber wrote:
>> 1) set up a netcat udp listener on the victim centrino box. (Why you actually need a listener is beyond me, but it seems to help)
>
> I don't understand what this means. Does it mean that the victim computer *must* be running a netcat udp listener for the attack to work? If so, how would this be exploited in the wild?
What this means is that you need a process on that target machine that listens on a UDP port. As Johnny later explained in his reply to Lyndon Sutherland, it is not clear why this is needed and it could simply be something that influences the timing of the race condition. In any case, you probably don't need a netcat UDP listener, any process that listens for UDP traffic will do. There are plenty of those: try netstat -aln | grep udp | grep '*.*'
>> 3) start flooding the victim machine with disassociation requests. A BSOD should follow very shortly.
>
> So this attack crashes the machine?
Most exploits are controlled crashes. When you are developing an exploit, usually you start by crashing the target and then you investigate what registers and memory locations you control. Writing a reliable exploit is harder than simply crashing the kernel, but a BSOD is sufficient to demonstrate the existence of a potential remote code execution vulnerability. Of course, the ability to crash a remote system is still an important security issue.
>> The reason this bug takes two cards to exploit is that the race condition you are trying to win seems to be so small that a single card can't win it.
>
> Who needs two cards -- the victim or the attacker?
The attacker needs two cards, because the two packets that cause the race condition need to be sent in very quick succession. A single card with standard drivers can't send the packets quickly enough.

Alex