[Dailydave] This guy cracks me up. (MindsX)

Alexander Sotirov asotirov at determina.com
Mon Sep 4 21:24:33 EST 2006


John Gruber wrote:
>>   1) set up a netcat udp listener on the victim centrino
>>   box. (Why you actually need a listener is beyond me, but
>>   it seems to help)
> 
> I don't understand what this means. Does it mean that the victim
> computer *must* be running a netcat udp listener for the attack to
> work? If so, how would this be exploited in the wild?

What this means is that you need a process on that target machine that listens
on a UDP port. As Johnny later explained in his reply to Lyndon Sutherland, it
is not clear why this is needed and it could simply be something that influences
the timing of the race condition. In any case, you probably don't need a netcat
UDP listener, any process that listens for UDP traffic will do. There are plenty
of those: try netstat -aln | grep udp | grep '*.*'

>>   3) start flooding the victim machine with disassociation
>>   requests. A BSOD should follow very shortly.
> 
> So this attack crashes the machine?

Most exploits are controlled crashes. When you are developing an exploit,
usually you start by crashing the target and then you investigate what registers
and memory locations you control. Writing a reliable exploit is harder than
simply crashing the kernel, but a BSOD is sufficient to demonstrate the
existence of a potential remote code execution vulnerability. Of course, the
ability to crash a remote system is still an important security issue.

>>   The reason this bug takes two cards to exploit is that the
>>   race condition you are trying to win seems to be so small
>>   that a single card can't win it.
> 
> Who needs two cards -- the victim or the attacker?

The attacker needs two cards, because the two packets that cause the race
condition need to be sent in very quick succession. A single card with standard
drivers can't send the packets quickly enough.


Alex
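
The frames that step 3 of the quoted recipe floods the victim with are ordinary 802.11 disassociation management frames. What follows is an added example in Python, not code from this thread or from the Centrino driver research it discusses: it builds such a frame according to the IEEE 802.11 management-frame layout, parses it back, and runs a simple rate-based detector over a constructed capture to flag the flood. The MAC addresses, the timestamps and the threshold of ten frames per sliding one-second window are assumptions made for the example. It transmits nothing over the air and says nothing about the race condition itself, which the thread does not describe.

```python
# Added example (not from the original post): 802.11 disassociation frame
# builder/parser plus a rate-based flood detector over a constructed capture.
import struct
import zlib
from collections import defaultdict

# Frame-control subtype values for type=0 (management) frames.
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
MGMT_SUBTYPES = {SUBTYPE_DISASSOC: "disassoc", SUBTYPE_DEAUTH: "deauth"}
# Reason code 8: "disassociated because sending STA is leaving (or has left) BSS".
REASON_STA_LEAVING = 8

# Constructed addresses for the sample capture (assumptions, not from the thread).
AP = "00:13:10:aa:bb:cc"
VICTIM = "00:16:6f:11:22:33"


def mac_bytes(mac):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC: %s" % mac)
    return bytes(int(p, 16) for p in parts)


def fmt_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_disassoc(da, sa, bssid, seq, reason=REASON_STA_LEAVING, with_fcs=False):
    """FC(2) Dur(2) DA(6) SA(6) BSSID(6) SeqCtl(2) Reason(2) [FCS(4)], all little-endian.
    SeqCtl carries the 12-bit sequence number in its high bits, fragment number 0 low."""
    fc = bytes([(SUBTYPE_DISASSOC << 4) | (0 << 2) | 0, 0x00])  # subtype, type=mgmt, ver 0; no flags
    frame = fc + struct.pack("<H", 0)                             # duration/ID
    frame += mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid)
    frame += struct.pack("<H", (seq & 0x0FFF) << 4)               # sequence control
    frame += struct.pack("<H", reason)                            # frame body
    if with_fcs:
        # FCS is IEEE CRC-32 over the whole frame, sent LSB first.  Off by default
        # because injection drivers normally append it themselves (assumption).
        frame += struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)
    return frame


def fcs_ok(frame):
    """True if the trailing 4 bytes are a valid FCS for the bytes before them."""
    if len(frame) < 28:
        return False
    return frame[-4:] == struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)


def parse_mgmt(frame):
    """Decode the 24-byte management header (frame without FCS) and, for
    disassoc/deauth, the 2-byte reason code that follows it."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 management header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = (fc0 >> 4) & 0xF
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    info = {
        "subtype": MGMT_SUBTYPES.get(subtype, "0x%x" % subtype),
        "da": fmt_mac(frame[4:10]), "sa": fmt_mac(frame[10:16]), "bssid": fmt_mac(frame[16:22]),
        "seq": seq_ctl >> 4, "frag": seq_ctl & 0xF,
    }
    if subtype in MGMT_SUBTYPES and len(frame) >= 26:
        (info["reason"],) = struct.unpack_from("<H", frame, 24)
    return info


def detect_disassoc_flood(capture, window_s=1.0, threshold=10):
    """Return {sender: peak count} for every source address that sent more than
    `threshold` disassoc/deauth frames inside any `window_s` sliding window.
    `capture` is an iterable of (timestamp_seconds, raw_frame_without_fcs)."""
    per_sender = defaultdict(list)
    for ts, raw in capture:
        try:
            info = parse_mgmt(raw)
        except ValueError:
            continue  # data/control frames and runts are not interesting here
        if info["subtype"] in MGMT_SUBTYPES.values():
            per_sender[info["sa"]].append(ts)
    flagged = {}
    for sa, stamps in per_sender.items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[sa] = peak
    return flagged


def sample_capture():
    """Constructed capture: one legitimate disassoc from the AP at t=0, one from a
    second AP at t=10, and 200 frames spoofing the AP's address 2 ms apart at t=5."""
    other_ap = "00:13:10:dd:ee:ff"
    cap = [(0.0, build_disassoc(VICTIM, AP, AP, seq=1)),
           (10.0, build_disassoc(VICTIM, other_ap, other_ap, seq=7))]
    cap += [(5.0 + i * 0.002, build_disassoc(VICTIM, AP, AP, seq=(100 + i) & 0xFFF))
            for i in range(200)]
    return cap


if __name__ == "__main__":
    print(detect_disassoc_flood(sample_capture()))  # {'00:13:10:aa:bb:cc': 200}
```

The detector cannot see the race the thread is about, only the flood that tries to win it; but a burst of disassociation frames carrying an AP's own address is cheap to spot from a monitor-mode capture, and sequence-number discontinuities between the spoofed frames and the real AP's traffic are the next thing to look at.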

