OpenBSD Journal

The BLOB Strikes Back

Contributed by mbalmer on from the stop-whining-you-ve-been-warned dept.

Robert McMillan of IDG News Services reports on InfoWorld a scenario we have been warning about since the 3.9 release of OpenBSD:

Security researchers hacked a binary only Wi-Fi driver (we call it blob) to breach a laptop.

One of many flaws found [in a binary only driver] allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver [blob].

"Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver."

Well, ... this time it was the researchers, ... next time it's going to be the script kiddies.

Read the full article at http://www.infoworld.com/article/06/06/21/79536_HNwifibreach_1.html



Comments
  1. By Anonymous Coward (84.188.230.151) on

    Well and if YOU are interested to let such users pay the bills for the blobs they're using... *just joking*

    http://www.802.11mercenary.net/lorcon/

    ;-))

  2. By Anonymous Coward (65.95.243.231) on

    Well, everyone start sprucing up the <a href="http://en.wikipedia.org/wiki/binary_blob">binary blob article on Wikipedia</a>, so people get a better shake of what risks they run when using binary-only stuff.

    Comments
    1. By Anonymous Coward (84.188.230.151) on

      > Well, everyone start sprucing up the binary blob article on Wikipedia, so people get a better shake of what risks they run when using binary-only stuff.

      "Normal" people won't listen to you because they simply "don't care". They'll start listening to you if something happens...

      p.s. Next time use HTML for the binary blob article on Wikipedia ;)

  3. By Anonymous Coward (70.109.50.2) on

    For years, folks like many of the OpenBSD committers have been trying to explain to the world that a big fat hastily-ported binary from some vendor that's linked into your kernel and running with full privileges is a really bad idea for security. And the mainstream press, even technical people who should know better, blew it off as a "theoretical" problem.

    Now there's a worked example of an exploit. It's now practice.

    Having this around will help add real-world weight to arguments against blobs.

    Comments
    1. By Anonymous Coward (203.113.233.137) on

      > For years, folks like many of the OpenBSD committers have been trying to explain to the world that a big fat hastily-ported binary from some vendor that's linked into your kernel and running with full privileges is a really bad idea for security. And the mainstream press, even technical people who should know better, blew it off as a "theoretical" problem.
      >
      > Now there's a worked example of an exploit. It's now practice.
      >
      > Having this around will help add real-world weight to arguments against blobs.



      like i said before
      "as if put some blob from some vendor into the obsd kernel"

  4. By Anonymous Coward (202.6.138.34) on

    Call me crazy, but that article does not actually mention anything about proprietary drivers.

    many examples of wireless device driver flaws

    This could mean blobby and/or non-blobby drivers. Anyone actually know which drivers on which systems are affected?

    Comments
    1. By Anonymous Coward (84.188.230.151) on

      > Call me crazy, but that article does not actually mention anything about proprietary drivers.
      >
      > many examples of wireless device driver flaws
      >
      > This could mean blobby and/or non-blobby drivers. Anyone actually know which drivers on which systems are affected?

      They wanna release it at the BlackHat-Conference...

      Comments
      1. By Anonymous Coward (202.6.138.34) on

        > They wanna release it at the BlackHat-Conference...

        So the article submitter has some insider knowledge?

        Comments
        1. By Anonymous Coward (84.188.230.151) on

          > > They wanna release it at the BlackHat-Conference...
          >
          > So the article submitter has some insider knowledge?

          Don't we all know some birds which talk to us? ;) ;)

          In other words: Yes, seems like this... :)

          Comments
          1. By Anonymous Coward (84.188.230.151) on

            > > > They wanna release it at the BlackHat-Conference...
            > >
            > > So the article submitter has some insider knowledge?
            >
            > Don't we all know some birds which talk to us? ;) ;)
            >
            > In other words: Yes, seems like this... :)


            Damn, I forgot something:
            They made mostly all tests with the tool I've mentioned in the first answer to this Thread.

        2. By Joachim Schipper (82.157.194.81) on

          > > They wanna release it at the BlackHat-Conference...
          >
          > So the article submitter has some insider knowledge?

          No, this was announced on the security list Full-Disclosure; and, at least, also in the linked article on InfoWorld. It's pretty much a complete copy, with 'see? Blobs are evil' attached.

          Not that there's anything wrong with that - after all, this bears repeating - but one does not need insider knowledge to do so.

          Joachim

          Comments
          1. By Anonymous Coward (202.6.138.34) on

            > > > They wanna release it at the BlackHat-Conference...
            > >
            > > So the article submitter has some insider knowledge?
            >
            > No, this was announced on the security list Full-Disclosure; and, at
            > least, also in the linked article on InfoWorld. It's pretty much a
            > complete copy, with 'see? Blobs are evil' attached.

            I was referring to whether the submitter knew that the drivers in question were binary only, not about this being announced at the BlackHat conference.

            The BlackHat agenda doesn't say they're blobs either.
            http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Ellch

          2. By Anonymous Coward (217.12.147.5) on

            > > > They wanna release it at the BlackHat-Conference...
            > >
            > > So the article submitter has some insider knowledge?
            >
            > No, this was announced on the security list Full-Disclosure; and, at least, also in the linked article on InfoWorld. It's pretty much a complete copy, with 'see? Blobs are evil' attached.

            Could you please provide some links? 'cause I can't find anything...

            Comments
            1. By Anonymous Coward (64.231.233.53) on

              > Could you please provide some links? 'cause I can't find anything...

              http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047298.html

              At this point it looks like there's no published proof that the affected drivers were blobs, but how many brain cells does one need to rub together to figure out that they were?

              We'll see, I guess.

              Comments
              1. By SH (82.182.103.172) on

                > > Could you please provide some links? 'cause I can't find anything...
                >
                > http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047298.html

                That post is just a rehash+copy of the InfoWorld article. Like the grandparent poster, I looked for a post made by the researcher themselves at full-disclosure, but came up empty-handed ;-)

                > At this point it looks like there's no published proof that the affected drivers were blobs, but how many brain cells does one need to rub together to figure out that they were?

                From the article it appears that at least one Windows driver has exploitable bugs, but one cannot draw the conclusion that the researchers only found exploitable bugs in blobs.

    2. By Nick Holland (68.43.117.34) nick@holland-consulting.net on

      1) There don't seem to be many non-binary wireless drivers left on OSs other than OpenBSD. I'm not aware of any Windows drivers distributed in source form. If most of the holes in question were in source-available drivers, I'd guess the headline would be somewhat different than it is. So..it's a safe guess.

      2) (much more relevant): the point isn't that binary blobs are "automatically insecure", but that they can not be supported, fixed, improved, or audited by developers or others (yes, 3.9 CD case was handy..and I'm only covering the directly security-related issues). You got a bug in your blob? Hope someone else cares, because you and the OS developers can't do a thing about it.

      Comments
      1. By Anonymous Coward (84.188.237.47) on

        > 1) There don't seem to be many non-binary wireless drivers left on OSs other than OpenBSD. I'm not aware of any Windows drivers distributed in source form. If most of the holes in question were in source-available drivers, I'd guess the headline would be somewhat different than it is. So..it's a safe guess.
        >
        > 2) (much more relevant): the point isn't that binary blobs are "automatically insecure", but that they can not be supported, fixed, improved, or audited by developers or others (yes, 3.9 CD case was handy..and I'm only covering the directly security-related issues). You got a bug in your blob? Hope someone else cares, because you and the OS developers can't do a thing about it.

        PLUS: Most customers are NOT aware of that.
        If I set up an OpenBSD for my aunt to have an Internet-PC (Browsing, Printing, Writing..foo (as example)) I hope that OpenBSD-Developers do a good job and if they find a mistake they'll correct it.

        If I set up a Windows XP with a binary-driver I don't expect that she'll look every week for a new driver or care about "holes" she simply does not understand.

        On an OpenBSD updating is easy... cvs and can get automated *f.e. every 2 weeks in background*. :)

        On Windows.. well.. pls don't expect that I would like to watch the driver-version so much and if it bumps I won't jump high to the sky and cry "god damn UPDATE UPDATE UPDATE"...

        Another disadvantage is that most binary drivers DON'T tell you in the changelog that they fixed some holes... *my experience*


        So I suspect Holes in Windows, Linux, Solaris maybe and FreeBSD.. or in general: All OSs which may use binary-only drivers.

        Comments
        1. By Anonymous Coward (203.113.233.137) on

          > > 1) There don't seem to be many non-binary wireless drivers left on OSs other than OpenBSD. I'm not aware of any Windows drivers distributed in source form. If most of the holes in question were in source-available drivers, I'd guess the headline would be somewhat different than it is. So..it's a safe guess.
          > >
          > > 2) (much more relevant): the point isn't that binary blobs are "automatically insecure", but that they can not be supported, fixed, improved, or audited by developers or others (yes, 3.9 CD case was handy..and I'm only covering the directly security-related issues). You got a bug in your blob? Hope someone else cares, because you and the OS developers can't do a thing about it.
          >
          > PLUS: Most customers are NOT aware of that.
          > If I set up an OpenBSD for my aunt to have an Internet-PC (Browsing, Printing, Writing..foo (as example)) I hope that OpenBSD-Developers do a good job and if they find a mistake they'll correct it.
          >
          > If I set up a Windows XP with a binary-driver I don't expect that she'll look every week for a new driver or care about "holes" she simply does not understand.
          >
          > On an OpenBSD updating is easy... cvs and can get automated *f.e. every 2 weeks in background*. :)
          >
          > On Windows.. well.. pls don't expect that I would like to watch the driver-version so much and if it bumps I won't jump high to the sky and cry "god damn UPDATE UPDATE UPDATE"...
          >
          > Another disadvantage is that most binary drivers DON'T tell you in the changelog that they fixed some holes... *my experience*
          >
          >
          > So I suspect Holes in Windows, Linux, Solaris maybe and FreeBSD.. or in general: All OSs which may use binary-only drivers.



          You can use automatic updates in windows and use hardware that has its drivers published there

          Comments
          1. By tedu (69.12.168.114) on


            > You can use automatic updates in windows and use hardware that has its drivers published there

            where is the list of drivers updated by windows update?

  5. By EN (83.248.138.152) en@openbsd.nu on http://www.openbsd.nu

    "The OpenBSD way" is about to pay off in that direction too!
    Switching from Linux to OpenBSD was the right move after all.

    Comments
    1. By Anonymous Coward (85.112.75.252) on

      We told you so, just doesn't make it quiet enough :)

    2. By Anonymous Coward (151.188.0.249) on

      > "The OpenBSD way" is about to pay off in that direction too!
      > Switching from Linux to OpenBSD was the right move after all.

      Actually, GNU/Linux really isn't a bad system to use, and it beats the hell out of what I used to use (MS Windows). I've been using it for years on laptops (usually Slackware, which uses an unpatched www.kernel.org kernel), and I do not allow any blobs or other non-Free software on my systems. This is, to be sure, thanks to the OpenBSD project who has found out which wireless chipsets have publicly-released programming specs, and for which I have been able to determine the drivers do not use blobs. Yes, I'm still on 802.11b, but it does the job very nicely for me, so I personally don't need to upgrade to 802.11g at this time.

      Thus, GNU/Linux is actually being helped significantly by the OpenBSD project's vigilance. Thank you, Theo and crew.

      A co-worker used to run OpenBSD on his personal laptop until very recently. The problem was that the PCMCIA slots finally went bad, and there is no integrated NIC of any sort (it's an older box). I was inspired enough by his example that I will investigate this myself, provided that OpenOffice.org and Ximian/Novell Evolution--both of which I absolutely need for work--are available for OpenBSD. If they are, then I'm all over it.

      Comments
      1. By Anonymous Coward (199.18.139.126) on

        ..."provided that OpenOffice.org and Ximian/Novell Evolution--both of which I absolutely need for work"...
        No and yes. KOffice is available, as well as xlhtml, which converts Excel documents to html tables.

  6. By Anonymous Coward (84.188.237.47) on

    Sorry for that but I've a generic question.

    VIA and others often release new Chipset-Drivers... which may speed up some stuff and co.
    Do the OpenBSD-Developers improve such Drivers too?!

    And some very offtopic: VIA enables HOT-Plug SATA for even older Chipsets. Why doesn't OpenBSD provide at least Hotplug SATA if it's NOT the root-Disk?!

    Comments
    1. By tedu (71.139.166.59) on

      > VIA and others often release new Chipset-Drivers... which may speed up some stuff and co.
      > Do the OpenBSD-Developers improve such Drivers too?!

      of course.

      > And some very offtopic: VIA enables HOT-Plug SATA for even older Chipsets. Why doesn't OpenBSD provide at least Hotplug SATA if it's NOT the root-Disk?!

      because nobody has written the code.

      Comments
      1. By Anonymous Coward (24.117.246.131) on

        > > VIA and others often release new Chipset-Drivers... which may speed up some stuff and co.
        > > Do the OpenBSD-Developers improve such Drivers too?!
        >
        > of course.
        >
        > > And some very offtopic: VIA enables HOT-Plug SATA for even older Chipsets. Why doesn't OpenBSD provide at least Hotplug SATA if it's NOT the root-Disk?!
        >
        > because nobody has written the code.
        >

        And because hot-plug sata is a dumb dumb dumb idea.

        Comments
        1. By Anonymous Coward (70.27.15.123) on

          > And because hot-plug sata is a dumb dumb dumb idea.

          Stop repeating this bullshit. There is nothing wrong with hot swap SATA, or SCSI, or PCI. Just because openbsd doesn't support it, doesn't mean it's bad.

          Comments
          1. By Anonymous Coward (24.117.246.131) on

            > > And because hot-plug sata is a dumb dumb dumb idea.
            >
            > Stop repeating this bullshit. There is nothing wrong with hot swap SATA, or SCSI, or PCI. Just because openbsd doesn't support it, doesn't mean it's bad.

            SATA hot plug is a bad standard; if it can even be called that. SCSI is ugly but works when used right. Stop repeating this bullshit that SATA is a good idea for anything but a workstation without a real io load. You get what you pay for.

            Comments
            1. By Anonymous Coward (66.11.66.41) on

              > SATA hot plug is a bad standard; if it can even be called that. SCSI is ugly but works when used right. Stop repeating this bullshit that SATA is a good idea for anything but a workstation without a real io load. You get what you pay for.

              Hot plug SATA is not a bad standard at all, go read it. Neither is the SCSI spec "ugly". And I never said SATA was a good idea for anything but a workstation. Although now that you mention it, it's good for basically everything where you don't need the performance of SCSI. Including many kinds of servers.

              Comments
              1. By Anonymous Coward (67.64.89.177) on

                So you think that up to 1 minute for a phy to come online is a good idea?
                You also think that the signal drivers that are unreliable over 30cm is a good idea?
                You also think that having 1 pending io is a good idea?
                Oh, NCQ, yeah I have seen the test results on that, less than a few % of improvement.
                Commands missing in the 1.0 and 1.5 SATA spec because "it had to ship to recoup some of the investment" is a good idea too.

                Inherent to being cheaper the disks are made out of cheaper material, hope you can follow that argument. You get what you pay for.

                SCSI hotplug is a very very marginal spec with inherent issues. "It works" due to the of endless retries in the layers above the physical one. Its saving grace is the SCA connector with other mechanical aids.

                SATA is slightly better off because it has a phy which helps dramatically; since it also has less signals it is easier to get right however, there is no standard for backplanes and inherent to that you'll end up with either a cable hotplug scenario which is bad (no you can not insert those cables perpendicular by sight) or a proprietary interposer to strengthen/enhance the signal (not enough driver strength to run it through an enclosure).

                Read the spec, build a product and then come back with an informed opinion.

                Comments
                1. By Anonymous Coward (66.11.66.41) on

                  > So you think that up to 1 minute for a phy to come online is a good idea?

                  Yes. What is wrong with a maximum 1 minute delay before its online?

                  > You also think that the signal drivers that are unreliable over 30cm is a good idea?

                  I can't find the part of the spec that defines when anything should be unreliable. Oh right, this has nothing to do with the spec, it's just you pointing to worst case shitty hardware as an example of why the spec is bad. Nice try.

                  > You also think that having 1 pending io is a good idea?

                  I think it has nothing to do with hot plugging.

                  > Oh, NCQ, yeah I have seen the test results on that, less than a few % of improvement.

                  Which also has nothing to do with hotplugging.

                  > Commands missing in the 1.0 and 1.5 SATA spec because "it had to ship to recoup some of the investment" is a good idea too.

                  Still more irrelevance. You are pretty shitty at making an argument.

                  > Inherent to being cheaper the disks are made out of cheaper material, hope you can follow that argument. You get what you pay for.

                  And that makes hot plug bad how? No shit SATA drivers are lower quality than SCSI drives. Nobody said otherwise.

                  > SCSI hotplug is a very very marginal spec with inherent issues. "It works" due to the of endless retries in the layers above the physical one. Its saving grace is the SCA connector with other mechanical aids.

                  Does marginal mean "I just like bitching for no reason" by any chance? What exactly do you think is missing from it?

                  > SATA is slightly better off because it has a phy which helps dramatically; since it also has less signals it is easier to get right however, there is no standard for backplanes and inherent to that you'll end up with either a cable hotplug scenario which is bad (no you can not insert those cables perpendicular by sight) or a proprietary interposer to strengthen/enhance the signal (not enough driver strength to run it through an enclosure).

                  So, the spec is complete, and products following it work great. But because you can find shitty gear that doesn't, that means the whole concept is worthless? Nice logic.

                  Comments
                  1. By Anonymous Coward (143.166.226.19) on

                    Obviously there is no discussion to be had with you but that reflects your reading comprehension. Hope you have a nice blissful ignorant life.

        2. By Anonymous Coward (203.113.233.137) on

          > > > VIA and others often release new Chipset-Drivers... which may speed up some stuff and co.
          > > > Do the OpenBSD-Developers improve such Drivers too?!
          > >
          > > of course.
          > >
          > > > And some very offtopic: VIA enables HOT-Plug SATA for even older Chipsets. Why doesn't OpenBSD provide at least Hotplug SATA if it's NOT the root-Disk?!
          > >
          > > because nobody has written the code.
          > >
          >
          > And because hot-plug sata is a dumb dumb dumb idea.

          "And because hot-plug sata is a dumb dumb dumb idea."

          NER WRONG ANSWER!

          Comments
          1. By djm@ (203.217.30.86) on

            > NER WRONG ANSWER!

            i think you got lost on your way to kindergarten

  7. By Stephan A. Rickauer (130.60.5.218) on

    Thanks, Marc, for pointing to this very interesting article. This is what I needed to finally move my notebook to OpenBSD, too.

    Comments
    1. By jb (69.239.198.33) on

      > Thanks, Marc, for pointing to this very interesting article. This is
      > what I needed to finally move my notebook to OpenBSD, too.

      I've been running OpenBSD on various notebooks for a while. The problems I've encountered range from funkiness with firmware for the audio ("clcs") to the occasional short "freeze" when the system is running a bunch of network traffic through the aironet card.

      Outside of that, 3.9 has been outstanding.

  8. By Anonymous Coward (203.113.233.137) on

    I'm thinking of buying a laptop but it has a Broadcom or something wireless, since the DMESG does not seem to list any wireless devices but it does say there is a Broadcom unknown product of class network not configured

    Comments
    1. By Anonymous Coward (203.113.233.137) on

      > I'm thinking of buying a laptop but it has a Broadcom or something wireless, since the DMESG does not seem to list any wireless devices but it does say there is a Broadcom unknown product of class network not configured



      Does anybody know any good PCMCIA 802.11b and g WiFi cards for a laptop? (That are well supported under OpenBSD)

      Comments
      1. By sthen (81.168.66.243) on

        > > I'm thinking of buying a laptop but it has a Broadcom or something wireless, 
        > > since the DMESG does not seem to list any wireless devices but it does 
        > > say there is a Broadcom unknown product of class network not configured
        
        You can try looking up the PCI ID here.
        Though there are plenty of good laptops with supported wireless... 
        
        Alternatively the radio+MAC are often just MiniPCI modules that can
        be swapped out (very easily in some cases, but sometimes you need 
        to alter cmos or maybe hack the bios as some have an 'approved card'
        list).
        
        You're likely to get a much better signal from the antenna built-in 
        to a laptop than the one in a PC-Card.
        
        > Does anybody know any good PCMCIA 802.11b and g WiFi cards for a 
        > laptop? (That are well supported under OpenBSD)
        
        PCMCIA: wi(4) - Prism 2+, Wavelan etc.
        CardBus: ral(4) generally works well, cheap and usually easy to find.
        
        Take a laptop to a shop and try them there if you can and care...
        
        Chipset ID'ing: If it says "125Mb/s" or "11G+" it's probably TI 
        (unsupported). If it says "XR" it's probably a newer Atheros that's 
        unlikely to work yet. Marvell is another that won't work but slightly 
        harder to identify if it doesn't actually tell you on the packaging. 
        And broadcom (though they seem more likely to be built-in than add-on).
        I think that covers the chipsets you're most likely to find that 
        /don't/ work; google around for clues if you have a particular card 
        in mind that you can't positively ID (watch out as many manufacturers 
        change chipsets too often to keep track of; fortunately they're 
        pretty cheap).

        Comments
        1. By Anonymous Coward (203.113.233.137) on

          > I'm thinking of buying a laptop but it has a Broadcom or something wireless,
          > since the DMESG does not seem to list any wireless devices but it does
          > say there is a Broadcom unknown product of class network not configured
          >
          > You can try looking up the PCI ID here.
          > Though there are plenty of good laptops with supported wireless...
          >
          > Alternatively the radio+MAC are often just MiniPCI modules that can
          > be swapped out (very easily in some cases, but sometimes you need
          > to alter cmos or maybe hack the bios as some have an 'approved card'
          > list).
          >
          > You're likely to get a much better signal from the antenna built-in
          > to a laptop than the one in a PC-Card.
          >
          > Does anybody know any good PCMCIA 802.11b and g WiFi cards for a
          > laptop? (That are well supported under OpenBSD)
          >
          > PCMCIA: wi(4) - Prism 2+, Wavelan etc.
          > CardBus: ral(4) generally works well, cheap and usually easy to find.
          >
          > Take a laptop to a shop and try them there if you can and care...
          >
          > Chipset ID'ing: If it says "125Mb/s" or "11G+" it's probably TI
          > (unsupported). If it says "XR" it's probably a newer Atheros that's
          > unlikely to work yet. Marvell is another that won't work but slightly
          > harder to identify if it doesn't actually tell you on the packaging.
          > And broadcom (though they seem more likely to be built-in than add-on).
          > I think that covers the chipsets you're most likely to find that
          > /don't/ work; google around for clues if you have a particular card
          > in mind that you can't positively ID (watch out as many manufacturers
          > change chipsets too often to keep track of; fortunately they're
          > pretty cheap).


          ahh ok so it looks like the ral is the one to get... unfortunately the laptop was a cheapie second hand one so I couldn't just choose one which had supported wireless built-in.

  9. By Choochus (12.107.224.66) on

    "Well, ... this time it was the researchers, ... next time it's going to be the script kiddies."

    Just because a white hat published, doesn't mean that some bad guys (or governments) haven't been taking advantage of this until now...

    Comments
    1. By Anonymous Coward (203.113.233.137) on

      > "Well, ... this time it was the researchers, ... next time it's going to be the script kiddies."
      >
      > Just because a white hat published, doesn't mean that some bad guys (or governments) haven't been taking advantage of this until now...

      Of course






      ...
