Apple Wi-Fi Exploit Released

Security researcher HD Moore has released code that shows how attackers can exploit an unpatched flaw present in some Apple wireless drivers. Moore said he tested this on a 1.0GHz PowerBook running Mac OS X 10.4.8 with the latest updates, and while Apple has released updates to fix three other problems with these wireless drivers, this flaw is still unpatched.

“With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUD’ed by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers,” said LMH (the alias of the hacker who runs the Kernelfun blog) — referring to an Apple wireless driver issue covered by Security Fix earlier this year (the links in the quote are his). Source: Security Fix

The exploit code and the release are published as "Apple Airport 802.11 Probe Response Kernel Memory Corruption":

The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values.
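As an added illustration (not code from Moore's release or from Apple's driver), the following C parser walks the information elements that follow a probe response's fixed-length header and drops any frame whose IE list is missing or malformed before anything is copied. The 24-byte management header and 12-byte fixed fields follow the standard 802.11 layout; the struct and function names are hypothetical, and dropping a frame that carries no SSID element is an assumption of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIXED_LEN (24 + 12) /* MAC header + timestamp, beacon interval, capability */
#define IE_SSID   0
#define SSID_MAX  32

/* Hypothetical scan-result record; not a structure from any real driver. */
struct scan_result { uint8_t ssid[SSID_MAX]; uint8_t ssid_len; int have_ssid; };

/* Returns 0 if the frame parsed cleanly, -1 if it must be dropped. */
int parse_probe_response(const uint8_t *frame, size_t len, struct scan_result *out)
{
    memset(out, 0, sizeof(*out));
    if (len < FIXED_LEN)
        return -1;                        /* truncated fixed-length part */
    const uint8_t *p = frame + FIXED_LEN;
    size_t left = len - FIXED_LEN;
    while (left > 0) {
        if (left < 2)
            return -1;                    /* no room for id + length bytes */
        uint8_t id = p[0], ie_len = p[1];
        if (ie_len > left - 2)
            return -1;                    /* IE claims bytes past end of frame */
        if (id == IE_SSID && !out->have_ssid) {
            if (ie_len > SSID_MAX)
                return -1;                /* would overflow the destination */
            memcpy(out->ssid, p + 2, ie_len);
            out->ssid_len = ie_len;
            out->have_ssid = 1;
        }
        p += 2 + (size_t)ie_len;
        left -= 2 + (size_t)ie_len;
    }
    return out->have_ssid ? 0 : -1;       /* assumption: no SSID IE means drop */
}

/* Constructed test input: zeroed fixed part followed by the given IE bytes. */
size_t build_frame(uint8_t *buf, const uint8_t *ies, size_t ies_len)
{
    memset(buf, 0, FIXED_LEN);
    memcpy(buf + FIXED_LEN, ies, ies_len);
    return FIXED_LEN + ies_len;
}
```

The parser never trusts the length byte inside an element: every copy is bounded by both the bytes remaining in the received frame and the size of the destination field.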

A spokesman from Apple had this to say:

“We were recently made aware of this security issue in our first generation AirPort card, which has not shipped since October 2003. This issue affects a small percentage of previous generation AirPort enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs. We are currently investigating the issue.” Source: Security Fix

Fun, fun, fun.