Exploit Released for Unpatched Apple Wi-Fi Flaw

Update, 4:35 p.m. ET: Lynn Fox over at Apple called back with the following statement:
"We were recently made aware of this security issue in our first generation AirPort card, which has not shipped since October 2003. This issue affects a small percentage of previous generation AirPort enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs. We are currently investigating the issue."
Original Post From Earlier Today:
Security researcher HD Moore today released computer code showing how attackers can exploit an unpatched flaw present in the wireless drivers in some Apple Macintosh computers.
"With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUD'ed by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers," said LMH (the alias of the hacker who runs the Kernelfun blog) -- referring to an Apple wireless driver issue covered by Security Fix earlier this year (the links in the quote are his).
Moore said he tested the exploit on a 1.0GHz PowerBook running Mac OS X 10.4.8 with the latest updates (Halloween, 2006). "The fastest way to trigger this bug is to place the card into active scanning mode. This can be accomplished by launching Kismac [a wireless network scanning program] with the active scanning driver, or by using the 'airport' utility provided with OS X."
While Apple released updates in September to fix at least three problems in its wireless drivers, there is currently no fix available from Apple for the flaw detailed by Moore.
I exchanged a series of e-mails with Moore today to ask about some of this exploit's more technical details, which can be viewed here for anyone interested. In a nutshell, he says the exploit is somewhat unreliable as written, but that it could be made more so if someone spent a bit more time finessing it. He also said "it may be possible to make this exploit reliable by hammering the Airport driver with requests while triggering the bug."
Moore has since folded the exploit into Metasploit 3.0, a free software tool built to help users exploit security flaws against a variety of operating systems and third-party software applications.
The vulnerability is the first in a series of daily bug details to be released over the next 29 days as part of the "Month of Kernel Bugs" project. LMH said we can expect at least five more Apple kernel bugs to be detailed in the coming days, as well as kernel flaws in Linux, BSD, and Solaris 10 systems.
The "kernel" is probably the most vital and fundamental area of any computer system, as it handles the transfer of information between hardware and software on a machine, among other things. Kernel flaws are serious vulnerabilities, but kernel flaws that are exploitable remotely are extremely dangerous, because an attacker can use them to completely subvert the security of the target machine, usually regardless of the presence of security software or the system privileges of the user account the victim happens to be running at the time.
I put a call in to Apple spokeswoman Lynn Fox and will update this post if I hear back from the company. I also pinged David Maynor from SecureWorks to determine if this was related to the exploit I saw at the Black Hat security conference in Las Vegas this summer, but I've not yet received a response from him either.
I did catch up with Maynor's co-presenter, Johnny "Cache" Ellch, who said the bug Moore released today is unrelated to the flaw detailed at Black Hat. [Security Fix]
8:58:53 PM