Kernel Bugs Come Marchin' In

It may be All Saints' Day, but it's also day one of a month's worth of operating system kernel bugs that could spur some unsaintly exploits.

The first installment of the Month of Kernel Bugs (MOKB) is a Mac OS X WiFi exploit created by researcher HD Moore, according to researcher LMH who created the MOKB. (See Month of Kernel Bugs to Come.)

LMH's MOKB is similar in format to Moore's previous Month of Browser Bugs (MOBB), which ran in July. (See Getting Buggy with the MOBB.) Today's kernel bug is basically an Apple Airport memory corruption exploit that sends bogus "probe response" packets to the Mac machine.

The existence of Apple WiFi device driver flaws has been a hotly contested topic since researchers David Maynor of SecureWorks and Jon Ellch demonstrated a WiFi hack at Black Hat in August. "Hopefully, this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers," LMH says in his blog today.

Moore found the flaw with his own 802.11 fuzzing tools, which are based on a C fuzzer built by Ellch. LMH, meanwhile, is also offering his fsfuzzer tool for other bug hunters, and is soliciting other bugs for the month.

"Right now, 99 percent of the issues come from my private/personal research, using tools like fsfuzzer," LMH told Dark Reading. "Possibly I'll receive submissions from other people, but I doubt those will be even 20 percent of the total issues."

Here's how Moore's Airport exploit works. When a wireless card goes into active scan mode, it sends probe requests for the broadcast SSID, and any access point that's in range responds. "This sends a malformed response to the driver, which causes it to overwrite the internal kernel structures with the packet data." Then an attacker can execute arbitrary code from afar.

"The vulnerability seems to be in the Airport driver itself, but the exploit works by corrupting kernel memory using it," he says.

Machines most at risk of this exploit are iMacs and PowerBooks made between 1999 and 2003, using Orinoco-based Airport wireless cards, Moore says.

But that doesn't mean newer models are necessarily safe. "I did test this on new MacBook Pros and a newer G4 -- 1.33Ghz -- and neither of those were vulnerable to this specific bug. But there's more where this came from."

Moore didn't officially contact Apple about the bug, but he says he did get in touch with a friend who works there to give him a heads up. The exploit and tools will all be available in Metasploit 3.0.

"If they can find serious kernel bugs with a simple blind fuzzing tool, that bodes poorly for the current health of kernel filesystem and driver code," says Thomas Ptacek, a researcher with Matasano Security. "Which tells me that we badly need more of this kind of testing."

Among the bugs that will be highlighted this month in the MOKB: "Broken Linux filesystem code, Mac OS X WiFi-related bugs, and testing of many different systems, from Solaris to Minix," LMH says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading