Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:35 AM
Connect Directly

Kernel Bugs Come Marchin' In

Day one of the Month of Kernel Bugs is under way, and an Apple Mac OS X and wireless exploit kicks it off

It may be All Saints' Day, but it's also day one of a month's worth of operating system kernel bugs that could spur some unsaintly exploits.

The first installment of the Month of Kernel Bugs (MOKB) is a Mac OS X WiFi exploit created by researcher HD Moore, according to researcher LMH who created the MOKB. (See Month of Kernel Bugs to Come.)

LMH's MOKB is similar in format to Moore's previous Month of Browser Bugs (MOBB), which ran in July. (See Getting Buggy with the MOBB.) Today's kernel bug is basically an Apple Airport memory corruption exploit that sends bogus "probe response" packets to the Mac machine.

The existence of Apple WiFi device driver flaws has been a hotly contested topic since researchers David Maynor of SecureWorks and Jon Ellch demonstrated a WiFi hack at Black Hat in August. "Hopefully, this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers," LMH says in his blog today.

Moore found the flaw with his own 802.11 fuzzing tools, which are based on a C fuzzer built by Ellch. LMH, meanwhile, is also offering his fsfuzzer tool for other bug hunters, and is soliciting other bugs for the month.

"Right now, 99 percent of the issues come from my private/personal research, using tools like fsfuzzer," LMH told Dark Reading. "Possibly I'll receive submissions from other people, but I doubt those will be even 20 percent of the total issues."

Here's how Moore's Airport exploit works. When a wireless card goes into active scan mode, it sends probe requests for the broadcast SSID, and any access point that's in range responds. "This sends a malformed response to the driver, which causes it to overwrite the internal kernel structures with the packet data." Then an attacker can execute arbitrary code from afar.

"The vulnerability seems to be in the Airport driver itself, but the exploit works by corrupting kernel memory using it," he says.

Machines most at risk of this exploit are iMacs and PowerBooks made between 1999 and 2003, using Orinoco-based Airport wireless cards, Moore says.

But that doesn't mean newer models are necessarily safe. "I did test this on new MacBook Pros and a newer G4 -- 1.33Ghz -- and neither of those were vulnerable to this specific bug. But there's more where this came from."

Moore didn't officially contact Apple about the bug, but he says he did get in touch with a friend who works there to give him a heads up. The exploit and tools will all be available in Metasploit 3.0.

"If they can find serious kernel bugs with a simple blind fuzzing tool, that bodes poorly for the current health of kernel filesystem and driver code," says Thomas Ptacek, a researcher with Matasano Security. "Which tells me that we badly need more of this kind of testing."

Among the bugs that will be highlighted this month in the MOKB: "Broken Linux filesystem code, Mac OS X WiFi-related bugs, and testing of many different systems, from Solaris to Minix," LMH says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Apple Inc. (Nasdaq: AAPL) Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    44% of Security Threats Start in the Cloud
    Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
    Zero-Factor Authentication: Owning Our Data
    Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-02-25
    A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
    PUBLISHED: 2020-02-24
    An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
    PUBLISHED: 2020-02-24
    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...
    PUBLISHED: 2020-02-24
    controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
    PUBLISHED: 2020-02-24
    The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind...