Maynor Releases Apple Wireless Bug Code

Over a year after the Apple wireless flap, researcher David Maynor publishes a paper with proof-of-concept of the controversial hack

Remember the Apple wireless exploit at Black Hat USA 2006 that caused such an uproar? Well, one of the researchers who demonstrated it has published a proof-of-concept of the attack for the first time. (See Notebooks Vulnerable to Wireless Attack and Apple Flap Redux.)

David Maynor, CTO of Errata Security -- who with researcher Jon Ellch, a.k.a. johnnycache, faced a firestorm of criticism from Mac enthusiasts and some researchers for their demo last year -- today published a formal paper for the online researcher journal Uninformed in which he releases proof-of-concept code showing how the bug could be exploited. Maynor also explains in detail how he inadvertently found the heap buffer overflow bug in the OS X Atheros wireless device driver while fuzzing other wireless notebook machines.

But whether this finally puts to rest questions surrounding the Black Hat demo is unclear. Ellch told Dark Reading that he believes the paper should resolve them.

It's unclear why Maynor, who was not available for comment at this posting, decided to show the code details now, over a year later.

Meanwhile, the Metasploit Project is releasing a new module for the exploit that runs on the popular penetration test tool, so researchers can test-run it themselves.

"[Maynor's] paper is a great example of turning a WiFi driver vulnerability into a working remote exploit and serves as an excellent resource for exploitation kernel-land vulnerabilities in OS X -- with Metasploit," says HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems.

In the paper, entitled "OS X Kernel-mode Exploitation in a Weekend," Maynor provides details on how he discovered the bug accidentally while fuzzing other machines. "During this time, one of the MacBooks in the vicinity running OS X 10.4.6 crashed unexpectedly," he writes.

The bug lets an attacker compromise and take over a targeted machine. "Since the flaw requires a targeted machine to receive and process a wireless management frame, the attacker must be within range in order to transmit the frame."

Maynor notes in his paper that the code execution he demonstrates is just one element of an exploit, however: "To do something useful, an attacker needs kernel-mode shellcode. That subject will be covered in a future paper."

Apple patched the flaw with a security update to Mac OS X 10.4.7 (CVE-2006-3508) last year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights