September 18, 2007
Remember the Apple wireless exploit at Black Hat USA 2006 that caused such an uproar? Well, one of the researchers who demonstrated it has published a proof-of-concept of the attack for the first time. (See Notebooks Vulnerable to Wireless Attack and Apple Flap Redux.)
David Maynor, CTO of Errata Security -- who with researcher Jon Ellch, a.k.a. johnnycache, faced a firestorm of criticism from Mac enthusiasts and some researchers for their demo last year -- today published a formal paper in the online research journal Uninformed in which he releases proof-of-concept code showing how the bug could be exploited. Maynor also explains in detail how he inadvertently found the heap buffer overflow bug in the OS X Atheros wireless device driver while fuzzing other wireless notebook machines.
But whether this finally puts to rest questions surrounding the Black Hat demo is unclear. Ellch told Dark Reading that he believes the paper should resolve them.
It's unclear why Maynor, who was not available for comment at this posting, decided to show the code details now, over a year later.
Meanwhile, the Metasploit Project is releasing a new exploit module for the popular penetration-testing framework, so researchers can test-run the attack themselves.
"[Maynor's] paper is a great example of turning a WiFi driver vulnerability into a working remote exploit and serves as an excellent resource for exploiting kernel-land vulnerabilities in OS X -- with Metasploit," says HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems.
In the paper, entitled "OS X Kernel-mode Exploitation in a Weekend," Maynor provides details on how he discovered the bug accidentally while fuzzing other machines. "During this time, one of the MacBooks in the vicinity running OS X 10.4.6 crashed unexpectedly," he writes.
The bug lets an attacker within radio range take over the targeted machine. "Since the flaw requires a targeted machine to receive and process a wireless management frame, the attacker must be within range in order to transmit the frame."
Maynor notes in his paper that the code execution he demonstrates is just one element of an exploit, however: "To do something useful, an attacker needs kernel-mode shellcode. That subject will be covered in a future paper."
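As an added illustration of the bug class the article describes (this is not code from Maynor's paper or from the Atheros driver, and the page does not name the exact frame field involved), the following C program shows the general shape of a management-frame heap overflow: a driver walks the information elements of a received beacon and lets the attacker-supplied length byte drive a copy into a fixed-size record on the heap. The beacon builder, the struct bss record with its canary, and every function name here are constructed for this example; the canary and padding only exist so the overflow is observable without crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified 802.11 management frame: 24-byte MAC header, then for a
 * beacon 8-byte timestamp + 2-byte interval + 2-byte capability, then a
 * run of information elements: 1-byte id, 1-byte length, data. */
#define MGMT_HDR_LEN 24
#define BEACON_FIXED 12
#define IE_SSID      0
#define SSID_MAX     32
#define CANARY       0xA5A5A5A5u

/* Hypothetical per-BSS record a driver keeps on the heap. The pad keeps
 * an overflow of up to 255 bytes inside the allocation, so the demo
 * corrupts the canary instead of taking down the process. */
struct bss {
    char     ssid[SSID_MAX];
    uint32_t canary;
    uint8_t  pad[256];
};

/* Build a beacon carrying one SSID element. ssid_len may exceed SSID_MAX:
 * the on-air length byte allows up to 255, which is what a fuzzer sends.
 * Returns the frame length, or 0 if it does not fit in cap. */
size_t build_beacon(uint8_t *out, size_t cap, const uint8_t *ssid, size_t ssid_len)
{
    size_t need = MGMT_HDR_LEN + BEACON_FIXED + 2 + ssid_len;
    if (ssid_len > 255 || need > cap) return 0;
    memset(out, 0, need);
    out[0] = 0x80;                  /* frame control: type mgmt, subtype beacon */
    memset(out + 4, 0xff, 6);       /* addr1: broadcast destination */
    size_t p = MGMT_HDR_LEN + BEACON_FIXED;
    out[p++] = IE_SSID;
    out[p++] = (uint8_t)ssid_len;
    memcpy(out + p, ssid, ssid_len);
    return need;
}

/* Find the first element with the given id. Returns a pointer to its
 * length byte, or NULL if absent or if the element runs past the frame. */
static const uint8_t *find_ie(const uint8_t *f, size_t len, uint8_t id)
{
    size_t p = MGMT_HDR_LEN + BEACON_FIXED;
    while (p + 2 <= len) {
        uint8_t ie_id = f[p], ie_len = f[p + 1];
        if (p + 2 + ie_len > len) return NULL;     /* truncated element */
        if (ie_id == id) return f + p + 1;
        p += 2 + ie_len;
    }
    return NULL;
}

/* Vulnerable pattern: the attacker-controlled length byte drives the copy
 * into a 32-byte field. The byte loop is an unchecked memcpy in effect. */
int parse_beacon_unchecked(const uint8_t *f, size_t len, struct bss *b)
{
    const uint8_t *ie = find_ie(f, len, IE_SSID);
    if (!ie) return -1;
    for (size_t i = 0; i < ie[0]; i++)           /* no check against SSID_MAX */
        b->ssid[i] = (char)ie[1 + i];
    return 0;
}

/* Hardened pattern: reject an oversized element before anything is copied. */
int parse_beacon_checked(const uint8_t *f, size_t len, struct bss *b)
{
    const uint8_t *ie = find_ie(f, len, IE_SSID);
    if (!ie) return -1;
    if (ie[0] > SSID_MAX) return -2;             /* drop the frame */
    memcpy(b->ssid, ie + 1, ie[0]);
    return 0;
}

/* Run one frame through a parser on a fresh record; return 1 if the
 * canary behind the ssid field survived, 0 if it was overwritten. */
int canary_intact_after(int (*parse)(const uint8_t *, size_t, struct bss *),
                        const uint8_t *f, size_t len, int *rc)
{
    struct bss *b = calloc(1, sizeof *b);
    if (!b) return -1;
    b->canary = CANARY;
    *rc = parse(f, len, b);
    int intact = (b->canary == CANARY);
    free(b);
    return intact;
}

int main(void)
{
    uint8_t frame[512], big[200];
    int rc;
    memset(big, 'A', sizeof big);                /* constructed 200-byte SSID */
    size_t n = build_beacon(frame, sizeof frame, big, sizeof big);
    printf("unchecked parser: rc=%d canary intact=%d\n",
           rc, canary_intact_after(parse_beacon_unchecked, frame, n, &rc));
    printf("checked parser:   rc=%d canary intact=%d\n",
           rc, canary_intact_after(parse_beacon_checked, frame, n, &rc));
    return 0;
}
```

The bounds check in find_ie is what a fuzzer exercises first: a length byte that claims more data than the frame carries. The second check, the element length against the destination field, is the one whose absence turns a crash into a heap corruption primitive.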
Apple patched the flaw with a security update to Mac OS X 10.4.7 (CVE-2006-3508) last year.