Maynor Releases Apple Wireless Bug Code

Remember the Apple wireless exploit at Black Hat USA 2006 that caused such an uproar? Well, one of the researchers who demonstrated it has published a proof-of-concept of the attack for the first time. (See Notebooks Vulnerable to Wireless Attack and Apple Flap Redux.)

David Maynor, CTO of Errata Security -- who with researcher Jon Ellch, a.k.a. johnnycache, faced a firestorm of criticism from Mac enthusiasts and some researchers for their demo last year -- today published a formal paper for the online researcher journal Uninformed in which he releases proof-of-concept code showing how the bug could be exploited. Maynor also explains in detail how he inadvertently found the heap buffer overflow bug in the OS X Atheros wireless device driver while fuzzing other wireless notebook machines.

But whether this finally puts to rest questions surrounding the Black Hat demo is unclear. Ellch told Dark Reading that he believes the paper should resolve them.

It's unclear why Maynor, who was not available for comment at this posting, decided to show the code details now, over a year later.

Meanwhile, the Metasploit Project is releasing a new module for the exploit that runs on the popular penetration test tool, so researchers can test-run it themselves.

"[Maynor's] paper is a great example of turning a WiFi driver vulnerability into a working remote exploit and serves as an excellent resource for exploitation kernel-land vulnerabilities in OS X -- with Metasploit," says HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems.

In the paper, entitled "OS X Kernel-mode Exploitation in a Weekend," Maynor provides details on how he discovered the bug accidentally while fuzzing other machines. "During this time, one of the MacBooks in the vicinity running OS X 10.4.6 crashed unexpectedly," he writes.

The bug lets an attacker compromise and take over a targeted machine. "Since the flaw requires a targeted machine to receive and process a wireless management frame, the attacker must be within range in order to transmit the frame."

Maynor notes in his paper that the code execution he demonstrates is just one element of an exploit, however: "To do something useful, an attacker needs kernel-mode shellcode. That subject will be covered in a future paper."

Apple patched the flaw with a security update to Mac OS X 10.4.7 (CVE-2006-3508) last year.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.