Maynor Releases Apple Wireless Bug Code

Remember the Apple Inc. (Nasdaq: AAPL) wireless exploit at Black Hat USA 2006 that caused such an uproar? Well, one of the researchers who demonstrated it has published a proof-of-concept of the attack for the first time. (See Notebooks Vulnerable to Wireless Attack and Apple Flap Redux.)
David Maynor, CTO of Errata Security -- who with researcher Jon Ellch, a.k.a. johnnycache, faced a firestorm of criticism from Mac enthusiasts and some researchers for their demo last year -- today published a formal paper for the online researcher journal Uninformed in which he releases proof-of-concept code showing how the bug could be exploited. Maynor also explains in detail how he inadvertently found the heap buffer overflow bug in the OS X Atheros wireless device driver while fuzzing other wireless notebook machines.
But whether this finally puts to rest questions surrounding the Black Hat demo is unclear. Ellch told Dark Reading that he believes the paper should resolve them.
It's unclear why Maynor, who was not available for comment at this posting, decided to show the code details now, over a year later.
Meanwhile, the Metasploit Project is releasing a module for the exploit in its popular penetration testing framework, so researchers can test-run it themselves.
"[Maynor's] paper is a great example of turning a WiFi driver vulnerability into a working remote exploit and serves as an excellent resource for exploiting kernel-land vulnerabilities in OS X -- with Metasploit," says HD Moore, creator of Metasploit and director of security research for BreakingPoint Systems.
In the paper, entitled "OS X Kernel-mode Exploitation in a Weekend," Maynor provides details on how he discovered the bug accidentally while fuzzing other machines. "During this time, one of the MacBooks in the vicinity running OS X 10.4.6 crashed unexpectedly," he writes.
The bug lets an attacker compromise and take over a targeted machine. "Since the flaw requires a targeted machine to receive and process a wireless management frame, the attacker must be within range in order to transmit the frame."
Maynor notes in his paper that the code execution he demonstrates is just one element of an exploit, however: "To do something useful, an attacker needs kernel-mode shellcode. That subject will be covered in a future paper."
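To make the bug class concrete, here is a constructed illustration of what "a heap buffer overflow in a driver that processes a wireless management frame" looks like in code. It is not the Atheros driver, Maynor's code or the Metasploit module: the struct layout, the field names and the beacon builder are assumptions for this example. A hypothetical driver walks the tagged parameters of a beacon frame and copies the SSID element into a fixed-size field of a heap-allocated station record; the vulnerable form trusts the attacker-supplied length byte, the checked form bounds it by the destination as well as by the frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IEEE80211_HDR_LEN   24          /* frame control, duration, addr1-3, sequence control */
#define BEACON_FIXED_LEN    12          /* timestamp (8) + beacon interval (2) + capability (2) */
#define IE_SSID             0           /* element ID of the SSID tagged parameter */
#define MAX_SSID_LEN        32          /* 802.11 limit on SSID length */
#define LINK_STATE_SENTINEL 0x1badb002u /* recognisable value for the field next to ssid[] */

/* Hypothetical per-station record on the driver's heap (constructed for this example).
 * Whatever sits after ssid[] in memory is what an oversized SSID element overwrites. */
struct sta_info {
    uint8_t  ssid[MAX_SSID_LEN];
    uint8_t  ssid_len;
    uint32_t link_state;    /* stands in for any adjacent driver state */
};

/* Byte copy through a plain pointer: nothing here knows how big the destination is */
static void copy_bytes(uint8_t *dst, const uint8_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Walk the tagged parameters after the beacon's fixed fields. check_dst selects the
 * hardened behaviour. Returns 0 once an SSID element is stored, -1 if the frame is
 * truncated or carries no SSID, -2 if the element was rejected as too long. */
static int parse_beacon(const uint8_t *frame, size_t len, struct sta_info *sta, int check_dst)
{
    if (len < IEEE80211_HDR_LEN + BEACON_FIXED_LEN)
        return -1;
    const uint8_t *ie  = frame + IEEE80211_HDR_LEN + BEACON_FIXED_LEN;
    const uint8_t *end = frame + len;
    while (end - ie >= 2) {
        uint8_t id = ie[0], ie_len = ie[1];
        if ((size_t)(end - ie) < 2u + ie_len)       /* guards only the read side of the copy */
            return -1;
        if (id == IE_SSID) {
            if (check_dst && ie_len > MAX_SSID_LEN) /* the missing check: bound by the destination */
                return -2;
            copy_bytes(sta->ssid, ie + 2, ie_len);  /* without check_dst: overflow into link_state */
            sta->ssid_len = ie_len;
            return 0;
        }
        ie += 2 + ie_len;
    }
    return -1;
}

/* Vulnerable form: trusts the attacker-supplied length byte of the element */
int parse_beacon_vulnerable(const uint8_t *frame, size_t len, struct sta_info *sta)
{
    return parse_beacon(frame, len, sta, 0);
}

/* Hardened form: element length bounded by the frame and by the destination field */
int parse_beacon_checked(const uint8_t *frame, size_t len, struct sta_info *sta)
{
    return parse_beacon(frame, len, sta, 1);
}

/* Constructed beacon: 24-byte header, 12 bytes of fixed fields, one SSID element of the
 * requested length filled with 'A'. Returns the frame size, or 0 if out is too small. */
size_t build_beacon(uint8_t *out, size_t cap, uint8_t ssid_len)
{
    size_t need = IEEE80211_HDR_LEN + BEACON_FIXED_LEN + 2 + ssid_len;
    if (cap < need)
        return 0;
    memset(out, 0, need);
    out[0] = 0x80;              /* frame control: type = management, subtype = beacon */
    memset(out + 4, 0xff, 6);   /* addr1: broadcast, as a real beacon uses */
    uint8_t *ie = out + IEEE80211_HDR_LEN + BEACON_FIXED_LEN;
    ie[0] = IE_SSID;
    ie[1] = ssid_len;
    memset(ie + 2, 'A', ssid_len);
    return need;
}

/* Feed a beacon with the given SSID length to one parser and report the value of the
 * field adjacent to ssid[] afterwards; *rc receives the parser's return code. */
uint32_t link_state_after(int (*parser)(const uint8_t *, size_t, struct sta_info *),
                          uint8_t ssid_len, int *rc)
{
    uint8_t frame[320];
    size_t n = build_beacon(frame, sizeof frame, ssid_len);
    struct sta_info *sta = calloc(1, sizeof *sta);
    if (n == 0 || sta == NULL) { free(sta); *rc = -1; return 0; }
    sta->link_state = LINK_STATE_SENTINEL;
    *rc = parser(frame, n, sta);
    uint32_t v = sta->link_state;
    free(sta);
    return v;
}

int main(void)
{
    /* An SSID element as long as the whole record overwrites everything after ssid[] */
    uint8_t too_long = (uint8_t)sizeof(struct sta_info);
    int rc;
    uint32_t v = link_state_after(parse_beacon_vulnerable, too_long, &rc);
    printf("vulnerable: rc=%d link_state=0x%08x (sentinel 0x%08x)\n", rc, v, LINK_STATE_SENTINEL);
    v = link_state_after(parse_beacon_checked, too_long, &rc);
    printf("checked:    rc=%d link_state=0x%08x\n", rc, v);
    return 0;
}
```

The vulnerable parser does check the element against the end of the frame, which is why a fuzzer sending such frames does not crash the parser on a read; the crash comes from the write past ssid[] into whatever the heap allocator placed next, here the neighbouring field of the same record. In a real driver that neighbour is whatever kernel object follows the allocation, which is what turns the bug from a panic into the remote kernel-mode code execution Maynor's paper describes.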
Apple patched the flaw with a security update to Mac OS X 10.4.7 (CVE-2006-3508) last year.
— Kelly Jackson Higgins, Senior Editor, Dark Reading