An actual wi-fi driver vulnerability
aaron posted in wifi on November 1st, 2006
Well, it looks like the month of kernel bugs is starting off well with an actual apple wi-fi driver vuln. This is pretty interesting since it’s been several months since the David Maynor/Johnny Cache/Secure Works/Apple “is the vuln real or a hoax” debacle that’s been all over the news started. I was pretty disappointed that they didn’t give their speech at toorcon this year, certainly it would have been interesting. Johnny Cache doesn’t try to hide (well maybe a little) the fact that he’s not happy with the current situation. I find it funny how polarized everyone is on the subject. Certainly this will help to clear up the technical aspects of things, but releasing an exploit for an unpatched vulnerability isn’t exactly the way to make everyone friends again. I’m sensing another maclash (you know, like a backlash from mac-heads) on the horizon.
A post from HD Moore on the full-disclosure list shows this has already hit the news in a few places:
The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution.
Here’s a link to the metasploit module. Since this is an unpatched issue so far, going wired for a while probably isn’t a bad idea ;). I’m guessing this isn’t the last wi-fi driver bug we’ll see this month.
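The quoted advisory says a malformed probe response corrupts kernel structures while the driver is scanning, which is the classic shape of a frame parser trusting a length field it got off the air. The exact malformation in the Airport driver is not given above, so the following is an added illustration of the check a driver needs rather than code from Apple or the metasploit module: a bounds-checked walk over the tagged parameters (information elements) of a probe-response body, tested against a constructed well-formed body and a constructed body whose SSID length byte claims more data than the frame carries.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Probe-response body: timestamp(8) + beacon interval(2) + capability(2), then IEs */
#define PROBE_RESP_FIXED_LEN 12
#define IE_SSID 0
#define MAX_SSID_LEN 32

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_SSID = -2 };

/* Walk the IEs, copying the SSID into ssid_out (MAX_SSID_LEN + 1 bytes). Every IE
   length is checked against the bytes that remain before anything is read or copied,
   so a forged length byte cannot drive the parser past the end of the frame. */
int parse_probe_resp(const uint8_t *body, size_t len, char *ssid_out)
{
    if (len < PROBE_RESP_FIXED_LEN) return PARSE_TRUNCATED;
    size_t off = PROBE_RESP_FIXED_LEN;
    int saw_ssid = 0;
    while (off < len) {
        if (len - off < 2) return PARSE_TRUNCATED;      /* need id + length bytes */
        uint8_t id = body[off], ie_len = body[off + 1];
        off += 2;
        if (ie_len > len - off) return PARSE_TRUNCATED;  /* IE claims more than remains */
        if (id == IE_SSID) {
            if (ie_len > MAX_SSID_LEN) return PARSE_BAD_SSID;
            memcpy(ssid_out, body + off, ie_len);
            ssid_out[ie_len] = '\0';
            saw_ssid = 1;
        }
        off += ie_len;
    }
    return saw_ssid ? PARSE_OK : PARSE_BAD_SSID;
}

/* Constructed sample bodies (not captured traffic). */
static const uint8_t good_body[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00,   /* timestamp, interval, capability */
    0x00, 0x04, 't','e','s','t',            /* SSID "test" */
    0x01, 0x01, 0x82 };                     /* supported rates */
/* Same frame, but the SSID length byte says 200 while only 4 bytes follow. */
static const uint8_t forged_body[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00,
    0x00, 0xC8, 't','e','s','t' };

static char last_ssid[MAX_SSID_LEN + 1];
int parse_good(void)   { return parse_probe_resp(good_body, sizeof good_body, last_ssid); }
int parse_forged(void) { return parse_probe_resp(forged_body, sizeof forged_body, last_ssid); }
const char *parsed_ssid(void) { return last_ssid; }

int main(void)
{
    printf("well-formed: %d (ssid %s)\n", parse_good(), parsed_ssid());
    printf("forged length: %d\n", parse_forged());
    return 0;
}
```

A parser that instead trusts the length byte and copies into a fixed kernel buffer is the bug class the advisory describes; rejecting the frame before any copy is the fix.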