Newly discovered hole in old Apple WLAN driver
Following on July's Month of Browser Bugs, a similar project to highlight security vulnerabilities has been announced for November under the title "Month of Kernel Bugs" (MoKB). The project's initiators intend to release one security hole per day for various operating system kernels. Because security hole announcements for Apple always gather a crowd, the MoKB launched with a bug in the Mac OS X driver (Airport) for WLAN cards with the Orinoco chipset, through which attackers can crash reachable Macs over the air, without any physical access. HD Moore also claims that arbitrary program code can be injected through the hole as well.
For the attack to work, the WLAN card must be in what is known as scan mode, either via the Airport software or via something like the KisMAC WLAN sniffer. The vulnerability in the Orinoco Airport driver lets attackers abuse what is known as a probe response, the reply packet an access point sends during a WLAN network search. Probe response packets carry "information elements" after the header, and the driver copies such an element directly into a kernel structure. By manipulating the information element, an attacker can corrupt kernel memory, including pointers under attacker control.
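The defect class described above is an information element (a tag/length/value record) whose contents are copied into a fixed-size kernel structure without checking the declared length. As an added illustration that is not from the MoKB report or from Apple's driver, the following C code parses the information elements of an 802.11 probe response body the way a hardened driver should: every declared length is checked against the bytes actually remaining in the frame and against the capacity of the destination buffer before anything is copied. The structure name `scan_result`, the buffer sizes and the sample frames are assumptions made for this example; the element IDs 0 (SSID) and 1 (Supported Rates) and the 12 fixed bytes preceding the elements are the standard 802.11 layout.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 probe response body: 8-byte timestamp, 2-byte beacon interval,
 * 2-byte capability field, then a run of information elements, each
 * being a 1-byte element ID, a 1-byte length and `length` value bytes. */
#define PROBE_FIXED_LEN  12
#define IE_SSID           0
#define IE_SUPPORTED_RATES 1
#define MAX_SSID_LEN     32   /* assumed capacity of the scan record */
#define MAX_RATES         8   /* assumed capacity of the scan record */

/* Hypothetical kernel-side scan record the elements are copied into. */
struct scan_result {
    uint8_t ssid[MAX_SSID_LEN];
    uint8_t ssid_len;
    uint8_t rates[MAX_RATES];
    uint8_t nrates;
};

/* Returns 0 on success, -1 if the frame is malformed. No byte of an
 * element is copied until its length has been validated twice: against
 * the frame and against the destination buffer. */
int parse_probe_response_ies(const uint8_t *body, size_t len, struct scan_result *out)
{
    if (len < PROBE_FIXED_LEN)
        return -1;
    memset(out, 0, sizeof *out);
    size_t off = PROBE_FIXED_LEN;
    while (off < len) {
        if (len - off < 2)                 /* element header runs past the frame */
            return -1;
        uint8_t id    = body[off];
        uint8_t ielen = body[off + 1];
        off += 2;
        if (ielen > len - off)             /* declared length overruns the frame */
            return -1;
        const uint8_t *val = body + off;
        switch (id) {
        case IE_SSID:
            if (ielen > MAX_SSID_LEN)      /* would overflow the fixed buffer */
                return -1;
            memcpy(out->ssid, val, ielen);
            out->ssid_len = ielen;
            break;
        case IE_SUPPORTED_RATES:
            if (ielen == 0 || ielen > MAX_RATES)
                return -1;
            memcpy(out->rates, val, ielen);
            out->nrates = ielen;
            break;
        default:
            break;                         /* unknown element: skip by length only */
        }
        off += ielen;
    }
    return 0;
}

/* Constructed sample: a well-formed body with SSID "test" and two rates. */
int demo_well_formed(struct scan_result *r)
{
    uint8_t buf[PROBE_FIXED_LEN + 2 + 4 + 2 + 2] = {0};
    buf[12] = IE_SSID; buf[13] = 4; memcpy(&buf[14], "test", 4);
    buf[18] = IE_SUPPORTED_RATES; buf[19] = 2; buf[20] = 0x82; buf[21] = 0x84;
    return parse_probe_response_ies(buf, sizeof buf, r);
}

/* Constructed sample: SSID element longer than the 32-byte record field. */
int demo_oversized_ssid(void)
{
    struct scan_result r;
    uint8_t buf[PROBE_FIXED_LEN + 2 + 40] = {0};
    buf[12] = IE_SSID; buf[13] = 40;
    return parse_probe_response_ies(buf, sizeof buf, &r);
}

/* Constructed sample: element claims 10 bytes but only 3 follow. */
int demo_truncated_ie(void)
{
    struct scan_result r;
    uint8_t buf[PROBE_FIXED_LEN + 2 + 3] = {0};
    buf[12] = IE_SSID; buf[13] = 10;
    return parse_probe_response_ies(buf, sizeof buf, &r);
}

int main(void)
{
    struct scan_result r;
    printf("well-formed: %d (ssid_len=%u, nrates=%u)\n",
           demo_well_formed(&r), r.ssid_len, r.nrates);
    printf("oversized ssid: %d\n", demo_oversized_ssid());
    printf("truncated ie: %d\n", demo_truncated_ie());
    return 0;
}
```

The two rejected samples are exactly the shapes a fuzzed probe response takes: a length that exceeds the destination field, and a length that exceeds the frame itself. A driver that validates only one of the two is still exploitable through the other.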
There is as yet no patch available from Apple, and HD Moore says he has reproduced the bug on a 1 GHz PowerBook running a fully patched Mac OS X 10.4.8. The Orinoco cards were built into PowerBooks and iMacs between 1999 and 2003, the MoKB report notes. How many of these devices are still in use in late 2006 is practically impossible to estimate.
One workaround until Apple releases an update is to refrain from network searches under Mac OS X when working with Orinoco hardware, which includes not running a WLAN sniffer. HD Moore has released a sample exploit for the Metasploit Framework 3.0 that is the first to draw upon its libraries.
At first blush, a driver problem does not seem like an obvious fit for the Month of Kernel Bugs. Yet because the driver runs in the context of the kernel and is shipped by Apple as part of OS X 10.4.8, it is not too much of a stretch to call it a kernel bug.
- MoKB starts: MOKB-01-11-2006 - Apple Airport 802.11 Probe Response Kernel Memory Corruption, report in the MoKB Blog
- Apple Airport 802.11 Probe Response Kernel Memory Corruption, detailed analysis of the vulnerability
- Project website with background information on the Month of the Kernel Bugs
- MoKB Blog, inspired by the MoBB Blog