Mac OS X Wireless Driver Malformed Frame Remote Code Execution

WVE ID: WVE-2006-0060

Type: Vulnerability

Status: Candidate

Classification:
Input Manipulation

Description:
Some wireless drivers used by Mac OS X contain a remote code execution vulnerability that is triggered by malformed 802.11 frames.

Discussion:
At the BlackHat 2006 and Defcon 14 security conferences a vulnerability in the driver used by wireless adapters containing Atheros chipsets was discussed. Details of the vulnerability were not initially disclosed for security reasons. However, the vulnerability was demonstrated to be exploitable and can lead to total system compromise because the driver code runs in close interaction with the kernel.

The demonstration system was a MacBook using an Atheros-based 802.11 USB adapter. At the time, additional reports suggested that the Apple-supplied Airport Extreme, which uses an Atheros chipset on x86 Macs, might also be vulnerable to the same issue.

It is doubtful that this issue affects non-x86 Mac products with Airport Extreme, since those platforms use Broadcom chipsets. However, similar issues may exist on such systems.

Details of the vulnerability demonstrated in 2006 were disclosed by Maynor in September 2007 (see the referenced URL). According to Maynor, the vulnerability was in the Apple driver shipped with Mac OS X 10.4.7 on Intel-based MacBooks and Mac Minis. Fuzzing of beacon and probe frames uncovered a buffer overflow in the driver's handling of the Extended Rate Information Element, whose length byte is supplied by the sender of the frame. The resulting memory corruption has been shown to permit execution of arbitrary shellcode in OS X kernel mode, giving an attacker control of the vulnerable system.
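
As an added example (not code from this entry, from Apple, or from Atheros), the C program below shows the bug class the fuzzing result points at. An 802.11 beacon or probe frame carries its Information Elements as (tag, length, value) triples with a sender-controlled length byte; a driver that appends the Supported Rates (ID 1) and Extended Supported Rates (ID 50) elements into a fixed-size rate table without a capacity check writes past the table. The frame bytes, the 16-entry table size (MAX_RATES) and the canary region after the table are constructed assumptions for illustration; the entry does not describe the real driver's data structures. The vulnerable append routine sits beside a bounds-checked one, and the canary makes the overflow visible without a crash.

```c
/* Added example, not Apple or Atheros driver code: a walker for the tagged
 * parameters of an 802.11 beacon/probe frame, with the rate-table overflow
 * pattern beside a bounds-checked version. Frame bytes are constructed;
 * MAX_RATES is an assumed table size. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SUPPORTED_RATES     1    /* element IDs from IEEE 802.11 */
#define IE_EXT_SUPPORTED_RATES 50
#define MAX_RATES  16   /* assumed size of the driver's fixed rate table */
#define CANARY_LEN 256  /* stands in for whatever follows the table in memory */

enum parse_result { PARSE_OK, PARSE_TRUNCATED_IE, PARSE_TOO_MANY_RATES };

/* Per-BSS record: record[0..MAX_RATES) is the rate table, the rest a canary. */
struct bss { uint8_t record[MAX_RATES + CANARY_LEN]; size_t n_rates; };

/* Vulnerable pattern: trusts the element's length byte, never checks capacity. */
static void append_rates_vuln(struct bss *b, const uint8_t *val, uint8_t len)
{
    for (uint8_t i = 0; i < len; i++)
        b->record[b->n_rates + i] = val[i];  /* past the table once n_rates + len > MAX_RATES */
    b->n_rates += len;
}

/* Hardened: refuse the element before touching the table. */
static enum parse_result append_rates_safe(struct bss *b, const uint8_t *val, uint8_t len)
{
    if (b->n_rates + len > MAX_RATES)
        return PARSE_TOO_MANY_RATES;
    memcpy(b->record + b->n_rates, val, len);
    b->n_rates += len;
    return PARSE_OK;
}

/* Walk (tag, length, value) elements. Both variants check that each element
 * fits in the frame; only the safe one also checks that rates fit the table. */
static enum parse_result parse_ies(struct bss *b, const uint8_t *ies, size_t ies_len, int safe)
{
    size_t off = 0;
    b->n_rates = 0;
    while (off < ies_len) {
        if (ies_len - off < 2)
            return PARSE_TRUNCATED_IE;       /* no room for tag + length */
        uint8_t tag = ies[off], len = ies[off + 1];
        const uint8_t *val = ies + off + 2;
        if (len > ies_len - off - 2)
            return PARSE_TRUNCATED_IE;       /* length claims more than the frame holds */
        if (tag == IE_SUPPORTED_RATES || tag == IE_EXT_SUPPORTED_RATES) {
            if (!safe)
                append_rates_vuln(b, val, len);
            else if (append_rates_safe(b, val, len) != PARSE_OK)
                return PARSE_TOO_MANY_RATES;
        }
        off += 2 + (size_t)len;
    }
    return PARSE_OK;
}

/* Constructed beacon body: SSID, 8 ordinary rates, then an Extended Supported
 * Rates element of ext_len bytes (the field a beacon fuzzer would sweep). */
static size_t build_beacon_ies(uint8_t *out, size_t cap, uint8_t ext_len)
{
    static const uint8_t basic[8] = { 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24 };
    size_t o = 0;
    if (2 + 3 + 2 + sizeof basic + 2 + (size_t)ext_len > cap)
        return 0;
    out[o++] = 0;                      out[o++] = 3;       memcpy(out + o, "lab", 3); o += 3;
    out[o++] = IE_SUPPORTED_RATES;     out[o++] = 8;       memcpy(out + o, basic, 8); o += 8;
    out[o++] = IE_EXT_SUPPORTED_RATES; out[o++] = ext_len; memset(out + o, 0x6c, ext_len); o += ext_len;
    return o;  /* 0x6c (54 Mbit/s) is repeated as filler */
}

struct outcome { enum parse_result result; int clobbered; };

/* Parse a constructed beacon with one variant, optionally cutting `cut` bytes
 * off its end, and report whether any byte beyond the rate table changed. */
static struct outcome demo(uint8_t ext_len, int safe, size_t cut)
{
    uint8_t frame[512];
    struct bss b;
    struct outcome o = { PARSE_OK, 0 };
    size_t n = build_beacon_ies(frame, sizeof frame, ext_len) - cut;
    memset(&b, 0, sizeof b);
    memset(b.record + MAX_RATES, 0xAA, CANARY_LEN);
    o.result = parse_ies(&b, frame, n, safe);
    for (size_t i = 0; i < CANARY_LEN; i++)
        o.clobbered |= (b.record[MAX_RATES + i] != 0xAA);
    return o;
}

int main(void)
{
    struct outcome v = demo(200, 0, 0), s = demo(200, 1, 0), t = demo(200, 0, 1);
    printf("vulnerable: result=%d clobbered=%d\n", v.result, v.clobbered);
    printf("hardened:   result=%d clobbered=%d\n", s.result, s.clobbered);
    printf("truncated:  result=%d clobbered=%d\n", t.result, t.clobbered);
    return 0;
}
```

The point worth noting is that the vulnerable path still verifies that every element fits inside the received frame, so a frame-bounds check alone does not catch this bug: a 200-byte Extended Supported Rates element is perfectly valid for the frame and only invalid for the table. The hardened path rejects it with PARSE_TOO_MANY_RATES before any copy, and a frame cut short mid-element is rejected by both variants as PARSE_TRUNCATED_IE.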

Credits
Author: David Maynor : SecureWorks
Author: Johnny Cache : None

References
URL: http://blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Ellch
URL: http://uninformed.org/?v=8&a=4

Released: 2006-08-02

Submitter
Andrew Lockhart (alockhart@networkchemistry.com) : Network Chemistry

Submitted: Mon Aug 07 15:41:27 -0700 2006

Candidate Date: Mon Aug 07 15:42:28 -0700 2006
