H. D. Moore has released attack code that can cause a Macintosh to kernel panic. The attack code was added to Metasploit 3.0, a security tool used by both security experts and the bad guys to probe for holes in a target computer or network. The attack code can be used against Orinoco-based AirPort cards that shipped in PowerBooks and iMacs from 1999-2003, according to the description published by Mr. Moore.
The exploit requires the attacker to be on the same AirPort network as the target, and was tested on a 1.0 GHz PowerBook running Mac OS X 10.4.8 with the latest updates as of October 31, 2006. It was released as part of "The Month of Kernel Bugs," in which Mr. Moore and others will be publishing information about various kernel problems with various operating systems.
According to the description, "This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values."
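The flaw described above is a parsing failure: the driver trusts the information-element (IE) section that follows the fixed-length probe response header and copies it into kernel structures without checking it. The following is an added example (not code from Metasploit, Apple or the article) of how a driver-side parser should validate that section before touching any internal state. It assumes the standard 802.11 layout (12-byte fixed header, then type-length-value IEs) and uses hypothetical limits and a hypothetical result structure; the two sample frames are constructed for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 802.11 probe response fixed fields: timestamp (8) + beacon interval (2)
   + capability info (2). Every IE sits after these 12 bytes. */
#define PROBE_RESP_FIXED_LEN 12

/* Assumed limits for this example (not from the article). */
#define MAX_SSID_LEN 32
#define MAX_RATES    8

enum ie_id { IE_SSID = 0, IE_SUPPORTED_RATES = 1, IE_DS_PARAMS = 3 };

/* Hypothetical fixed-size structure a driver might fill from a scan result. */
struct scan_result {
    uint8_t ssid[MAX_SSID_LEN];
    uint8_t ssid_len;
    uint8_t rates[MAX_RATES];
    uint8_t rate_count;
    uint8_t channel;
};

/* Returns 0 if the frame body is well-formed and *out was filled, -1 if it is
   malformed. Never reads past body + len and never writes past the bounds of
   the fixed-size fields in *out; *out is zeroed before any copy. */
int parse_probe_response(const uint8_t *body, size_t len, struct scan_result *out)
{
    if (body == NULL || out == NULL || len < PROBE_RESP_FIXED_LEN)
        return -1;
    memset(out, 0, sizeof *out);

    size_t off = PROBE_RESP_FIXED_LEN;
    while (off < len) {
        if (len - off < 2)
            return -1;                      /* truncated IE header */
        uint8_t id = body[off];
        uint8_t ie_len = body[off + 1];
        const uint8_t *val = body + off + 2;
        if (ie_len > len - off - 2)
            return -1;                      /* declared length exceeds frame */

        switch (id) {
        case IE_SSID:
            if (ie_len > MAX_SSID_LEN) return -1;
            memcpy(out->ssid, val, ie_len);
            out->ssid_len = ie_len;
            break;
        case IE_SUPPORTED_RATES:
            if (ie_len == 0 || ie_len > MAX_RATES) return -1;
            memcpy(out->rates, val, ie_len);
            out->rate_count = ie_len;
            break;
        case IE_DS_PARAMS:
            if (ie_len != 1) return -1;     /* channel is exactly one byte */
            out->channel = val[0];
            break;
        default:
            break;                          /* unknown IE: skip, length already checked */
        }
        off += 2 + (size_t)ie_len;
    }
    return 0;
}

/* Constructed sample: valid header, SSID "lab1", rates 1/2 Mbps, channel 6. */
static const uint8_t good_frame[] = {
    0, 0, 0, 0, 0, 0, 0, 0,   /* timestamp */
    0x64, 0x00,               /* beacon interval */
    0x01, 0x04,               /* capability info */
    0x00, 0x04, 'l', 'a', 'b', '1',
    0x01, 0x02, 0x82, 0x84,
    0x03, 0x01, 0x06
};

/* Constructed sample: the SSID IE claims 0x40 bytes but only 4 follow.
   A parser that trusts the length field would read far past the frame. */
static const uint8_t bad_frame[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x01, 0x04,
    0x00, 0x40, 'l', 'a', 'b', '1'
};

int sample_good_parses(void)
{
    struct scan_result r;
    return parse_probe_response(good_frame, sizeof good_frame, &r) == 0
        && r.ssid_len == 4 && r.rate_count == 2 && r.channel == 6;
}

int sample_bad_rejected(void)
{
    struct scan_result r;
    return parse_probe_response(bad_frame, sizeof bad_frame, &r) == -1;
}

int main(void)
{
    printf("well-formed frame accepted: %d\n", sample_good_parses());
    printf("malformed frame rejected:   %d\n", sample_bad_rejected());
    return 0;
}
```

The key property is that every length used for a copy is checked against both the bytes remaining in the frame and the size of the destination field before any memory operation happens; a frame like the second sample is rejected at the header check and never reaches a copy.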
In the release at the KernelFun blog, Mr. Moore wrote (links added by TMO), "With all the hype and buzz about the now infamous Apple wireless device driver bugs (brought to attention at Black Hat, by Johnny Cache and David Maynor, covered up and FUDied by others), hopefully this will bring some light (better said, proof) about the existence of such flaws in the Airport device drivers."
He told CNet in an e-mail interview that Apple handled that event poorly, and that he felt his exploit would be a great way to demonstrate just how vulnerable wireless drivers can be. "The vulnerability itself only affects older hardware and is going to be difficult to turn into a remote code execution exploit," he said, "but it is definitely possible, just a matter of time and motivation. The current proof-of-concept triggers a fatal kernel panic and forces the user to power cycle their machine."
Apple said in a statement addressing the exploit, "This issue affects a small percentage of previous generation AirPort-enabled Macs and does not affect currently shipping or AirPort Extreme enabled Macs."