Daring Phucball

Rixstep
	`About \| ACP \| Buy \| Industry Watch \| Learning Curve \| News \| Products \| Search \| Substack`

Home » Industry Watch

HD Moore publishes an Apple exploit. And simultaneously sends a greeting to an old friend.

Get It

Try It

In keeping with his 'month of kernel bugs' campaign, acknowledged security expert HD Moore has published an exploit against Apple wireless drivers. This exploit only works with older cards and is not identical to the exploit created by Jon Ellch and David Maynor.

'The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values', explains more at his Metasploit page.

Moore tested his exploit, given the title 'Apple Airport 802.11 Probe Response Kernel Memory Corruption', on a 1.0 GHz PowerBook running running OS X Tiger 10.4.8 with the latest (Halloween) updates.

The proof of concept exploit is now part of the Metasploit Framework 3.0 source tree.

msf > use auxiliary/dos/wireless/daringphucball

Moore's choice of names for his exploit is hardly happenstance. It relates directly back to an exchange he had with a certain Apple Macintosh demagogue about the Ellch/Maynor exploit.

John, your arrogance and complete naivete in all things security has finally gotten to me.

I saw their Black Hat presentation, I know both of them personally, and I would stake my reputation that neither one of them is blowing smoke when they say they have a working exploit.

The only entities with real information about the Apple driver bug are Johnny, David, SecureWorks, and Apple. This is how it will stay until the patch is released. Johnny published the technical details to reproduce the bugs he personally found. If this doesn't display some level of 'evidence', no amount of bloggery and 'challenges' will.

You could easily convince me that you aren't a moron by flying to Austin (TX) and taking a standard IQ test in front of me. If you don't show up by next week, I will have proved that you indeed are a moron, and will post to my blog to make it seem credible. If you do show up and score 100 or higher, I will pay for your airfare, otherwise you walk home.

Sound fair?

The implications are obvious if you understand the details. If you don't understand what remote code execution at ring-0 means, it's not Johnny's job to educate you (nor mine). It also not Johnny's job to feed you with quotes to post on your blog.

Welcome to the world of vulnerability disclosure, disclosure policies, and corporate politics. Johnny posted enough details to back his claim about the Centrino driver issues (a flaw that probably affects more systems than Apple has actually shipped). The Apple driver bugs will have to wait for public patch release. If you don't like it, tell Apple to fix their code faster.

Gee, if a large company made legal threats against you, and one of the terms of out-of-court settlement was to not comment on it publicly, what would you do? Rise to the challenge of some self-righteous blogger and be sued into oblivion? I don't know whether this is the case, but use some common sense please.