Researcher Publishes Apple Wi-Fi Exploit Details

Duo show how they broke into a MacBook via a wireless driver flaw.

A researcher has published details of how he and a colleague broke into a MacBook via a flaw in its wireless drivers at Black Hat last year.

Errata Security Chief Technology Officer David Maynor published the details in an article in the September issue of Uninformed, an online security research magazine.

The situation got weird between the researchers—Maynor and independent security researcher Jon Ellch—and Apple after the two demonstrated the break-in at Black Hat in August 2006. The duo used an Apple MacBook laptop fitted with a wireless card that was broadcasting its presence to another computer set up as an access point at the security show.

Apple initially denied that the flaw affected its products. It then gave itself credit for finding the bug through an internal audit, altogether dropping from the reporting credits mention of either the researchers or SecureWorks, the company that claimed ownership of the vulnerability details.

28571.gif

Apple is one of the top vendors when it comes to publicly disclosed vulnerabilities. Read more here.

News reports quote Maynor as saying that the reason the exploit details are coming to light at this time is that until now he under a nondisclosure agreement that kept him from revealing the details. He has declined to say who the NDA is with.

As for the paper, Maynor said in the conclusion that it presents merely a quick walk-through of the vulnerability in terms of discovery and exploitation, but thats just one part of an exploit. "To do something useful, an attacker needs kernel-mode shellcode," he said—the subject of a future paper.

The exploit discussed in the paper is just a proof of concept, Maynor said, given that an exploit writer still needs the load address of the kernel module on the target machine.

But this "is a choice, not a restriction," Maynor writes, and weaponizing an exploit is simple.

"This method of gaining execution is well-suited to a proof of concept," he said. "Creation of a weaponized exploit that can execute arbitrary code with no prior knowledge is just as easy. Its just a matter of overwriting different parts of the kernel."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.