Metasploit founder HD Moore has released an exploit for an unpatched vulnerability in the Apple Airport driver that ships with some PowerBook and iMac computers.
The exploit kicks off a new project called Month of Kernel Bugs and follows a heated debate over the existence of 802.11 (Wi-Fi) flaws affecting Apple Computers Mac OS X systems.
In an e-mail exchange with eWEEK, Moore said the exploit is not related to the Wi-Fi driver flaws discovered and discussed in Aug. 2006 by researchers David Maynor and Jon “Johnny Cache” Ellch at the Black Hat Briefings.
“This exploit is one I found over the weekend, using the new 802.11 fuzzer modules in the Metasploit Framework,” Moore said, referring to a new version of the point-and-click hacking tool that will ship with Wi-Fi exploits.
Moores exploit, available here, targets a remote memory corruption flaw that affects the Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks and iMacs).
When the driver is placed into active scanning mode, Moor found, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution.
“This bug is definitely not patched, but it only affects Apple users who have the original Airport cards [the rebranded Orinoco]. I have no idea if this also affects Windows users of the Orinoco hardware,” Moore said. He said the proof-of-concept code can be tweaked by others to find other potential attack vectors.
Moore, who is collaborating with Ellch on Wi-Fi flaw research, named the exploit after Daring Fireball, a Mac blogger who doubted the Black Hat findings and issued a public challenge to Ellch and Maynor. “Normally I wouldnt sink to this level but, damn it, its funny,” Moore said of his taunt to Daring Fireball.
The Month of Kernel Bugs project, the brainchild of a hacker called “L.M.H.,” intends to release information about kernel-level bugs, hacks and tricks throughout the month of November. The idea is to expose tools and procedures useful for testing the strength and quality of kernel code in Mac OS X, FreeBSD, Solaris, GNU/Linux and Windows.
L.M.H., like Moore, is using fuzzers, or fuzz-testing tools, to find kernel-level bugs. Fuzzers are used to send random input to an application, forcing a crash or server error that could highlight the existence of a security flaw.
Metasploits Moore plans to release new fuzzer modules to help security researchers test for Wi-Fi driver flaws.
“I picked up USB Wi-Fi adapters from six different vendors yesterday. It should be a busy week,” Moore said.