Another Minor AirPort Vulnerability Exposed
Mac OS X may be at risk via the original AirPort Card because of an attack methodology published last week as part of the Month of Kernel Bugs. The attack can corrupt some “internal kernel structures,” and causes a kernel panic – a crash. The developer of the attack believes that he may be able to modify this with some effort into a root exploit in which control of the machine could be seized.
The approach as published works only with the AirPort Card, the internal 802.11b Wi-Fi adapter for Macs introduced in 1999, and used in all Mac models introduced until late 2002. Apple stopped selling the AirPort Card some time ago – much to the dismay of people whose adapter died on an otherwise usable computer. All Mac models introduced in 2003 and later sport a slot for AirPort Extreme (802.11g) networking; the AirPort Extreme Card slot is not compatible with the original AirPort Card.
Further, the developer of the attack notes that the exploit works best when a Mac has been placed into active scanning mode, which requires a command-line tool included with Mac OS X or the KisMAC utility. In a brief interview with Brian Krebs of The Washington Post’s Security Fix blog, the exploit developer told Krebs that he found some vectors for breaking Macs with AirPort Cards that were in an idle, non-associated state, but hasn’t produced results he wanted to discuss yet.
The exploit was published as a recipe for reproduction, more or less, so it’s not embedded in a prefabricated application designed simply to crash computers, but it will be incorporated into the open-source Metasploit framework, which is a system to stress-test software and operating systems in an automated fashion using malformed packages of data and other techniques. (At this writing, the developers say it’s part of Metasploit, but I don’t see an item representing it in the list of modules.)
The Month of Kernel Bugs (MoKB) uses a small set of standard tools that stress test operating system kernels by generating massive amounts of arbitrary input – fuzzing – which can be associated with resulting errors on the attacked computer to figure out what input caused which exploitable errors or crashes. The project says they have five more Apple kernel bugs that will appear over the next 30 days. (No additional Apple bugs have appeared as of this writing.)
In a fairly irresponsible move, the MoKB coordinator said there will be no advance notice to the makers of affected systems in any systematic way prior to release of the exploit. Exploits that are released on the day the vulnerability is identified are called “zero-day exploits.” In the security world, this is considered bad form, somewhere between taking a dump in a swimming pool and selling drugs to children. There’s little reason to not provide advance information to affected parties unless you’re trying to be clever, instead of smart.
The justification by the MoKB coordinator, identified only as LMH, is the tired old “Apple doesn’t listen to security flaws and pretends it doesn’t have any” argument. The industry soap opera that began in August, “To the Maynor Born: Cache and Crash,” apparently has led many hobbyist and professional security researchers to decide that Apple systematically denies security flaws when they exist. In the case of that saga, it’s fairly clear that only a handful of people have actually seen what was alleged to have been given to Apple, which means that relying on that case as an example of Apple ignoring security issues or misusing security researchers requires second- or even third-hand knowledge. (Apple told Krebs that they are investigating this latest AirPort flaw, which they learned about “recently.”)
In comments to a post about this on LMH’s Kernel Fun blog, he or she writes, “It’s actually a matter of time to demonstrate that all the pro-Mac paranoia is just plain useless. Apple does good stuff indeed, but they obviously do [make] mistakes as everyone does.” It’s hilarious that anybody credible thinks that vocal Mac zealots represent the interests of the entire Mac community. A more realistic view by an experienced Mac user can be found as the second comment (by Dave Schroeder) on Ryan Russell’s blog entry on this exploit.
May I state for the record as a regular reporter on Macintosh matters that I don’t reflexively believe that Mac OS X is invulnerable? In fact, I have written regularly about flaws that are reported, and about the risk that we face as a community of users that lack immunity. While Apple has built its operating system on a strong foundation, that in no way precludes exploits that use vectors that weren’t considered.
Your high-level takeaway? No Mac model that shipped beginning in 2003 nor older Macs without active scanning enabled are known to be vulnerable. The vulnerability requires a nearby user, too, or one with a high-gain antenna who can reach your computer. I’m guessing Apple patches this relatively quickly for Mac OS X 10.3 and 10.4 users, and that they’ll be working overtime to stay on top of other MoKB announcements.