Almost a year after it was patched by Apple; David Maynor has released a complete paper on his exploitation of Apple’s Wi-Fi drivers to enable full remote code execution. The paper covers the accidental discovery of the vulnerability, details on the debugging and driver analysis, and finally, code execution.
The vulnerability was first unveiled back in August of last year at the Black Hat security conference in Las Vegas. A live demonstration caused a wave of controversy; many people claimed that the exploit was a fake and purely a publicity stunt. Others speculated that the hack would only work on the third-party wireless card used in the demonstration and not on the inbuilt Apple Airport (otherwise why use the third-party adaptor at all?).
Apple didn’t credit Maynor when they patched the flaw almost two months later saying that their own engineers had found the bug during an internal audit.
Maynor has now revealed that he was told to use a third-party Wi-Fi adaptor in his live demonstration as it was deemed “the least offensive to people.” Interestingly, Maynor has reported that he hadn’t published any details on the vulnerability nor its exploit as he was under a nondisclosure agreement. He wouldn’t say who held the NDA, but I don’t think it takes a rocket scientist to work out who the potential candidates are…