MOKB-30-11-2006

Bug details
Title: Apple Airport Extreme Beacon Frame Denial of Service
Description: The Apple Airport Extreme driver fails to handle certain beacon frames, leading to an out-of-bounds memory access and therefore a kernel panic.
Other security implications may exist, although this hasn't been verified and no details can be provided until further research is done. This issue is being coordinated with Apple, and under common agreement it's been decided to keep the details private until a fix has been made available to end-users.
Author/Contributor: NA<NA[at] info-pull.com> - discovery (6-Nov-2006), reported to Apple (25-Nov-2006, #4849XXX).
Proof of concept or exploit: A proof of concept module for the Metasploit framework may be provided after an official patch and announcement is released by Apple.
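The description above reports that the driver mishandles certain beacon frames and reads out of bounds. The following is an added example, not Apple's driver code and not the advisory author's; it shows the kind of length validation a beacon information-element (IE) walker needs so that a malformed or truncated element is refused before any byte past the buffer is touched. The frame layout constants, the function name parse_beacon and the two sample frames are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout assumed here (IEEE 802.11 beacon): a 24-byte management header,
 * a 12-byte fixed part (timestamp, beacon interval, capability info),
 * then a run of tagged information elements, each <id, length, body>. */
#define MGMT_HDR_LEN     24
#define BEACON_FIXED_LEN 12
#define IE_SSID          0
#define IE_SUPP_RATES    1
#define MAX_SSID_LEN     32

struct beacon_info {
    char    ssid[MAX_SSID_LEN + 1];
    uint8_t rates[16];
    size_t  n_rates;
    int     ie_count;
};

/* Walks the IE list. Returns 0 on success and -1 if the frame is shorter
 * than its fixed part, an IE has no length byte, or an IE's declared length
 * runs past 'len'. Each check happens before the bytes are touched, so a
 * malformed frame is refused instead of being read out of bounds. */
int parse_beacon(const uint8_t *frame, size_t len, struct beacon_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < MGMT_HDR_LEN + BEACON_FIXED_LEN)
        return -1;

    size_t pos = MGMT_HDR_LEN + BEACON_FIXED_LEN;
    while (pos < len) {
        if (len - pos < 2)
            return -1;                      /* tag byte with no length byte */
        uint8_t id   = frame[pos];
        uint8_t ilen = frame[pos + 1];
        if (ilen > len - pos - 2)
            return -1;                      /* body would cross the end of the buffer */
        const uint8_t *body = frame + pos + 2;

        switch (id) {
        case IE_SSID:
            if (ilen > MAX_SSID_LEN)
                return -1;                  /* larger than the element's fixed limit */
            memcpy(out->ssid, body, ilen);
            out->ssid[ilen] = '\0';
            break;
        case IE_SUPP_RATES:
            if (ilen > sizeof out->rates)
                return -1;
            memcpy(out->rates, body, ilen);
            out->n_rates = ilen;
            break;
        default:
            break;                          /* unknown element: skipped, never copied */
        }
        out->ie_count++;
        pos += 2 + (size_t)ilen;
    }
    return 0;
}

/* Constructed sample frames (not captures): header, fixed part, SSID "MOKB",
 * then a supported-rates element. In the second frame the rates element
 * claims 16 bytes of body but only 2 remain in the buffer. */
#define SAMPLE_PREFIX \
    0x80,0x00, 0x00,0x00, \
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, \
    0x02,0x00,0x00,0x00,0x00,0x01, 0x00,0x00, \
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x00, \
    0x00,0x04,'M','O','K','B'

const uint8_t good_frame[]      = { SAMPLE_PREFIX, 0x01,0x02,0x82,0x84 };
const uint8_t truncated_frame[] = { SAMPLE_PREFIX, 0x01,0x10,0x82,0x84 };

int main(void)
{
    struct beacon_info bi;
    int rc = parse_beacon(good_frame, sizeof good_frame, &bi);
    printf("good frame: rc=%d ssid=%s ies=%d rates=%zu\n",
           rc, bi.ssid, bi.ie_count, bi.n_rates);
    rc = parse_beacon(truncated_frame, sizeof truncated_frame, &bi);
    printf("truncated frame: rc=%d (rejected before any out-of-bounds read)\n", rc);
    return 0;
}
```

The point of the check order is that the length byte is compared against the remaining buffer before the body pointer is ever used; a driver that trusts the declared length and copies or indexes past the end of the received frame is exactly the pattern that turns an over-the-air frame into a page fault like the one in the debugging information.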
Debugging information:

This issue has been verified on a MacBook (2 GHz Intel Core Duo) running Mac OS X 10.4.8 (8L2127) with Apple Airport Extreme firmware version 0.1.27.

Mon Nov  6 17:42:53 2006
panic(cpu 0 caller 0x001A3135): Unresolved kernel trap (CPU 0, Type 14=page fault), registers:
CR0: 0x8001003b, CR2: 0x25a4b000, CR3: 0x00d5b000, CR4: 0x000006e0
EAX: 0x25a4b000, EBX: 0x25a4afff, ECX: 0x028904cc, EDX: 0x25a4b000
CR2: 0x25a4b000, EBP: 0x13fe3cd8, ESI: 0x00000080, EDI: 0x25a4b000
EFL: 0x00010202, EIP: 0x00920f5d, CS:  0x00000008, DS:  0x02b60010

Backtrace, Format - Frame : Return Address (4 potential args on stack)
0x13fe39d8 : 0x128d1f (0x3c9540 0x13fe39fc 0x131df4 0x0)
0x13fe3a18 : 0x1a3135 (0x3cf1f4 0x0 0xe 0x3cea24)
0x13fe3b28 : 0x19a8d4 (0x13fe3b38 0x69fe 0xe 0x30e0048)
0x13fe3cd8 : 0x934dbd (0x28904cc 0x25a46800 0x2c7c404 0x80)
0x13fe3d28 : 0x925b65 (0x28904cc 0x25a46800 0x2c7c404 0x80)
0x13fe3e18 : 0x935a4e (0x28904cc 0x25a46800 0x2c7c404 0x31)
0x13fe3f08 : 0x398a1f (0x28902fc 0x2a14500 0x1 0x27193b4)
0x13fe3f58 : 0x397bf1 (0x2a14500 0x135ec3 0x0 0x27193b4)
0x13fe3f88 : 0x397927 (0x2a208c0 0x2a208c0 0x450 0x1203)
0x13fe3fc8 : 0x19a74c (0x2a208c0 0x0 0x19a75b 0x25b7e88) Backtrace terminated-invalid frame pointer 0x0
      Kernel loadable modules in backtrace (with dependencies):
         com.apple.driver.AirPortAtheros5424(106.1)@0x912000
            dependency: com.apple.iokit.IONetworkingFamily(1.5.1)@0x69c000
            dependency: com.apple.iokit.IOPCIFamily(2.1)@0x57f000
            dependency: com.apple.iokit.IO80211Family(140.4)@0x8f6000

Kernel version:
Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386
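Reading the panic log: the faulting EIP (0x00920f5d) and the first three return addresses in the backtrace lie above the AirPortAtheros5424 load address (0x912000), while the later frames lie below every listed kext and therefore belong to the kernel proper. As an added example that is not part of the report, the C program below parses backtrace lines in the log's own format and attributes each return address to a module by load address. The mach_kernel entry at base 0 and the "highest base not above the address" rule are assumptions made here, because the log gives load addresses but no module sizes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct kmod { const char *name; uint32_t base; };

/* Load addresses copied from the "Kernel loadable modules in backtrace"
 * section of the report. The base kernel has no entry there, so it is
 * given base 0 by assumption: any address below the lowest kext is
 * attributed to it. */
static const struct kmod mods[] = {
    { "mach_kernel (assumed)",                      0x000000 },
    { "com.apple.iokit.IOPCIFamily(2.1)",           0x57f000 },
    { "com.apple.iokit.IONetworkingFamily(1.5.1)",  0x69c000 },
    { "com.apple.iokit.IO80211Family(140.4)",       0x8f6000 },
    { "com.apple.driver.AirPortAtheros5424(106.1)", 0x912000 },
};
#define NMODS (sizeof mods / sizeof mods[0])

/* Attribute an address to the module with the highest base at or below it.
 * The log gives no module sizes, so this is a heuristic: an address just
 * past the end of one kext would be mis-attributed to that kext. */
const struct kmod *resolve(uint32_t addr, uint32_t *offset)
{
    const struct kmod *best = NULL;
    for (size_t i = 0; i < NMODS; i++)
        if (mods[i].base <= addr && (!best || mods[i].base > best->base))
            best = &mods[i];
    if (best)
        *offset = addr - best->base;
    return best;
}

/* Parse one "frame : return (args...)" backtrace line. Returns 1 on
 * success, 0 if the line is not in that format. */
int parse_backtrace_line(const char *line, uint32_t *frame, uint32_t *ret)
{
    unsigned f, r;
    if (sscanf(line, " %x : %x", &f, &r) != 2)
        return 0;
    *frame = f;
    *ret = r;
    return 1;
}

/* Lines copied from the report's backtrace. */
static const char *backtrace[] = {
    "0x13fe3cd8 : 0x934dbd (0x28904cc 0x25a46800 0x2c7c404 0x80)",
    "0x13fe3d28 : 0x925b65 (0x28904cc 0x25a46800 0x2c7c404 0x80)",
    "0x13fe3e18 : 0x935a4e (0x28904cc 0x25a46800 0x2c7c404 0x31)",
    "0x13fe3f08 : 0x398a1f (0x28902fc 0x2a14500 0x1 0x27193b4)",
};

int main(void)
{
    uint32_t off;
    const struct kmod *m = resolve(0x00920f5d, &off);   /* EIP from the panic */
    printf("EIP 0x00920f5d -> %s + 0x%x\n", m->name, off);
    for (size_t i = 0; i < sizeof backtrace / sizeof backtrace[0]; i++) {
        uint32_t frame, ret;
        if (!parse_backtrace_line(backtrace[i], &frame, &ret))
            continue;
        m = resolve(ret, &off);
        printf("frame 0x%08x ret 0x%08x -> %s + 0x%x\n", frame, ret, m->name, off);
    }
    return 0;
}
```

Offsets such as AirPortAtheros5424 + 0xef5d are what one would hand to a disassembler against the matching kext binary; the registers in the log (EAX, EDX and EDI all equal to CR2, EBX one less than it, ESI = 0x80) are consistent with a loop walking a buffer and stepping past its end, which is the out-of-bounds access the description names.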