AirPort Update 2006-001 / Security Update 2006-005

2006-09-21T00:00:00
ID MACOSX_AIRPORT_2006-001.NASL
Type nessus
Reporter Tenable
Modified 2018-07-14T00:00:00

Description

The remote host is missing a security update regarding the drivers of the AirPort wireless card.

An attacker in the proximity of the target host may exploit this flaw by sending malformed 802.11 frames to the remote host and cause a stack overflow resulting in a crash or arbitrary code execution.

                                        
                                            #TRUSTED 6d425222beca4d06a7ecdf79e35276c43729c5e1188262494d6d39de0a41de2f5b4af1f0fd10839269f8872cbd3dd3815f39d767f8c9631a81a3b34c0d981bc0f6174a5d52aa4caed3da0af6e807c645e7f669fd0f35a0ef2633d15c617fd335e456a9aa8fe7dd85c0a0a3dd4d1735df4f7fac7698b96128d72a7f8e37c71a62ac0f9a6cac914a70e3c311af082562fb9602d9a7223323fb599727aeda8ebc8610b6183cbd7256109cdd18c74fe3b3e9ab05b017656ab52a1de90d17469d3c26995809490d904d51fca330959f66ca1b888759075884207f9d135f2e34374af763c58ee04f04e364055896b48baca82eb23db9407e7444ade186cf0fa4b4cda878f17b57df6ead0b228014226f472a8b071484072fcfc7173fd73271b4d14b67933cbba34f1b45b03b6f1957e6696bead9612ff46394c3d87acc0512541b45f9a079ff46b80903c8870ba3c12af18b3adf377a832f1b0cffa5ac61099553a71a3d52f8f5219bf142377cedbf40a6a76b89827b1f711668ea8fd5f3bf291ae944b6a500f3c6c20a938cc9b694d9f9df6277a202aa58cd1d1dac4c9783ca38900590ac370ed4349c48bd58bb06b330d135c9c56600ac44724edaa7a5bac0221796802bba326e63d599badabb6d7488d613776edd3a285bd68c4b875176de2086aa0b7607818eb92a02b3802c0603c8812e8ee27168e7c7115d04910405ae7d5a4a
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

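# Registration pass: when the engine sets `description`, only the plugin
# metadata below is recorded and the script exits (exit(0) at the end of the
# block) before any of the checks further down run.
if (description)
{
 script_id(22418);
 script_version("1.24");
 script_set_attribute(attribute:"plugin_modification_date", value: "2018/07/14");

 # Advisories this check maps to.
 script_cve_id("CVE-2006-3507", "CVE-2006-3508", "CVE-2006-3509");
 script_bugtraq_id(20144);

 script_name(english:"AirPort Update 2006-001 / Security Update 2006-005");
 script_summary(english:"Checks for the version of the Airport drivers");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the AirPort
Wireless card.");
 # Wording fix: the impact is a crash *or* arbitrary code execution.
 script_set_attribute(attribute:"description", value:
"The remote host is missing a security update regarding the drivers of
the AirPort wireless card.

An attacker in the proximity of the target host may exploit this flaw
by sending malformed 802.11 frames to the remote host and cause a
stack overflow resulting in a crash or arbitrary code execution.");
 script_set_attribute(attribute:"solution", value:
"Apple has released a patch for this issue :

http://docs.info.apple.com/article.html?artnum=304420");
 # NOTE(review): the base vector encodes AV:L (local access), while the
 # description talks about an attacker within radio range sending 802.11
 # frames. CVSS v2 also defines AV:A (adjacent network); confirm the vector
 # against the published scoring before relying on it for prioritisation.
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/19");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/09/19");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/21");

 # "local" = the check inspects the host itself (here via shell commands)
 # rather than probing a network service.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 # Runs after ssh_get_info.nasl and only when the Mac OS X package KB key is
 # present; without it the plugin is not scheduled, so no finding does not
 # imply a patched host.
 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}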

include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");


# Select the SSH code path once, up front: the wrapper layer is enabled only
# when the SSH library reports at least command-execution support, and is
# explicitly disabled otherwise.
if ( sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS )
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

# Report the finding and stop the plugin.
# The result is filed against port 0, then the SSH session is closed for
# remote targets before exiting. This function never returns to its caller.
function vulnerable()
{
 security_hole( port : 0 );

 # Local scans never opened an SSH session, so there is nothing to close.
 if ( islocalhost() ) exit(0);

 ssh_close_connection();
 exit(0);
}

# Run one shell command on the target and return its output.
# The command line is the first anonymous argument. On localhost it is run
# through `/bin/bash -c`; otherwise an SSH session is opened for this single
# command and closed again. If the SSH session cannot be opened the whole
# plugin exits silently (exit(0)), i.e. without reporting anything.
#
# The string is handed to a shell verbatim. Every caller in this file passes
# a fixed string or the result of GetBundleVersionCmd(); keep it that way and
# never build the argument from KB or host-supplied data without quoting.
function cmd()
{
 local_var command, output;

 command = _FCT_ANON_ARGS[0];

 if ( ! islocalhost() )
 {
  if ( ! ssh_open_connection() ) exit(0);
  output = ssh_cmd(cmd:command);
  ssh_close_connection();
  return output;
 }

 return pread(cmd:"/bin/bash", argv:make_list("bash", "-c", command));
}


# Kernel-version gate, based on the uname string stored in the KB.
uname = get_kb_item("Host/uname");

# Not a Darwin kernel: this check does not apply.
if ( "Darwin" >!< uname )
{
  exit(0);
}

#
# Mac OS X < 10.4.7 is affected  (kernel "Version 8.0" - "8.6")
# Mac OS X < 10.3.9 is affected  (kernel "Version 7.0" - "7.8")
#
# NOTE(review): these releases are reported from the kernel version alone.
# The AirPort-card presence test only happens further down, so a host on one
# of these releases is flagged whether or not it has a wireless card.
if ( uname =~ "Version 8\.[0-6]\." || uname =~ "Version 7\.[0-8]\." )
{
  vulnerable();
}



# Command strings are prepared first and executed afterwards through cmd().
# The two GetBundleVersionCmd() results are handed to cmd() later to read the
# version of the Atheros and Broadcom driver bundles.
plugins_dir = "/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/";

get_build   = "system_profiler SPSoftwareDataType";
has_airport = "system_profiler SPAirPortDataType";
atheros     = GetBundleVersionCmd(file:"AirPortAtheros5424.kext", path:plugins_dir);
broadcom    = GetBundleVersionCmd(file:"AppleAirPortBrcm4311.kext", path:plugins_dir);

# OS build information and AirPort hardware report from the target.
build   = cmd(get_build);
airport = cmd(has_airport);

# No AirPort card reported by system_profiler: nothing to check.
if ( "Wireless Card Type: AirPort" >!< airport )
{
  exit(0);
}

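#
# AirPort Update 2006-001
#	-> Mac OS X 10.4.7 Build 8J2135 and 8J2135a
#
# The comparisons below treat Atheros driver 1.0.x with x < 5 and Broadcom
# driver 1.0.x with x < 4 as unpatched.
# NOTE(review): a version string with fewer than three dot-separated parts
# leaves v[2] unset; presumably int() of that is 0, which would be reported
# as vulnerable. Confirm against real bundle version output.
#
if ( egrep(pattern:"System Version: Mac OS X 10\.4\.7 \(8J2135a?", string:build) )
{
 atheros_version = cmd(atheros);
 broadcom_version = cmd(broadcom);

 if ( atheros_version =~ "^1\." )
 {
  v = split(atheros_version, sep:'.', keep:FALSE);
  if ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 5 ) vulnerable();
 }

 # Fix: match on the version returned by the target (broadcom_version).
 # The original tested `broadcom`, which holds the command string, so the
 # Broadcom driver was never evaluated and an unpatched one went unreported.
 if ( broadcom_version =~ "^1\." )
 {
  v = split(broadcom_version, sep:'.', keep:FALSE);
  if ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 4 ) vulnerable();
 }
}
#
# Mac OS X Security Update 2006-005 (Tiger)
#	-> Mac OS X 10.4.7 build 8J135
#	-> Mac OS X 10.3.9 build 7W98
#
# The 10.3.9 pattern does not pin a build number, so any 10.3.9 build takes
# this branch.
#
else if ( egrep(pattern:"System Version: Mac OS X 10\.4\.7 \(8J135", string:build) ||
          egrep(pattern:"System Version: Mac OS X 10\.3\.9 ", string:build) )
{
 # Fix: use a distinct variable name so it cannot be confused with the
 # cmd() helper function.
 airport2_cmd = GetBundleVersionCmd(file:"/AppleAirPort2.kext", path:"/System/Library/Extensions");
 airport_version = cmd(airport2_cmd);

 # Fix: the original pattern was "^4\. " (a literal space after the dot),
 # which a dotted version such as 4.0.x can never match, and the split
 # operated on atheros_version, which is not set in this branch. Both made
 # this branch unable to report a vulnerable AppleAirPort2 driver.
 if ( airport_version =~ "^4\." )
 {
  v = split(airport_version, sep:'.', keep:FALSE);
  if ( int(v[0]) == 4 && int(v[1]) == 0 && int(v[2]) < 5 ) vulnerable();
 }
}


# Nothing was reported. cmd() already closes its SSH session after each
# command, so this final close looks like a safety net for remote targets.
if ( ! islocalhost() ) ssh_close_connection();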