Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2023 Tenable Network Security, Inc.MACOSX_AIRPORT_2006-001.NASL
HistorySep 21, 2006 - 12:00 a.m.

AirPort Update 2006-001 / Security Update 2006-005

2006-09-2100:00:00
This script is Copyright (C) 2006-2023 Tenable Network Security, Inc.
www.tenable.com
12

7.6 High

AI Score

Confidence

Low

JSON

The remote host is missing a security update regarding the drivers of the AirPort wireless card.

An attacker in the proximity of the target host may exploit this flaw by sending malformed 802.11 frames to the remote host and cause a stack overflow resulting in a crash of arbitrary code execution.

#TRUSTED b22c00c6987d569d773062eb00f7890a9e910b03dae180e798987d4ce17f8f75a8c97fd177e8a274af0ff3d21084822f24338760812f923ff77b39d1c7ffdbcf7a6dbe0de1da55f171141daa2da844a284565a11cbb51679797aee87b8f93c522143ca7ad4f8cece6e653f932045863183d8e447a814ea53cd3c7dd4ee57d21c44bbcfa7eaa5a9204f2d4a6779e63b063b1196994a225feec172b7eda95155d0493ab97c6da29405f1126f47b995bb0ff51890b8e9a9affc4b6ec9690d55187dc9a9fa64c4de8331a3b118b5629e61d5090a2715f06796e0ca669f1a82d108dc5ee66bfa5fe63a5a6b71b133c90f2ef79423ce38c543c488289ea800b65b11a076095d2984859cfd25a0b4c88c3e425a3593ab8fd73aa6810869d98aa19fe44ec762e6c93849a5d8d41bbb0396acf8de34cd736d9541a9acfcb8b0bde2696b98866bb2181ef30f194052e2ce1f8d09fde7c409ebed66fa0c30d170eaeccf26892416c18f218f6c791035f7d12d9ac8e24f642409b6e75e3b9a3f7080bd58db56a422484384cfb2c6205778ea728d4a3f6b81953e1d5bad97a1efa4a51a37535791879bcdb1738586c36f8098f8fbdc1ff02581300c0106d1dd9770c2a40bb5f656e5070c465089d370c5b2c6f7233dce7f46f2b742aa074a483a553cf281c5c75764f7ffbb70d57198c9084b14baccb22b8cfc68a152dd0383f2b118a8252a76
#TRUST-RSA-SHA256 a1a1ef7d6c62b2425522a25050910052c0ad971ac245b014e4cc85ecbd31b93ef29a8d64f014320a19f5e700f27ff7b69674e31fddfdb4ecdd362a7496c105d70d20d44fd79824f2b0181ee0458f6bf17e294e61636918f86e5da047a0589c1c70ee0e60fd091198681cb75c43bc681f9e4b7ece3c1e4464f94f18d7138bac90ce9503b11805e8b1a09215d62c0211e59bfa62f1acb886fffe116fc66b830a6aa9f1045a22cfbba57cdd77741f8d46360a6047ceca61524a6aeda4ce42a79e4ec26f2f0f8648acfdace1733d4317eaa6490f5db5acde9fb5ed342d6432a86a2d4e98f34ed3bbdf1e1662925433280b42f25e707d79af104139838a5e5e5c478d577f80f97e7bea439e5a0235072f335926c0e74b87e4f093263affe5e2d55425713329211df9a2dc23afaf733b6c14e4d95aa5052e48535d372965df9ca8a994ad8805e2ec4a33f33ee72d7261ed0e962e1a3da91c5bd44bc633775e62b15d81db7b8038a46bed00a70fea16e064d4db4eeb3f9bd3c5424e6c98405a6485de5ca638c263ee3d74b0da3f41cd717f5021308320aaa758ab0941d51fdf52f822ede0ce3bd44b1528c293b099a4950675140a12d00d62cf701776bd56eeec947ff093d005ee3cc8bdc1ca59596bf9e211b2926b20d6974a872c1d8c7bdea34a4c453b354d61fb9ef43c330d1af97a219221c118bc7b6bbaaf20ea7e0fe79c5070fb
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(22418);
 script_version("1.28");
 script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

 script_cve_id("CVE-2006-3507", "CVE-2006-3508", "CVE-2006-3509");
 script_bugtraq_id(20144);

 script_name(english:"AirPort Update 2006-001 / Security Update 2006-005");
 script_summary(english:"Checks for the version of the Airport drivers");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host through the AirPort
Wireless card.");
 script_set_attribute(attribute:"description", value:
"The remote host is missing a security update regarding the drivers of
the AirPort wireless card.

An attacker in the proximity of the target host may exploit this flaw
by sending malformed 802.11 frames to the remote host and cause a
stack overflow resulting in a crash of arbitrary code execution.");
 script_set_attribute(attribute:"solution", value:
"Apple has released a patch for this issue :

http://docs.info.apple.com/article.html?artnum=304420");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2006-3509");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2006/09/19");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/09/19");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/21");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2023 Tenable Network Security, Inc.");
 script_family(english:"MacOS X Local Security Checks");

 script_dependencies("ssh_get_info.nasl");
 script_require_keys("Host/MacOSX/packages");
 exit(0);
}

include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");


enable_ssh_wrappers();

function vulnerable()
{
 security_hole( port : 0 );
 if ( ! islocalhost() ) ssh_close_connection();
 exit(0);
}

function cmd()
{
 local_var buf;
 local_var ret;

 if ( islocalhost() )
	return pread_wrapper(cmd:"/bin/bash", argv:make_list("bash", "-c", _FCT_ANON_ARGS[0]));

 ret = ssh_open_connection();
 if ( ! ret ) exit(0);
 buf = ssh_cmd(cmd:_FCT_ANON_ARGS[0]);
 ssh_close_connection();
 return buf;
}


uname = get_kb_item("Host/uname");
if ( "Darwin" >!< uname ) exit(0);


#
# Mac OS X < 10.4.7 is affected
#
if ( uname =~ "Version 8\.[0-6]\." ) vulnerable();

#
# Mac OS X < 10.3.9 is affected
#
if ( uname =~ "Version 7\.[0-8]\." ) vulnerable();



get_build   = "system_profiler SPSoftwareDataType";
has_airport = "system_profiler SPAirPortDataType";
atheros  = GetBundleVersionCmd(file:"AirPortAtheros5424.kext", path:"/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/");
broadcom = GetBundleVersionCmd(file:"AppleAirPortBrcm4311.kext", path:"/System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/");



build = cmd(get_build);
airport = cmd(has_airport);
if ( "Wireless Card Type: AirPort" >!< airport ) exit(0);  # No airport card installed

#
# AirPort Update 2006-001
#	-> Mac OS X 10.4.7 Build 8J2135 and 8J2135a
#
if ( egrep(pattern:"System Version: Mac OS X 10\.4\.7 \(8J2135a?", string:build) )
{
 atheros_version = cmd(atheros);
 broadcom_version = cmd(broadcom);
 if ( atheros_version =~ "^1\." )
	{
	 v = split(atheros_version, sep:'.', keep:FALSE);
	 if ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 5 ) vulnerable();
	}
 if ( broadcom =~ "^1\." )
	{
	 v = split(broadcom_version, sep:'.', keep:FALSE);
	 if ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 4 ) vulnerable();
	}
}
#
# Mac OS X Security Update 2006-005 (Tiger)
#	-> Mac OS X 10.4.7 build 8J135
#	-> Mac OS X 10.3.9 build 7W98
#
else if ( egrep(pattern:"System Version: Mac OS X 10\.4\.7 \(8J135", string:build) ||
          egrep(pattern:"System Version: Mac OS X 10\.3\.9 ", string:build) )
{
  cmd = GetBundleVersionCmd(file:"/AppleAirPort2.kext", path:"/System/Library/Extensions");
  airport_version = cmd(cmd);
  if ( airport_version =~ "^4\. " )
  {
	 v = split(atheros_version, sep:'.', keep:FALSE);
	 if ( int(v[0]) == 4 && int(v[1]) == 0 && int(v[2]) < 5 ) vulnerable();
  }
}


if ( ! islocalhost() ) ssh_close_connection();

Related

securityvulns 1
cve 3
cert 3
securityvulns
securityvulns
About the security content of AirPort Update 2006-001 and Security Update 2006-005
2006-09-22 00:00:00
cve
cve
CVE-2006-3507
2006-09-21 21:07:00
CVE-2006-3508
2006-09-21 21:07:00
CVE-2006-3509
2006-09-21 21:07:00
cert
cert
Apple AirPort wireless vulnerable to buffer overflow
2006-09-22 00:00:00
Apple AirPort wireless drivers fails to properly handle scan cache updates
2006-09-22 00:00:00
Apple AirPort wireless drivers vulnerable to integer overflow
2006-09-22 00:00:00

7.6 High

AI Score

Confidence

Low

JSON
Related for MACOSX_AIRPORT_2006-001.NASL
securityvulns1cve3cert3