David Maynor finally backs up his ‘Apple Wireless Hack’

Almost a year ago, I wrote a post talking about these guys that ‘found a hack that compromises any Mac using a wireless connection’. Of course, this was with a lot of skepticism, since they had no way to actually prove it, except for a video of them using a MacBook and some third-party wireless card. He touted that he was able to get ‘kernel access’ with this hack, and exploit any Mac around.

Well, after being under an NDA for a year (which, of course, we don't know who with), he has published a paper on how he did this hack. It actually goes into a bit of detail, so I have not really read all that deep into it yet. Basically what they did is send the wireless card randomly generated metadata. If that metadata was too large, the Mac would kernel panic (makes total sense). What they found out, though, is that if they sent the right packet to the wireless card, the machine would not crash right away. It looks like, after debugging how and what packets were sent, one of these could be overflowed, and the remaining packets could contain code. This code could even contain binary data to create a new root account, etc.
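
The bug class described above comes down to a driver trusting a length field carried in frame metadata. As an added example (not code from the paper or from Apple's driver), here is a constructed 802.11 information-element parser in C that performs the two bounds checks an unchecked driver lacks; `extract_ssid`, `demo_oversized` and the sample frame bytes are my own.

```c
#include <stdint.h>
#include <string.h>

#define SSID_MAX 32   /* 802.11 SSID limit; size of the driver's fixed buffer */
#define IE_SSID  0    /* element ID of the SSID information element */

struct ssid_out {
    uint8_t len;
    uint8_t ssid[SSID_MAX];
};

/* Walk the tagged elements (ID, length, value) in a management-frame body
 * and copy out the SSID. Returns 0 on success, -1 if a declared length runs
 * past the end of the frame, -2 if the SSID is longer than the buffer (the
 * case an unchecked memcpy would turn into a kernel overflow), -3 if absent. */
int extract_ssid(const uint8_t *body, size_t body_len, struct ssid_out *out)
{
    size_t pos = 0;
    while (pos + 2 <= body_len) {
        uint8_t tag = body[pos], len = body[pos + 1];
        if (len > body_len - pos - 2)      /* length vs. remaining frame bytes */
            return -1;
        if (tag == IE_SSID) {
            if (len > SSID_MAX)            /* length vs. destination buffer */
                return -2;
            memcpy(out->ssid, body + pos + 2, len);
            out->len = len;
            return 0;
        }
        pos += 2 + (size_t)len;
    }
    return -3;
}

/* Constructed sample frame bodies, not captured traffic. */
const uint8_t good_frame[] = { 0x00, 0x04, 'h', 'o', 'm', 'e',   /* SSID "home" */
                               0x01, 0x01, 0x82 };               /* one supported rate */
const uint8_t truncated_frame[] = { 0x00, 0xFF, 'a', 'b', 'c', 'd' }; /* claims 255 bytes */

/* An SSID element declaring 40 bytes: well-formed, but too big for the buffer. */
int demo_oversized(void)
{
    uint8_t frame[2 + 40];
    struct ssid_out out;
    frame[0] = IE_SSID;
    frame[1] = 40;
    memset(frame + 2, 'A', 40);
    return extract_ssid(frame, sizeof frame, &out);
}
```

Both rejections happen before any byte is copied, which is the whole difference between a dropped frame and a panic or code execution in the driver.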

This is a really in-depth and technical read, but some people may really like it. Supposedly this bug was fixed in 10.4.7, since it was found by Apple engineers as well. Hopefully someone finds it useful!

