lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <C6430B74-1E3A-4FCC-845C-91735978D456@attilla.nl>
Date: Wed, 29 Dec 2010 19:38:53 +0100
From: Attilla de Groot <attilla@...illa.nl>
To: bugtraq@...urityfocus.com
Subject: OS X 10.6.5 kernel crash upon wlan roaming with disabled mandatory MCS

During the buildup at the CCC 27c3 congress in Berlin we noticed several Apple Macbooks kernel paniced while connected to the wireless network. We identified the cause of this issue and we are able to reproduce this as well.

It seems to be limited to the aluminum unibody Macbooks, running OS X 10.6.5 with the following Broadcom wireless chip:

 Card Type:            AirPort Extreme  (0x14E4, 0x8D)
 Firmware Version:     Broadcom BCM43xx 1.0 (5.10.131.36.1)

The problem occurs when 802.11n MCS0 (Modulation and coding scheme) is disabled on a Cisco Wireless Controller. This scheme is mandatory according to the IEEE standard (802.11n-2009, page 265). Deselecting this MCS is available through the web interface (both WCS and WLC) and the console without a notification about the fact that it is mandatory:

 (Cisco Controller) >config 802.11a disable network
 Disabling the 802.11a network may strand mesh APs. Are you sure you want to continue? (y/n)y
 (Cisco Controller) >
 (Cisco Controller) >config 802.11a 11nSupport mcs tx 0 disable
 (Cisco Controller) >config 802.11a enable network

When this option is configured and an affected Mac OSX client roams from one Cisco AP to the other, the kernel panics. This is easily reproducible by just walking to another room in the congress center.

Thanks for helping identifying the issue:
Willem Hengeveld <itsme at xs4all dot nl>
Hartmut Schroeder <hacko at hacko dot org>


Best regards,
Attilla de Groot


Relevant files:
WCS config:                    http://www.attilla.nl/osx_crash/80211n_config_wcs.png
Multiple NOC macbooks crash:   http://www.attilla.nl/osx_crash/4macbooks.jpg
Normal association response:   http://www.attilla.nl/osx_crash/association_response_normal.pcap
Response when MCS disabled:    http://www.attilla.nl/osx_crash/association_response_crash.pcap
OSX kernel panic:              http://www.attilla.nl/osx_crash/kernel_panic.txt
OSX kernel panic reproduced:   http://www.attilla.nl/osx_crash/kernel_panic_reproduced.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ