From 3ad0d1a883413fcd5dbecede4f5b6338bc3a150b Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef Date: Mon, 1 Mar 2021 08:07:38 +0400 Subject: [PATCH] fragattacks: updated README for 1.3.1 release --- research/README.md | 63 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 47 insertions(+), 16 deletions(-) diff --git a/research/README.md b/research/README.md index 273df3fad..cfaae40bf 100644 --- a/research/README.md +++ b/research/README.md @@ -11,9 +11,11 @@ Older WPA networks by default use TKIP for encryption, and the applicability of this cipher are discussed in the paper. To illustrate that Wi-Fi has been vulnerable since its creation, the paper also briefly discusses the applicability of the attacks against WEP. + ## 1.1. Paper Clarifications -- [This overview](attacks.pdf) contains a summary of attacks and their preconditions. +- [This attack overview](attacks.pdf) contains a summary of attacks and their preconditions. It also contains + extra examples on how an adversary might abuse packet injection vulnerabilities in practice. - [These slides](amsduattack.pdf) clarify how the aggregation/A-MSDU attack (CVE-2020-24588) works in practice. Performing this attack requires tricking the victim into connecting to a server of the adversary. This can be as simple @@ -22,7 +24,7 @@ the paper also briefly discusses the applicability of the attacks against WEP. ## 1.2. Embargo notes -- This document refers to sections in **draft version 2 of the paper** "Fragment and Forge: Breaking Wi-Fi +- This document refers to sections in **draft version 3 of the paper** "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation". This paper can be found in the root directory of this repository. - For each implementation flaw we list a reference CVE identifier. There's currently an ongoing discussion @@ -30,6 +32,24 @@ the paper also briefly discusses the applicability of the attacks against WEP. ## 1.3. Change log +**Version 1.3.1 (1 March 2021)**: + +- Added the test [`ping BP [--bcast-dst]`](#id-extended-bcast-check-ping-bp) to this README. It injects a plaintext ping + while connecting (i.e. during the 4-way handshake). Both clients and APs can be vulnerable to this attack. + +- Updated the [attack overview](#id-paper-clarifications) with new examples on how packet injection vulnerabilities + can be abused in practice. This includes techniques to trick IPv4-only clients into using a malicious DNS server + and techniques to directly communicate with devices behind a NAT/firewall (to e.g. exploit local services). + +- Clarified that [broadcast fragment tests](#id-extended-bcast-check) can be performed against both clients and APs. + +- The test tool will now check whether the expected version of the Python Scapy library has been loaded. + +- Fixed some references to the paper in this README (now properly references sections 6.4, 6.6, and 6.8). + +- Updated to draft version 3 of the paper. There are no major changes compared to draft version 2, only minor textual + and structural tweaks. Content-wise this is now the final version of the paper. + **Version 1.3 (20 January 2021)**: - This version is based on hostap commit `a337c1d7c` ("New TWT operations and attributes to TWT Setup and Nudge"). @@ -487,11 +507,11 @@ In our experiments, this test only failed against Linux and against devices that The following two tests send broadcast frames, which are not automatically retransmitted, and it is therefore recommended to **execute them several times**. This is because background noise may prevent the tested devices -from receiving the injected broadcast frame: +from receiving the injected broadcast frame. In my experiments, mainly clients were affected (out of the tested +APs only Free/NetBSD ones were affected). - `ping I,D,P --bcast-ra`: Send a unicast ping in a plaintext broadcasted 2nd fragment once connected. The result - of this variant of the attack is checked automatically by the test tool. In my experiments mainly clients were - affected. + of this variant of the attack is checked automatically by the test tool. - `ping D,BP --bcast-ra`: Here the above frame is sent while connecting to the network (i.e. during the 4-way handshake). This is important because several clients and APs are only vulnerable before completing the 4-way handshake. To @@ -597,6 +617,7 @@ All commands work against both clients and APs unless noted otherwise. |
*[Broadcast checks (extensions of §6.4)](#id-extended-bcast-check)*
| `ping I,P --bcast-ra` | Ping in a plaintext broadcast frame after 4-way HS. | `ping BP --bcast-ra [--bcast-dst]` | Ping in plaintext broadcast frame during 4-way HS (use tcpdump). +| `ping BP [--bcast-dst]` | Ping in a plaintext frame during the 4-way handshake (use tcpdump). | `eapfrag BP,BP` | Experimental broadcast fragment attack (use tcpdump). |
*[A-MSDU EAPOL attack (§6.5)](#id-extended-cloackamsdu)*
| `eapol-amsdu[-bad] BP --bcast-dst` | Same as `eapol-amsdu BP` but easier to verify against APs (use tcpdump). @@ -687,20 +708,20 @@ Finally, in case the test `ping-frag-sep` doesn't succeed, you should try the fo can try these two extra tests as well. I think it's quite unlikely this will uncover a new vulnerability. -## 8.5. Broadcast fragment attack tests (§6.4 -- CVE-2020-26145) +## 8.5. Broadcast fragment attack tests (extensions of §6.4) -- Because all these tests send broadcast frames, which are not automatically retransmitted, it is recommended - to **execute these tests several times**. This is because background noise may prevent the tested devices - from receiving the injected broadcast frame. So far only clients were affected by these attacks. Additionally, - most clients are only vulnerble while connecting to the network (i.e. during the execution of the 4-way handshake). +Most of the following tests send broadcast frames, which are not automatically retransmitted, and it is therefore +recommended to **execute them several times**. This is because background noise may prevent the tested devices +from receiving the injected broadcast frame. In my experiments, mainly clients were affected. Most clients are +only vulnerable while connecting to the network (i.e. during the execution of the 4-way handshake). -- `ping I,P --bcast-ra`: this sends a unicast ICMP ping request inside a plaintext broadcast Wi-Fi frame. This test - only makes sense against a client. +- `ping I,P --bcast-ra`: this sends a unicast ICMP ping request inside a plaintext broadcast Wi-Fi frame (CVE-2020-26145). + This test can be performed against both clients and APs. - `ping BP --bcast-ra`: similar to the above test `ping I,P --bcast-ra`, but the ping is sent before the client has - authenticated with the network (i.e. during the execution of the 4-way handshake). You must run tcpdump or wireshark - to check if the client accepts the frame. In tcpdump you can use the filter `icmp` and in wireshark you can also use - the filter `frame contains "test_ping_icmp"` to more easily detect this ping request. + authenticated with the network, i.e., during the execution of the 4-way handshake (CVE-2020-26145). You must run tcpdump + or wireshark to check if the client accepts the frame. In tcpdump you can use the filter `icmp` and in wireshark you + can also use the filter `frame contains "test_ping_icmp"` to more easily detect this ping request. - `ping BP --bcast-ra --bcast-dst`: this test is the same as the previous one, but is useful if you cannot run tcpdump on the target AP. Note that this test is only meaningfull against APs. The extra `--bcast-dst` parameter in this test @@ -708,6 +729,16 @@ Finally, in case the test `ping-frag-sep` doesn't succeed, you should try the fo AP is vulnerable, execute this command, and listen for broadcast Wi-Fi frames on a second device that is connected to the AP by using the filter `icmp` or `frame contains "test_ping_icmp"`. + + +- `ping BP [--bcast-dst]`: this is a variant of the above two tests, except that the ping request is now send in a + plaintext unicast frame instead of a broadcast one (no CVE is allocated yet - it's related to CVE-2020-26145). This test + must be performed against both clients and APs. The ping is sent before the client has authenticated with the network + (i.e. during the execution of the 4-way handshake), meaning you must run tcpdump or wireshark to check if the device + accepts this frame. Alternatively, when testing APs, you can add the `--bcast-dst` parameter similar to the above test, + and then use tcpdump or wireshark on a second device that is connected to the AP by using the filter `icmp` or + `frame contains "test_ping_icmp"`. + - `eapfrag BP,BP`: this is a specialization of the above two tests that is performed before the client has authenticated. It is a _very experimental_ attack based on the analysis of leaked code. It first sends a plaintext fragment that starts with an EAPOL header, which is accepted because the 4-way handshake is still being executed. Then it sends a second @@ -926,7 +957,7 @@ tcpdump on it. In particular, the broadcast fragment attack tests (CVE-2020-2614 tests (CVE-2020-26144) can be performed without running tcpdump on the device under test. Instead, tcpdump has to run on another client connected to the AP. Concretely, the following commands can be used: -- `ping I,P --bcast-ra` and `ping BP --bcast-ra --bcast-dst` +- `ping I,P --bcast-ra --bcast-dst` and `ping BP --bcast-ra --bcast-dst` - `eapol-amsdu BP --bcast-dst` and `eapol-amsdu-bad BP --bcast-dst`