fragattack: fix SSP to SPP

This commit is contained in:
Mathy Vanhoef 2020-10-20 14:33:09 +04:00
parent 08e3267428
commit 5ed2ba7e06
3 changed files with 6 additions and 6 deletions

View File

@ -249,7 +249,7 @@ device and are further discussed below the table.
| `ping-frag-sep` | Send a normal fragmented ping with fragments separated by another frame.
| `ping-frag-sep --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs.
| <div align="center">*A-MSDU attacks (§3)*</div>
| `ping I,E --amsdu` | Send a ping encapsulated in a normal (non SSP protected) A-MSDU frame.
| `ping I,E --amsdu` | Send a ping encapsulated in a normal (non SPP protected) A-MSDU frame.
| <div align="center">*Mixed key attacks (§4)*</div>
| `ping I,F,BE,AE` | Inject two fragments encrypted under a different key.
| `ping I,F,BE,AE --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs.
@ -306,7 +306,7 @@ include) these reference CVEs as a way to easily refer to each type of discovere
## 7.2. A-MSDU attack tests (§3 -- CVE-2020-24588)
The test `ping I,E --amsdu` checks if an implementation supports A-MSDUs, in which case it is vulnerable to
attacks. To prevent attacks, the network must mandate the usage of SSP A-MSDUs (and drop all non-SSP A-MSDUs).
attacks. To prevent attacks, the network must mandate the usage of SPP A-MSDUs (and drop all non-SPP A-MSDUs).
It's currently unclear how to prevent this attack in a backward-compatible manner. See Section 3 of the paper
for details.
@ -461,7 +461,7 @@ presence of a certain vulnerability class, there is no need to test the other at
| -------------------------------------- | ---------------------------------
| <div align="center">*A-MSDU attacks (§3)*</div>
| `ping I,E --amsdu-fake` | If this test succeeds, the A-MSDU flag is ignored (§3.5).
| `ping I,E --amsdu-fake --amsdu-ssp` | Check if the A-MSDU flag is authenticated but then ignored (§3.5).
| `ping I,E --amsdu-fake --amsdu-spp` | Check if the A-MSDU flag is authenticated but then ignored (§3.5).
| `amsdu-inject` | Send A-MSDU frame whose start is also a valid LLC/SNAP header (§3.2).
| `amsdu-inject-bad` | Same as above, but against targets that incorrectly parse the frame.
| <div align="center">*Mixed key attacks (§4)*</div>
@ -501,7 +501,7 @@ understand how the tested device handles A-MSDU frames:
support A-MSDU frames). This behaviour is not ideal, although it is unlikely that an attacker can abuse this in
practice (see Section 3.5 in the paper).
- `ping I,E --amsdu-fake --amsdu-ssp`: If this tests succeeds, the receiver authenticates the QoS A-MSDU flag of every
- `ping I,E --amsdu-fake --amsdu-spp`: If this tests succeeds, the receiver authenticates the QoS A-MSDU flag of every
received frame (i.e. it will not mask it to zero on reception) but then treats all received frames as normal frames
(meaning it does not support the reception of real A-MSDU frames). This behaviour is not ideal, although it is unlikely
that an attacker can abuse this in practice (see Section 3.5 in the paper).

View File

@ -181,7 +181,7 @@ if __name__ == "__main__":
parser.add_argument('--inc-pn', type=int, help="To test non-sequential packet number in fragments.")
parser.add_argument('--amsdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.")
parser.add_argument('--amsdu-fake', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.")
parser.add_argument('--amsdu-ssp', default=False, action='store_true', help="Force authentication of QoS A-MSDU flag.")
parser.add_argument('--amsdu-spp', '--amsdu-ssp', default=False, action='store_true', help="Force authentication of QoS A-MSDU flag.")
parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.")
parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.")
parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.")

View File

@ -441,7 +441,7 @@ class Station():
# TODO: Implement and test this function
encrypted = encrypt_tkip(frame, key, self.pn[idx], keyid)
elif len(key) == 16:
encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid, self.options.amsdu_ssp)
encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid, self.options.amsdu_spp)
else:
encrypted = encrypt_wep(frame, key, self.pn[idx], keyid)