fragattack: fix SSP to SPP

Mathy Vanhoef 2020-10-20 14:33:09 +04:00
parent 08e3267428
commit 5ed2ba7e06
3 changed files with 6 additions and 6 deletions

@ -249,7 +249,7 @@ device and are further discussed below the table.
| `ping-frag-sep` | Send a normal fragmented ping with fragments separated by another frame. | `ping-frag-sep` | Send a normal fragmented ping with fragments separated by another frame.
| `ping-frag-sep --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs. | `ping-frag-sep --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs.
| <div align="center">*A-MSDU attacks (§3)*</div> | <div align="center">*A-MSDU attacks (§3)*</div>
| `ping I,E --amsdu` | Send a ping encapsulated in a normal (non SSP protected) A-MSDU frame. | `ping I,E --amsdu` | Send a ping encapsulated in a normal (non SPP protected) A-MSDU frame.
| <div align="center">*Mixed key attacks (§4)*</div> | <div align="center">*Mixed key attacks (§4)*</div>
| `ping I,F,BE,AE` | Inject two fragments encrypted under a different key. | `ping I,F,BE,AE` | Inject two fragments encrypted under a different key.
| `ping I,F,BE,AE --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs. | `ping I,F,BE,AE --pn-per-qos` | Same as above, but also works if the target only accepts consecutive PNs.
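Review bot: the rewritten cell on the `ping I,E --amsdu` row reads "non SPP protected" while the 7.2 text changed in the same commit uses the hyphenated "non-SPP"; pick one spelling for both. Since this row is the first place the table mentions SPP, it would also help to expand the acronym once, e.g. "(non-SPP, i.e. not Signaling and Payload Protected) A-MSDU frame", so a reader does not need the paper to decode the flag.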
@ -306,7 +306,7 @@ include) these reference CVEs as a way to easily refer to each type of discovere
## 7.2. A-MSDU attack tests (§3 -- CVE-2020-24588) ## 7.2. A-MSDU attack tests (§3 -- CVE-2020-24588)
The test `ping I,E --amsdu` checks if an implementation supports A-MSDUs, in which case it is vulnerable to The test `ping I,E --amsdu` checks if an implementation supports A-MSDUs, in which case it is vulnerable to
attacks. To prevent attacks, the network must mandate the usage of SSP A-MSDUs (and drop all non-SSP A-MSDUs). attacks. To prevent attacks, the network must mandate the usage of SPP A-MSDUs (and drop all non-SPP A-MSDUs).
It's currently unclear how to prevent this attack in a backward-compatible manner. See Section 3 of the paper It's currently unclear how to prevent this attack in a backward-compatible manner. See Section 3 of the paper
for details. for details.
@ -461,7 +461,7 @@ presence of a certain vulnerability class, there is no need to test the other at
| -------------------------------------- | --------------------------------- | -------------------------------------- | ---------------------------------
| <div align="center">*A-MSDU attacks (§3)*</div> | <div align="center">*A-MSDU attacks (§3)*</div>
| `ping I,E --amsdu-fake` | If this test succeeds, the A-MSDU flag is ignored (§3.5). | `ping I,E --amsdu-fake` | If this test succeeds, the A-MSDU flag is ignored (§3.5).
| `ping I,E --amsdu-fake --amsdu-ssp` | Check if the A-MSDU flag is authenticated but then ignored (§3.5). | `ping I,E --amsdu-fake --amsdu-spp` | Check if the A-MSDU flag is authenticated but then ignored (§3.5).
| `amsdu-inject` | Send A-MSDU frame whose start is also a valid LLC/SNAP header (§3.2). | `amsdu-inject` | Send A-MSDU frame whose start is also a valid LLC/SNAP header (§3.2).
| `amsdu-inject-bad` | Same as above, but against targets that incorrectly parse the frame. | `amsdu-inject-bad` | Same as above, but against targets that incorrectly parse the frame.
| <div align="center">*Mixed key attacks (§4)*</div> | <div align="center">*Mixed key attacks (§4)*</div>
@ -501,7 +501,7 @@ understand how the tested device handles A-MSDU frames:
support A-MSDU frames). This behaviour is not ideal, although it is unlikely that an attacker can abuse this in support A-MSDU frames). This behaviour is not ideal, although it is unlikely that an attacker can abuse this in
practice (see Section 3.5 in the paper). practice (see Section 3.5 in the paper).
- `ping I,E --amsdu-fake --amsdu-ssp`: If this tests succeeds, the receiver authenticates the QoS A-MSDU flag of every - `ping I,E --amsdu-fake --amsdu-spp`: If this tests succeeds, the receiver authenticates the QoS A-MSDU flag of every
received frame (i.e. it will not mask it to zero on reception) but then treats all received frames as normal frames received frame (i.e. it will not mask it to zero on reception) but then treats all received frames as normal frames
(meaning it does not support the reception of real A-MSDU frames). This behaviour is not ideal, although it is unlikely (meaning it does not support the reception of real A-MSDU frames). This behaviour is not ideal, although it is unlikely
that an attacker can abuse this in practice (see Section 3.5 in the paper). that an attacker can abuse this in practice (see Section 3.5 in the paper).
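Review bot: "If this tests succeeds" on the rewritten `ping I,E --amsdu-fake --amsdu-spp` bullet should read "If this test succeeds", matching the wording of the preceding `--amsdu-fake` bullet; since the line is already being touched for the rename, fix the typo in the same commit.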

@ -181,7 +181,7 @@ if __name__ == "__main__":
parser.add_argument('--inc-pn', type=int, help="To test non-sequential packet number in fragments.") parser.add_argument('--inc-pn', type=int, help="To test non-sequential packet number in fragments.")
parser.add_argument('--amsdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.") parser.add_argument('--amsdu', default=False, action='store_true', help="Encapsulate pings in an A-MSDU frame.")
parser.add_argument('--amsdu-fake', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.") parser.add_argument('--amsdu-fake', default=False, action='store_true', help="Set A-MSDU flag but include normal payload.")
parser.add_argument('--amsdu-ssp', default=False, action='store_true', help="Force authentication of QoS A-MSDU flag.") parser.add_argument('--amsdu-spp', '--amsdu-ssp', default=False, action='store_true', help="Force authentication of QoS A-MSDU flag.")
parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.") parser.add_argument('--arp', default=False, action='store_true', help="Override default request with ARP request.")
parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.") parser.add_argument('--dhcp', default=False, action='store_true', help="Override default request with DHCP discover.")
parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.") parser.add_argument('--icmp', default=False, action='store_true', help="Override default request with ICMP ping request.")
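Review bot: the attribute name `amsdu_spp` that the station code reads is derived by argparse from the first option string, so it only works because `'--amsdu-spp'` is listed before the `'--amsdu-ssp'` alias; add an explicit `dest='amsdu_spp'` to the call so a later reordering of the aliases cannot silently break `self.options.amsdu_spp`, and say in the help string that `--amsdu-ssp` is the old spelling kept for compatibility.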

@ -441,7 +441,7 @@ class Station():
# TODO: Implement and test this function # TODO: Implement and test this function
encrypted = encrypt_tkip(frame, key, self.pn[idx], keyid) encrypted = encrypt_tkip(frame, key, self.pn[idx], keyid)
elif len(key) == 16: elif len(key) == 16:
encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid, self.options.amsdu_ssp) encrypted = encrypt_ccmp(frame, key, self.pn[idx], keyid, self.options.amsdu_spp)
else: else:
encrypted = encrypt_wep(frame, key, self.pn[idx], keyid) encrypted = encrypt_wep(frame, key, self.pn[idx], keyid)
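Review bot: this is the only consumer of the renamed option in the patch, and any stale `self.options.amsdu_ssp` left elsewhere would surface as an AttributeError only when a frame is actually encrypted, not at startup; grep for the old name before merging. Note also that the flag is passed only into `encrypt_ccmp`: the TKIP (still a TODO) and WEP branches silently ignore `--amsdu-spp`, which deserves a comment or a warning so a tester does not read a passing result under those ciphers as an authenticated A-MSDU flag.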