fragattack: updated README and SUMMARY

Mathy Vanhoef 2021-01-20 04:30:41 +04:00
parent 2f4a6cb56e
commit 694aaa0100
2 changed files with 11 additions and 8 deletions

@ -2,9 +2,10 @@
# 1. Introduction
The discovered vulnerabilities affect all Wi-Fi networks. A short summary of all vulnerabilities can be
found [here](SUMMARY.md), although we also recommend reading the [paper](fragattacks.pdf). The resulting
attacks are identical against WPA2 and WPA3 because their CCMP and GCMP encryption ciphers are identical.
The discovered vulnerabilities affect all Wi-Fi networks. A short overview of all vulnerabilities can be
found [here](SUMMARY.md) and a summary of resulting attacks and their preconditions can be found [here](attacks.pdf).
We also recommend reading the [paper](fragattacks.pdf). Note that the attacks are identical against WPA2
and WPA3 because their CCMP and GCMP encryption ciphers are identical.
Older WPA networks by default use TKIP for encryption, and the applicability of the attacks against
this cipher are discussed in the paper. To illustrate that Wi-Fi has been vulnerable since its creation,
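Review bot: the new sentence links `attacks.pdf`, but that file is not one of the two files changed in this commit, so confirm it already exists in the repository or the link will dangle. Also, both links in the rewritten paragraph now read "[here]"; descriptive link text such as `[overview of vulnerabilities](SUMMARY.md)` and `[summary of attacks and preconditions](attacks.pdf)` is clearer and avoids two consecutive "here" links.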
@ -20,12 +21,14 @@ the paper also briefly discusses the applicability of the attacks against WEP.
## 2.2. Change log
**Version 1.3 (12 January 2021)**:
**Version 1.3 (20 January 2021)**:
- This version is based on hostap commit `a337c1d7c` ("New TWT operations and attributes to TWT Setup and Nudge").
- Added <a href="#id-wpa3-sae">instructions</a> on how to test WPA3/SAE devices using either the hunting-and-pecking or hash-to-element method.
This also implies that Management Frame Protection (MFP) is supported by the test tool.
- Added an [overview](attacks.pdf) of resulting attacks and their preconditions.
- Added <a href="#id-wpa3-sae">instructions</a> on how to test WPA3/SAE devices using either the hunting-and-pecking
or hash-to-element method. This also implies that Management Frame Protection (MFP) is supported by the test tool.
- Added a clarification to this README on how to use tcpdump to verify the result of certain tests.
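Review bot: the version 1.3 entry keeps its number while its date moves from 12 to 20 January and it gains new items; if the 12 January build was already distributed, a distinct number (e.g. 1.3.1) would let users tell the two builds apart. The list also mixes an HTML `<a href="#id-wpa3-sae">` anchor with markdown links such as `[overview](attacks.pdf)`; if the HTML form is needed to target the in-page id, a brief comment saying so would stop a later cleanup from converting it and breaking the anchor.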

@ -26,7 +26,7 @@
- **CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated**: Vulnerable Access Points (APs) forward EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. An adversary might be able to abuse this in projected Wi-Fi networks to launch denial-of-service attacks against connected clients, and this makes it easier to exploit other vulnerabilities in connected clients.
- **CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames**: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
- **CVE-2020-26142: Processing fragmented frames as full frames**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
- **CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames**: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
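Review bot: moving CVE-2020-26141 below CVE-2020-26142 breaks the ascending CVE order of this list; if the intent is to group related flaws (for example, TKIP-specific issues last), a short sentence explaining the ordering would help readers, otherwise keep numeric order. Separately, the unchanged context line for CVE-2020-26139 says "projected Wi-Fi networks", which looks like a typo for "protected Wi-Fi networks".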