Network Card | USB | 5GHz | mixed mode | injection mode | Chipset |
---|---|---|---|---|---|
Technoethical N150 HGA | Yes | No | patched driver/firmware | patched driver/firmware | |
TP-Link TL-WN722N v1.x | Yes | No | patched driver/firmware | patched driver/firmware | |
Alfa AWUS036NHA | Yes | No | patched driver/firmware | patched driver/firmware | |
Intel Wireless-AC 8265 | No | Yes | patched driver | yes | |
Intel Wireless-AC 3160 | No | Yes | patched driver | yes | |
Alfa AWUS036ACM | Yes | Yes | patched driver | yes | MT7612U |
Netgear WN111v2 | Yes | No | patched driver | yes | |
Alfa AWUS036ACH | Yes | Yes | no | yes | |
```text
(venv) {10:19}~/workspace/fragattacks/research:master ✓ ➭ ./fragattack.py --help
[10:19:38] This is FragAttack version 1.3.
usage: fragattack.py [-h] [--inject INJECT] [--inject-test INJECT_TEST] [--inject-test-postauth INJECT_TEST_POSTAUTH] [--hwsim HWSIM]
                     [--ip IP] [--peerip PEERIP] [--ap] [--debug DEBUG] [--delay DELAY] [--inc-pn INC_PN] [--amsdu] [--amsdu-fake]
                     [--amsdu-spp] [--arp] [--dhcp] [--icmp] [--ipv6] [--udp UDP] [--no-dhcp] [--icmp-size ICMP_SIZE] [--padding PADDING]
                     [--rekey-request] [--rekey-plaintext] [--rekey-early-install] [--full-reconnect] [--bcast-ra] [--bcast-dst]
                     [--bad-mic] [--pn-per-qos] [--no-qos] [--freebsd-cache] [--connected-delay CONNECTED_DELAY]
                     [--pre-test-delay PRE_TEST_DELAY] [--to-self] [--no-drivercheck] [--stay-up]
                     iface testname [actions]

Test for fragmentation vulnerabilities (version 1.3).

positional arguments:
  iface                 Interface to use for the tests.
  testname              Name or identifier of the test to run.
  actions               Optional textual descriptions of actions

optional arguments:
  -h, --help            show this help message and exit
  --inject INJECT       Interface to use to inject frames.
  --inject-test INJECT_TEST
                        Use given interface to test injection through monitor interface.
  --inject-test-postauth INJECT_TEST_POSTAUTH
                        Same as --inject-test but run the test after authenticating.
  --hwsim HWSIM         Use provided interface in monitor mode, and simulate AP/client through hwsim.
  --ip IP               IP we as a sender should use.
  --peerip PEERIP       IP of the device we will test.
  --ap                  Act as an AP to test clients.
  --debug DEBUG         Debug output level.
  --delay DELAY         Delay between fragments in certain tests.
  --inc-pn INC_PN       To test non-sequential packet number in fragments.
  --amsdu               Encapsulate pings in an A-MSDU frame.
  --amsdu-fake          Set A-MSDU flag but include normal payload.
  --amsdu-spp, --amsdu-ssp
                        Force authentication of QoS A-MSDU flag.
  --arp                 Override default request with ARP request.
  --dhcp                Override default request with DHCP discover.
  --icmp                Override default request with ICMP ping request.
  --ipv6                Override default request with ICMPv6 router advertisement.
  --udp UDP             Override default request with UDP packet to the given port.
  --no-dhcp             Do not reply to DHCP requests as an AP.
  --icmp-size ICMP_SIZE
                        Size of the ICMP ping request to send.
  --padding PADDING     Add padding data to ARP/DHCP/ICMP requests.
  --rekey-request       Actively request PTK rekey as client.
  --rekey-plaintext     Do PTK rekey with plaintext EAPOL frames.
  --rekey-early-install
                        Install PTK after sending Msg3 during rekey.
  --full-reconnect      Reconnect by deauthenticating first.
  --bcast-ra            Send pings using broadcast receiver address (= addr1).
  --bcast-dst           Send pings using broadcast destination when to AP ().
  --bad-mic             Send pings using an invalid authentication tag.
  --pn-per-qos          Use separate Tx packet counter for each QoS TID.
  --no-qos              Don't send QoS data frames (experimental - may break some tests).
  --freebsd-cache       Sent EAP(OL) frames as (malformed) broadcast EAPOL/A-MSDUs.
  --connected-delay CONNECTED_DELAY
                        Second to wait after AfterAuth before triggering Connected event
  --pre-test-delay PRE_TEST_DELAY
                        Delay before launching the test
  --to-self             Send ARP/DHCP/ICMP with same src and dst MAC address.
  --no-drivercheck      Don't check if patched drivers are being used.
  --stay-up             Don't quit when test has finished.
```
Design flaw: aggregation attack
The first design flaw is in the frame aggregation feature of Wi-Fi. This feature increases the speed and throughput of a network by combining small frames into a larger aggregated frame. To implement this feature, the header of each frame contains a flag that indicates whether the (encrypted) transported data contains a single frame or an aggregated frame. This is illustrated in the following figure:
Unfortunately, this "is aggregated" flag is not authenticated and can be modified by an adversary, meaning a victim can be tricked into processing the encrypted transported data in an unintended manner. An adversary can abuse this to inject arbitrary network packets by tricking the victim into connecting to their server and then setting the "is aggregated" flag of carefully selected packets. Practically all tested devices were vulnerable to this attack. The ability to inject packets can in turn be abused to intercept a victim's traffic by making it use a malicious DNS server (see the demo).
This design flaw can be fixed by authenticating the "is aggregated" flag. The Wi-Fi standard already contains a feature to authenticate this flag, namely requiring SPP A-MSDU frames, but this defense is not backwards-compatible and is not supported in practice. Attacks can also be mitigated using an ad-hoc fix, though new attacks may remain possible.
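To make the receiver side of this concrete, here is an added example (not code from the FragAttacks project or the page's author) that parses the A-MSDU subframe layout and applies the ad-hoc mitigation mentioned above: a genuine A-MSDU begins with a subframe's destination MAC, while a normal MSDU whose "is aggregated" flag was flipped begins with the RFC 1042 LLC/SNAP header (`aa aa 03 00 00 00`), so a receiver can drop any A-MSDU whose first six bytes look like that header. That is the same heuristic the Linux cfg80211 mitigation for CVE-2020-24588 relies on. The sample frames, MAC addresses and the `handle_data_field` helper are constructed for this example.

```python
import struct
from typing import List, Optional, Tuple

# LLC/SNAP (RFC 1042) header that begins every normal, non-aggregated MSDU in a data frame.
RFC1042_HEADER = bytes.fromhex("aaaa03000000")


def parse_amsdu(payload: bytes) -> List[Tuple[bytes, bytes, bytes]]:
    """Split the decrypted data field of a frame whose 'is aggregated' flag is set
    into (DA, SA, MSDU) tuples. Subframe layout: DA(6) SA(6) length(2, big-endian)
    MSDU, with every subframe except the last padded to a 4-byte boundary."""
    subframes = []
    off = 0
    while off + 14 <= len(payload):
        da = payload[off:off + 6]
        sa = payload[off + 6:off + 12]
        (length,) = struct.unpack(">H", payload[off + 12:off + 14])
        start, end = off + 14, off + 14 + length
        if end > len(payload):
            raise ValueError("truncated A-MSDU subframe")
        subframes.append((da, sa, payload[start:end]))
        off = end + (-(14 + length)) % 4   # skip padding to the next 4-byte boundary
    return subframes


def amsdu_looks_injected(payload: bytes) -> bool:
    """Ad-hoc mitigation for the unauthenticated flag: if the 'destination MAC' of the
    first subframe is really an LLC/SNAP header, the frame was most likely a normal
    MSDU whose aggregation flag was flipped in transit."""
    return payload[:6] == RFC1042_HEADER


def handle_data_field(payload: bytes, is_amsdu: bool) -> Optional[List[bytes]]:
    """Receiver logic (hypothetical helper): return the MSDU(s) to pass up the stack,
    or None when the frame must be dropped."""
    if not is_amsdu:
        return [payload]
    if amsdu_looks_injected(payload):
        return None
    return [msdu for _da, _sa, msdu in parse_amsdu(payload)]


def build_amsdu(subframes: List[Tuple[bytes, bytes, bytes]]) -> bytes:
    """Encode subframes the way a transmitter would; used here only to build sample input."""
    out = b""
    for i, (da, sa, msdu) in enumerate(subframes):
        sub = da + sa + struct.pack(">H", len(msdu)) + msdu
        if i != len(subframes) - 1:
            sub += b"\x00" * ((-len(sub)) % 4)
        out += sub
    return out


# --- constructed sample input (locally administered MACs, not captured traffic) ---
STA = bytes.fromhex("020000000001")
PEER = bytes.fromhex("020000000002")
# A normal MSDU: LLC/SNAP header, EtherType IPv4, then 28 placeholder bytes standing in for an IP packet.
NORMAL_MSDU = RFC1042_HEADER + b"\x08\x00" + b"\x45\x00" + bytes(26)
# A second MSDU (EtherType ARP) so the genuine A-MSDU carries two subframes.
ARP_MSDU = RFC1042_HEADER + b"\x08\x06" + bytes(28)
GENUINE_AMSDU = build_amsdu([(STA, PEER, NORMAL_MSDU), (STA, PEER, ARP_MSDU)])

if __name__ == "__main__":
    print("genuine A-MSDU ->", handle_data_field(GENUINE_AMSDU, is_amsdu=True))
    print("normal MSDU, flag flipped ->", handle_data_field(NORMAL_MSDU, is_amsdu=True))
```

Feeding `NORMAL_MSDU` through `parse_amsdu` directly shows why the flag matters: the LLC/SNAP bytes become a bogus destination address and the length field is whatever happens to sit at offset 12, so the receiver reassembles attacker-chosen "subframes" out of an ordinary packet. The header check stops the straightforward variant but, as the page notes, is not a substitute for SPP A-MSDU.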
Design flaw: mixed key attack
The second design flaw is in the frame fragmentation feature of Wi-Fi. This feature increases the reliability of a connection by splitting large frames into smaller fragments. When doing this, every fragment that belongs to the same frame is encrypted using the same key. However, receivers are not required to check this and will reassemble fragments that were decrypted using different keys. Under rare conditions this can be abused to exfiltrate data. This is accomplished by mixing fragments that are encrypted under different keys, as illustrated in the following figure:
In the above figure, the first fragment received by the access point is decrypted using a different key than the second fragment. Nevertheless, the victim will reassemble both fragments. In practice this allows an adversary to exfiltrate selected client data.
This design flaw can be fixed in a backwards-compatible manner by only reassembling fragments that were decrypted using the same key. Because the attack is only possible under rare conditions, it is considered a theoretical attack.
Design flaw: fragment cache attack
The third design flaw is also in Wi-Fi's frame fragmentation feature. The problem is that, when a client disconnects from the network, the Wi-Fi device is not required to remove non-reassembled fragments from memory. This can be abused against hotspot-like networks such as eduroam and govroam, and against enterprise networks where users distrust each other. In those cases, selected data sent by the victim can be exfiltrated. This is achieved by injecting a malicious fragment into the memory (i.e. the fragment cache) of the access point. When the victim then connects to the access point and sends a fragmented frame, selected fragments will be combined (i.e. reassembled) with the injected fragment of the adversary. This is illustrated in the following figure:
In the above figure, the adversary injects the first fragment into the fragment cache of the access point. After the adversary disconnects, the fragment stays in the fragment cache and will be reassembled with a fragment of the victim. If the victim sends fragmented frames, which appears uncommon in practice, this can be abused to exfiltrate data.
This design flaw can be fixed in a backwards-compatible manner by removing fragments from memory whenever disconnecting from or (re)connecting to a network.
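The two backwards-compatible fixes for the mixed key attack and the fragment cache attack both live in the receiver's reassembly state, so one added example covers both sections (this is illustrative code written for this page, not FragAttacks project code or a real driver). The `DefragCache` below refuses to combine fragments decrypted under different keys, flushes every cached fragment for a MAC address when that station (re)connects or disconnects, and additionally requires consecutive fragment and packet numbers (the non-consecutive PN case the test table lists as CVE-2020-26146). The `Fragment` record, the `key_id` counter (assumed to restart at 0 when a station reconnects, which is exactly why the key check alone does not cover the cache attack) and the three scenario functions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    sender: str       # transmitter MAC address (assumed string form)
    seq: int          # sequence number shared by all fragments of one frame
    frag_num: int     # fragment number, 0 for the first fragment
    more_frags: bool  # "more fragments" bit from the frame control field
    key_id: int       # assumption: receiver-side counter of the PTK that decrypted this fragment
    pn: int           # CCMP/GCMP packet number recovered during decryption
    data: bytes       # decrypted fragment payload


@dataclass
class _Pending:
    key_id: int
    next_frag: int
    last_pn: int
    parts: List[bytes] = field(default_factory=list)


class DefragCache:
    """Receiver-side reassembly state for one interface (AP or client)."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, int], _Pending] = {}
        self.dropped: List[str] = []   # human-readable drop reasons, usable as detection log lines

    def on_station_connect(self, sender: str) -> int:
        """Fix for the fragment cache attack: discard every partially reassembled frame
        attributed to this MAC when the station (re)connects or disconnects.
        Returns the number of entries flushed."""
        stale = [k for k in self._pending if k[0] == sender]
        for k in stale:
            del self._pending[k]
        return len(stale)

    on_station_disconnect = on_station_connect

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Feed one decrypted fragment; returns the reassembled frame once complete."""
        key = (frag.sender, frag.seq)
        if frag.frag_num == 0:
            # A new first fragment replaces anything still pending under this sequence number.
            self._pending[key] = _Pending(frag.key_id, 1, frag.pn, [frag.data])
        else:
            pending = self._pending.get(key)
            if pending is None:
                return self._drop(key, "non-first fragment with no first fragment cached")
            if frag.key_id != pending.key_id:
                # Fix for the mixed key attack: never combine fragments decrypted under different keys.
                return self._drop(key, "fragment decrypted under a different key than the first fragment")
            if frag.frag_num != pending.next_frag or frag.pn != pending.last_pn + 1:
                # Fragments of one frame must carry consecutive fragment and packet numbers.
                return self._drop(key, "non-consecutive fragment number or packet number")
            pending.parts.append(frag.data)
            pending.next_frag += 1
            pending.last_pn = frag.pn
        if frag.more_frags:
            return None
        return b"".join(self._pending.pop(key).parts)

    def _drop(self, key: Tuple[str, int], reason: str) -> None:
        self._pending.pop(key, None)   # abandon the whole frame, not just the offending fragment
        self.dropped.append(f"{key[0]} seq={key[1]}: {reason}")
        return None


# --- constructed scenarios (locally administered MAC addresses, made-up payloads) ---
STA = "02:00:00:00:00:aa"
VICTIM = "02:00:00:00:00:bb"


def scenario_normal() -> Optional[bytes]:
    cache = DefragCache()
    cache.receive(Fragment(STA, 7, 0, True, key_id=1, pn=10, data=b"first-"))
    return cache.receive(Fragment(STA, 7, 1, False, key_id=1, pn=11, data=b"second"))


def scenario_mixed_key() -> Tuple[Optional[bytes], List[str]]:
    cache = DefragCache()
    cache.receive(Fragment(STA, 7, 0, True, key_id=1, pn=10, data=b"first-"))
    # A PTK rekey happened in between, so the second fragment decrypts under key 2 with a fresh PN.
    out = cache.receive(Fragment(STA, 7, 1, False, key_id=2, pn=0, data=b"second"))
    return out, cache.dropped


def scenario_cache_attack() -> Tuple[int, Optional[bytes], List[str]]:
    cache = DefragCache()
    # A first fragment attributed to the victim's MAC is left behind before that session ends.
    cache.receive(Fragment(VICTIM, 3, 0, True, key_id=0, pn=5, data=b"stale-"))
    flushed = cache.on_station_disconnect(VICTIM)
    cache.on_station_connect(VICTIM)
    # The victim's own key counter also starts at 0, so only the flush protects this fragment.
    out = cache.receive(Fragment(VICTIM, 3, 1, False, key_id=0, pn=6, data=b"secret"))
    return flushed, out, cache.dropped
```

The drop reasons collected in `dropped` are the kind of event a driver or AP should log: a burst of "different key" or "no first fragment cached" drops around rekeys and reassociations is a useful signal that something is probing the fragmentation handling.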
Command | Short description |
---|---|
Sanity checks | |
ping | Send a normal ping. |
ping I,E,E | Send a normal fragmented ping. |
Basic device behaviour | |
ping I,E,E --delay 5 | Send a normal fragmented ping with a 5 second delay between fragments. |
ping-frag-sep | Send a normal fragmented ping with fragments separated by another frame. |
ping-frag-sep --pn-per-qos | Same as above, but also works if the target only accepts consecutive PNs. |
A-MSDU attacks (§3) | CVE-2020-24588 |
ping I,E --amsdu | Send a ping encapsulated in a normal (non-SPP-protected) A-MSDU frame. |
amsdu-inject | Simulate attack: send A-MSDU frame whose start is also a valid RFC 1042 header. |
amsdu-inject-bad | Same as above, but against targets that incorrectly parse the frame. |
Mixed key attacks (§4) | CVE-2020-24587 |
ping I,F,BE,AE | Inject two fragments encrypted under a different key. |
ping I,F,BE,AE --pn-per-qos | Same as above, but also works if the target only accepts consecutive PNs. |
Cache attacks (§5) | CVE-2020-24586 |
ping I,E,R,AE | Inject a fragment, try triggering a reassociation, and inject second fragment. |
ping I,E,R,E | Same as above, but with a longer delay before sending the second fragment. |
ping I,E,R,AE --full-recon | Inject a fragment, deauthenticate and reconnect, then inject second fragment. |
ping I,E,R,E --full-recon | Same as above, but with a longer delay before sending the second fragment. |
Non-consecutive PNs attack (§6.2) | CVE-2020-26146 |
ping I,E,E --inc-pn 2 | Send a fragmented ping with non-consecutive packet numbers. |
Mixed plain/encrypt attack (§6.3) | CVE-2020-26147/26140/25143 |
ping I,E,P | Send a fragmented ping: first fragment encrypted, second fragment in plaintext. |
ping I,P,E | Send a fragmented ping: first fragment in plaintext, second fragment encrypted. |
ping I,P | Send a plaintext ping. |
ping I,P,P | Send a fragmented ping: both fragments are sent in plaintext. |
linux-plain | Mixed plaintext/encrypted fragmentation attack specific to Linux. |
Broadcast fragment attack (§6.4) | CVE-2020-26145 |
ping I,D,P --bcast-ra | Send a unicast ping in a plaintext broadcasted 2nd fragment once connected. |
ping D,BP --bcast-ra | Same as above, but frame is sent during 4-way handshake (check with tcpdump). |
A-MSDU EAPOL attack (§6.5) | CVE-2020-26144 |
eapol-amsdu I,P | Send a plaintext A-MSDU containing a ping request cloaked as an EAPOL frame. |
eapol-amsdu BP | Same as above, but the frame is sent during the handshake (check with tcpdump). |
eapol-amsdu-bad I,P | Send malformed plaintext A-MSDU containing a ping request cloaked as an EAPOL frame. |
eapol-amsdu-bad BP | Same as above, but the frame is sent while connecting (check with tcpdump). |