Frag Attacks

Discovered and named by Mathy Vanhoef (New York University Abu Dhabi) on May 11, 2021, the FragAttacks (fragmentation and aggregation attacks) are a group of a dozen vulnerabilities that affect not only the WEP protocol but also more recent protocols such as WPA3. The vulnerabilities are mainly located in the exchanges in which frame contents are added to or modified (aggregation and fragmentation), so every terminal connected to the network is therefore vulnerable.

According to Mathy Vanhoef’s research, three of the vulnerabilities are design flaws in the 802.11 standard. The researcher also said that these vulnerabilities are complex to exploit. However, he draws attention to weaknesses related to Wi-Fi implementation flaws at the terminal level, as these are directly exposed.

I will briefly present below the three design flaws of the 802.11 standard; for more detail, I invite you to read the detailed information provided by Mathy Vanhoef.

1- Aggregation Attack (CVE-2020-24588)

The first design weakness is located in the 802.11 header, more specifically in the “is aggregated” flag, which is neither authenticated nor encrypted when the frame is transmitted. An attacker can therefore modify this field and so achieve packet injection. One example of an attack would be to push a malicious DNS server address to a client. After extensive testing by Mathy Vanhoef, it was found that all devices are vulnerable to this attack.
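To show why the flag has to be covered by the frame's integrity check, here is an added Python model (not Vanhoef's code and not any driver's). It builds a simplified version of the CCMP additional authenticated data (AAD) for a QoS data frame twice: once with the A-MSDU Present bit masked out, as legacy receivers do, and once with it kept, as receivers that negotiate SPP A-MSDU do. The MIC uses HMAC-SHA256 as a stand-in for the real CCM MAC, the addresses, key and payload are constructed, and the AAD omits the masked Frame Control and Sequence Control fields that the real construction also includes.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed model: QoS Control is a 16-bit cleartext header field.
# Bits 0-3 carry the TID; bit 7 is the "A-MSDU Present" (is aggregated) flag.
QOS_TID_MASK = 0x000F
QOS_AMSDU_PRESENT = 0x0080


@dataclass(frozen=True)
class QosDataFrame:
    addr1: bytes        # receiver address, 6 bytes (constructed values below)
    addr2: bytes        # transmitter address
    addr3: bytes        # BSSID / destination
    qos_control: int    # 16-bit QoS Control field, sent in the clear
    payload: bytes      # would be CCMP-encrypted on the air; kept plain here
    mic: bytes = b""    # integrity tag attached by protect()


def aad(frame: QosDataFrame, spp_amsdu: bool) -> bytes:
    """Simplified CCMP additional authenticated data.

    Only header bits kept in the AAD are integrity-protected. A legacy
    receiver masks QoS Control down to the TID, so bit 7 is unprotected;
    an SPP A-MSDU receiver keeps bit 7. (Real CCMP also adds masked Frame
    Control and Sequence Control fields; they are omitted in this model.)
    """
    keep = QOS_TID_MASK | (QOS_AMSDU_PRESENT if spp_amsdu else 0)
    qc = frame.qos_control & keep
    return frame.addr1 + frame.addr2 + frame.addr3 + qc.to_bytes(2, "little")


def compute_mic(frame: QosDataFrame, key: bytes, spp_amsdu: bool) -> bytes:
    # HMAC-SHA256 truncated to 8 bytes stands in for the CCM MAC (assumption).
    msg = aad(frame, spp_amsdu) + frame.payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def protect(frame: QosDataFrame, key: bytes, spp_amsdu: bool) -> QosDataFrame:
    """Sender side: attach the integrity tag."""
    return replace(frame, mic=compute_mic(frame, key, spp_amsdu))


def verify(frame: QosDataFrame, key: bytes, spp_amsdu: bool) -> bool:
    """Receiver side: accept the frame only if the tag matches."""
    return hmac.compare_digest(compute_mic(frame, key, spp_amsdu), frame.mic)


def with_amsdu_flag_toggled(frame: QosDataFrame) -> QosDataFrame:
    """Simulate the cleartext header bit being changed in transit."""
    return replace(frame, qos_control=frame.qos_control ^ QOS_AMSDU_PRESENT)


def flag_change_detected(spp_amsdu: bool) -> bool:
    """True if a receiver in the given mode rejects a frame whose flag was changed."""
    key = b"constructed-demo-key-not-secret"          # constructed
    frame = QosDataFrame(b"\x02" * 6, b"\x04" * 6, b"\x06" * 6,
                         qos_control=0x0005, payload=b"DNS reply body")  # constructed
    sent = protect(frame, key, spp_amsdu)
    assert verify(sent, key, spp_amsdu)               # an untouched frame is accepted
    return not verify(with_amsdu_flag_toggled(sent), key, spp_amsdu)


if __name__ == "__main__":
    print("legacy receiver detects flag change:", flag_change_detected(False))     # False
    print("SPP A-MSDU receiver detects flag change:", flag_change_detected(True))  # True
```

The legacy receiver accepts the modified frame because the bit it decides aggregation on was never part of what the MIC covers; the SPP receiver rejects it. This is why the recommended mitigation is to authenticate the flag rather than to encrypt more of the frame.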

2- Mixed Key Attack (CVE-2020-24587)

The second design weakness in Wi-Fi is in the frame fragmentation function. In principle, this feature improves the reliability of the connection by dividing large frames into small fragments, and the same key is used to encrypt every fragment of a given frame. However, receivers are not obliged to check the keys and may reassemble fragments that were decrypted with different keys. Even if such cases are rare, the flaw can still be exploited to exfiltrate data; to do so, fragments encrypted with different keys must be mixed.

This design flaw can be corrected in a backwards-compatible way by only reassembling fragments that were decrypted with the same key. Since the attack is relatively rare, it is classified as a “theoretical attack”.

3- Fragment Cache Attack (CVE-2020-24586)

The third design weakness of Wi-Fi, like the second, lies in the frame fragmentation function. The problem is that when a user disconnects from the network, the Wi-Fi device does not necessarily delete from memory the fragments that have not yet been reassembled. This can be abused, especially in hotspot networks: the design flaw can lead to data exfiltration through the injection of a malicious fragment into the “fragment cache”. When the victim then sends a fragmented frame after connecting to the access point, the fragments it selects are combined with those injected by the adversary. This design flaw can be corrected in a backwards-compatible way by deleting cached fragments when reconnecting to or disconnecting from a network.

4- Some other cases

Another vulnerability worth noting was observed on some routers, which forward EAPOL frames to another client before the sender has even authenticated. Through this vulnerability, aggregation attacks can be performed by injecting arbitrary frames without any user interaction. Another very common implementation flaw concerns receivers that do not check that all fragments belong to the same frame; it allows a new frame to be formed by mixing fragments of two different frames. Some devices do not support aggregation or fragmentation but are still vulnerable, since they treat fragmented frames as complete frames. This flaw can possibly be used to inject packets.
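As an added example (not code from fragattacks.com or from any Wi-Fi driver), the following Python model shows a receive-side reassembly routine with the checks that sections 2, 3 and 4 call for: only fragments decrypted with the same key are combined, the fragment cache is flushed on (re)connection or disconnection, a fragment is accepted only when it continues a frame that started with fragment 0 under the same sequence number, and a fragment is never handed up as a complete frame on its own. The Fragment fields, the key_id identifier for the pairwise key that decrypted a fragment, and the sample payloads are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    seq: int              # MPDU sequence number; identical for all fragments of one frame
    frag_num: int         # fragment number, 0-based and consecutive
    more_fragments: bool  # "More Fragments" flag from the Frame Control field
    key_id: int           # identifies the pairwise key that decrypted this fragment (assumption)
    data: bytes           # decrypted fragment payload


class Reassembler:
    """Receive-side reassembly with the checks discussed in the text."""

    def __init__(self) -> None:
        # fragment cache: seq -> (key_id of the first fragment, payloads so far)
        self._cache = {}

    def on_connect(self) -> None:
        """Flush all partial frames when (re)associating or disconnecting, so
        fragments left over from a previous session can never be combined
        with new ones (fix for the fragment cache attack)."""
        self._cache.clear()

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the complete frame when the last fragment arrives, else None.
        Any inconsistency discards the partial frame rather than guessing."""
        if f.frag_num == 0:
            # A frame always starts at fragment 0; replace any stale partial frame for this seq.
            self._cache.pop(f.seq, None)
            if not f.more_fragments:
                return f.data                      # unfragmented frame
            self._cache[f.seq] = (f.key_id, [f.data])
            return None

        entry = self._cache.get(f.seq)
        if entry is None:
            # Non-first fragment with no matching first fragment: never treat it as a
            # complete frame (the "fragmented frames considered complete" flaw).
            return None

        key_id, parts = entry
        if f.key_id != key_id:
            # Mixed key check: all fragments must have been decrypted with the same key.
            del self._cache[f.seq]
            return None
        if f.frag_num != len(parts):
            # Same-frame check: fragment numbers must be consecutive under one seq.
            del self._cache[f.seq]
            return None

        parts.append(f.data)
        if f.more_fragments:
            return None
        del self._cache[f.seq]
        return b"".join(parts)


def scenarios() -> dict:
    """Run constructed fragment sequences; values are the reassembled frame or None."""
    out = {}
    r = Reassembler()
    r.receive(Fragment(1, 0, True, 1, b"GET /"))
    out["same_key"] = r.receive(Fragment(1, 1, False, 1, b"index"))

    r = Reassembler()
    r.receive(Fragment(2, 0, True, 1, b"GET /"))
    out["mixed_key"] = r.receive(Fragment(2, 1, False, 2, b"index"))   # different key: dropped

    r = Reassembler()
    r.receive(Fragment(3, 0, True, 1, b"stale"))
    r.on_connect()                                                      # client reconnects to the AP
    out["after_reconnect"] = r.receive(Fragment(3, 1, False, 1, b"index"))

    r = Reassembler()
    r.receive(Fragment(4, 0, True, 1, b"GET /"))
    out["gap"] = r.receive(Fragment(4, 2, False, 1, b"index"))          # fragment 1 missing

    r = Reassembler()
    out["lone_last_fragment"] = r.receive(Fragment(5, 1, False, 1, b"index"))
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result!r}")
```

Only the first scenario yields a frame; every other sequence is silently dropped rather than assembled from fragments of unknown origin. A real driver would additionally key the cache on the transmitter address and age out entries, but the three checks above are what close the design flaws described in the text.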

More details to follow

To go further:

https://www.fragattacks.com/