Fragmentation And Aggregation Attacks in Wi-Fi Implementation and Design (FragAttacks)

We discussed this vulnerability as part of our weekly podcast on 18 May 2021

12 CVEs, a few fundamental design issues, and some implementation issues. The implementation issues generally just removed some restrictions on abusing the design flaws making them more practical. The interesting part are the design flaws though.

First is in frame aggregation. As it is inefficient to send many small frames over the air a device might aggregate multiple frames into a single WiFi packet. When this happens a flag is set in the header indicating aggregation happened. The problem is that a MitM can manipulate this flag as it is not protected from tampering. So, with attacker controlled TCP data (like connecting to an attacker controlled server) a MitM can flip the flag on the WiFi packet and have its data treated as though it was multiple frames aggregated together. Enabling the injection of packets, such as an ICMP Router Advertisement providing a new malicious DNS to be used.

Second is an issue with the fragment cache. The note here being that fragmentation is rarely used except on WiFi 6. The issue being that the cache is not cleared across connections of the same MAC. So an attacker can connect, spoof their MAC to match the victim, and send a fragment to the router to be cached then disconnect. WHen the victim connects, and potentially sends their own fragments it’ll join the new packets with the attacker’s packets, allowing for exfiltration or injection of packets.

Third is the “Mixed Key” attack. This is where the fragments will be decrypted and reassembled even if different keys were used when sending them. The attack scenario being say a victim sends two packets, A and B, a MitM drops B, the victim refreshes their session key, and sends two more packets A2 and B2, the MitM dropping A2 this time. The packet will be reassembled as A and B2. Creating a scenario where an attacker and mix-and-match packets to create something more interesting. The author admits this is a fairly academic and unrealistic attack but still worth considering as someone might make it practical in the future.