Possible security hole when attacker connects with wrong WPA/RSN IE
Andriy Tkachuk
andriy.v.tkachuk
Tue Nov 3 09:53:47 PST 2009
Hello Jouni and folks.
It looks like hostapd allows (for example, when working with the madwifi,
atheros or bsd driver wrappers) clients to stay connected indefinitely
when they have connected with a wrong WPA/RSN IE, while the Host AP driver
will fail association for such clients. In the worse case, when vendors
don't implement EAPOL frame filtering before the 4-way handshake completes
and keys are set, an attacker may stay connected and use AP resources in
Open mode. In the less bad case, the AP could be open to a DoS attack.
The solution seems to be straightforward - just disconnect such clients,
either from the driver wrappers, or maybe even better - from the
hostapd_notif_assoc() routine, for example as in the attached patch.
Regards,
Andriy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hostapd-handle-weird-wpa_ie.patch
Url: http://lists.shmoo.com/pipermail/hostap/attachments/20091103/ab76b497/attachment.txt
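The check the post proposes, as an added stand-alone example that is not the attached patch and not hostapd's own code: a minimal RSN IE validator of the kind an AP must run on (Re)Association Requests, plus a simulated notification handler that disconnects a station the driver already associated when its IE does not match the AP's policy. The policy struct, the sta_state struct, notif_assoc() and the sample IEs are all constructed here; the status and reason codes are the IEEE 802.11 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WLAN_EID_RSN 48
#define RSN_VERSION  1

/* IEEE 802.11 status codes (Association Response) and reason codes (Deauth) */
#define WLAN_STATUS_SUCCESS                    0
#define WLAN_STATUS_INVALID_IE                 40
#define WLAN_STATUS_GROUP_CIPHER_NOT_VALID     41
#define WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID  42
#define WLAN_STATUS_AKMP_NOT_VALID             43
#define WLAN_STATUS_UNSUPPORTED_RSN_IE_VERSION 44
#define WLAN_REASON_INVALID_IE                 13
#define WLAN_REASON_GROUP_CIPHER_NOT_VALID     18
#define WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID  19
#define WLAN_REASON_AKMP_NOT_VALID             20
#define WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION 21

/* Suite selectors are OUI 00-0F-AC plus a type byte, packed here as one integer */
#define RSN_SELECTOR(type) (0x000FAC00u | (uint32_t)(type))
#define RSN_CIPHER_TKIP RSN_SELECTOR(2)
#define RSN_CIPHER_CCMP RSN_SELECTOR(4)
#define RSN_AKM_8021X   RSN_SELECTOR(1)
#define RSN_AKM_PSK     RSN_SELECTOR(2)
#define MAX_SUITES 8

/* Hypothetical AP policy (what hostapd.conf would allow); not hostapd's struct */
struct ap_rsn_policy {
    uint32_t group_cipher;
    uint32_t pairwise[MAX_SUITES]; size_t n_pairwise;
    uint32_t akm[MAX_SUITES];      size_t n_akm;
};

/* Station state as a driver wrapper reports it after in-driver association */
struct sta_state { int associated; int deauth_reason; };

static uint32_t get_selector(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static int any_allowed(const uint32_t *off, size_t n_off, const uint32_t *ok, size_t n_ok)
{
    for (size_t i = 0; i < n_off; i++)
        for (size_t j = 0; j < n_ok; j++)
            if (off[i] == ok[j]) return 1;
    return 0;
}

/* Parse "count + selectors"; returns -1 when the list is malformed or truncated */
static int parse_suite_list(const uint8_t **p, size_t *left, uint32_t *out, size_t *n)
{
    if (*left < 2) return -1;
    size_t count = (*p)[0] | ((size_t)(*p)[1] << 8);
    *p += 2; *left -= 2;
    if (count == 0 || count > MAX_SUITES || *left < count * 4) return -1;
    for (size_t i = 0; i < count; i++) { out[i] = get_selector(*p); *p += 4; *left -= 4; }
    *n = count;
    return 0;
}

/* Validate an RSN IE against the AP policy; returns the 802.11 status code to
 * answer with. Trailing fields left out of the IE take the 802.11 defaults. */
int validate_rsn_ie(const struct ap_rsn_policy *pol, const uint8_t *ie, size_t len)
{
    if (ie == NULL || len < 4 || ie[0] != WLAN_EID_RSN || ie[1] != len - 2)
        return WLAN_STATUS_INVALID_IE;
    const uint8_t *p = ie + 2;
    size_t left = ie[1];
    if ((p[0] | (p[1] << 8)) != RSN_VERSION) return WLAN_STATUS_UNSUPPORTED_RSN_IE_VERSION;
    p += 2; left -= 2;
    uint32_t group = RSN_CIPHER_CCMP;
    uint32_t pairwise[MAX_SUITES] = { RSN_CIPHER_CCMP }; size_t n_pw = 1;
    uint32_t akm[MAX_SUITES] = { RSN_AKM_8021X };        size_t n_akm = 1;
    if (left >= 4) { group = get_selector(p); p += 4; left -= 4; }
    else if (left > 0) return WLAN_STATUS_INVALID_IE;
    if (left > 0 && parse_suite_list(&p, &left, pairwise, &n_pw) < 0) return WLAN_STATUS_INVALID_IE;
    if (left > 0 && parse_suite_list(&p, &left, akm, &n_akm) < 0) return WLAN_STATUS_INVALID_IE;
    /* RSN capabilities / PMKIDs that may follow are not policy-relevant here */
    if (group != pol->group_cipher) return WLAN_STATUS_GROUP_CIPHER_NOT_VALID;
    if (!any_allowed(pairwise, n_pw, pol->pairwise, pol->n_pairwise)) return WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID;
    if (!any_allowed(akm, n_akm, pol->akm, pol->n_akm)) return WLAN_STATUS_AKMP_NOT_VALID;
    return WLAN_STATUS_SUCCESS;
}

static int status_to_reason(int status)
{
    switch (status) {
    case WLAN_STATUS_GROUP_CIPHER_NOT_VALID:     return WLAN_REASON_GROUP_CIPHER_NOT_VALID;
    case WLAN_STATUS_PAIRWISE_CIPHER_NOT_VALID:  return WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID;
    case WLAN_STATUS_AKMP_NOT_VALID:             return WLAN_REASON_AKMP_NOT_VALID;
    case WLAN_STATUS_UNSUPPORTED_RSN_IE_VERSION: return WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION;
    default:                                     return WLAN_REASON_INVALID_IE;
    }
}

/* Simulated hostapd_notif_assoc(): the driver already associated the station,
 * so on a bad IE the AP must actively disconnect it rather than leave it there. */
int notif_assoc(const struct ap_rsn_policy *pol, struct sta_state *sta, const uint8_t *ie, size_t len)
{
    int status = validate_rsn_ie(pol, ie, len);
    if (status != WLAN_STATUS_SUCCESS) {
        sta->associated = 0;   /* in hostapd this would be a deauth/disassoc via the driver */
        sta->deauth_reason = status_to_reason(status);
    }
    return status;
}

/* Constructed sample policy and IEs (not captured traffic): AP is CCMP + WPA2-PSK only */
static const struct ap_rsn_policy ccmp_psk_only = {
    .group_cipher = RSN_CIPHER_CCMP, .pairwise = { RSN_CIPHER_CCMP }, .n_pairwise = 1,
    .akm = { RSN_AKM_PSK }, .n_akm = 1,
};
static const uint8_t ie_good[] = { 0x30,0x14, 0x01,0x00, 0x00,0x0f,0xac,0x04,
    0x01,0x00, 0x00,0x0f,0xac,0x04, 0x01,0x00, 0x00,0x0f,0xac,0x02, 0x00,0x00 };
static const uint8_t ie_tkip_pairwise[] = { 0x30,0x14, 0x01,0x00, 0x00,0x0f,0xac,0x04,
    0x01,0x00, 0x00,0x0f,0xac,0x02, 0x01,0x00, 0x00,0x0f,0xac,0x02, 0x00,0x00 };
static const uint8_t ie_bad_version[] = { 0x30,0x02, 0x02,0x00 };
static const uint8_t ie_truncated[]   = { 0x30,0x05, 0x01,0x00, 0x00,0x0f,0xac };

/* Returns 0 if the station stays associated, else the deauth reason chosen */
int sta_deauth_reason(const uint8_t *ie, size_t len)
{
    struct sta_state sta = { 1, 0 };
    notif_assoc(&ccmp_psk_only, &sta, ie, len);
    return sta.associated ? 0 : sta.deauth_reason;
}

int main(void)
{
    printf("good IE: reason %d, TKIP pairwise: reason %d, bad version: reason %d\n",
           sta_deauth_reason(ie_good, sizeof ie_good),
           sta_deauth_reason(ie_tkip_pairwise, sizeof ie_tkip_pairwise),
           sta_deauth_reason(ie_bad_version, sizeof ie_bad_version));
    return 0;
}
```

The point of routing the decision through the notification handler is that it covers every driver wrapper at once: whatever the driver accepted, a station whose IE fails policy ends up deauthenticated with a specific reason code instead of sitting in the associated table before the 4-way handshake.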