Possible security hole when attacker connects with wrong WPA/RSN IE

Andriy Tkachuk andriy.v.tkachuk at globallogic.com
Tue Nov 3 13:01:27 EST 2009


Sorry, but in the previous patch *_STATUS_* should be changed to *_REASON_*. 
Fixed patch attached.

On 2009-11-03 19:53, Andriy Tkachuk wrote:
> Hello Jouni and folks.
>
> It looks like hostapd allows clients (for example, when working with the 
> madwifi, atheros or bsd driver wrappers) to stay connected indefinitely 
> when they have connected with a wrong WPA/RSN IE, while the Host AP 
> driver will fail association for such clients. In the worst case, when 
> vendors don't implement EAPoL frame filtering before the 4-way handshake 
> completes and keys are set, an attacker may stay connected and use AP 
> resources in Open mode. In a less severe case the AP could be open to a 
> DoS attack.
>
> The solution seems to be straightforward: just disconnect such clients 
> either from the driver wrappers or, maybe even better, from the 
> hostapd_notif_assoc() routine, for example as in the attached patch.
>
> Regards,
>    Andriy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hostapd-handle-weird-wpa_ie2.patch
Url: http://lists.shmoo.com/pipermail/hostap/attachments/20091103/9d4b18a3/attachment.txt 
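The check the message argues for, written out as a stand-alone example that is not the attached patch and not hostapd code: an AP-side validator that walks the tagged parameters of an association request, parses the RSN IE (element ID 48) and returns 0 to accept the station or the IEEE 802.11 reason code the AP should deauthenticate it with, so that a client whose RSN IE is wrong, truncated or missing is kicked off instead of staying associated as if the BSS were Open. The ap_rsn_config / sta_rsn_result structs, the sample CCMP+PSK policy and the ies_* frames are constructed for this example; the reason-code values and the RSN IE layout are the standard's. The vendor-specific WPA IE, the RSN defaults for truncated elements and the optional PMKID / group management cipher fields are deliberately not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IEEE 802.11 reason codes carried in the Deauthentication frame the AP sends. */
#define WLAN_REASON_INVALID_IE                 13
#define WLAN_REASON_GROUP_CIPHER_NOT_VALID     18
#define WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID  19
#define WLAN_REASON_AKMP_NOT_VALID             20
#define WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION 21
#define WLAN_EID_RSN   48
#define RSN_SUITE_TKIP 2   /* suite types under OUI 00-0F-AC */
#define RSN_SUITE_CCMP 4
#define RSN_AKM_PSK    2

struct ap_rsn_config {      /* hypothetical AP policy, not hostapd's own struct */
    uint8_t  group_cipher;  /* required group cipher suite type */
    uint32_t pairwise_mask; /* bit N set = pairwise suite type N allowed */
    uint32_t akm_mask;      /* bit N set = AKM suite type N allowed */
};
struct sta_rsn_result { uint8_t pairwise, akm; };  /* suites negotiated for the STA */
static const uint8_t rsn_oui[3] = { 0x00, 0x0f, 0xac };

/* Pick the first suite in a count-prefixed selector list (OUI + type) that the mask
 * allows. Returns bytes consumed, 0 if the list is malformed; *chosen = 0xff if none fit. */
static size_t pick_suite(const uint8_t *p, size_t left, uint32_t mask, uint8_t *chosen)
{
    uint16_t count, i; const uint8_t *s;
    *chosen = 0xff;
    if (left < 2) return 0;
    count = (uint16_t)(p[0] | (p[1] << 8));
    if (count == 0 || left - 2 < (size_t)count * 4) return 0;
    for (i = 0, s = p + 2; i < count; i++, s += 4)
        if (*chosen == 0xff && memcmp(s, rsn_oui, 3) == 0 && s[3] < 32 && (mask & (1u << s[3])))
            *chosen = s[3];
    return 2 + (size_t)count * 4;
}

/* Validate one RSN element (EID, length, body). Returns 0 and fills *out when the AP can
 * accept it, otherwise the reason code to deauthenticate with. Explicit group/pairwise/AKM
 * fields are required (no defaults for a truncated element); PMKIDs etc. are not examined. */
int rsn_ie_check(const struct ap_rsn_config *cfg, const uint8_t *ie, size_t ie_len,
                 struct sta_rsn_result *out)
{
    const uint8_t *p; size_t left, used;
    if (ie_len < 2 || ie[0] != WLAN_EID_RSN || (size_t)ie[1] + 2 > ie_len)
        return WLAN_REASON_INVALID_IE;
    p = ie + 2; left = ie[1];
    if (left < 2) return WLAN_REASON_INVALID_IE;
    if ((p[0] | (p[1] << 8)) != 1) return WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION;  /* version */
    p += 2; left -= 2;
    if (left < 4) return WLAN_REASON_INVALID_IE;
    if (memcmp(p, rsn_oui, 3) != 0 || p[3] != cfg->group_cipher)
        return WLAN_REASON_GROUP_CIPHER_NOT_VALID;
    p += 4; left -= 4;
    if ((used = pick_suite(p, left, cfg->pairwise_mask, &out->pairwise)) == 0)
        return WLAN_REASON_INVALID_IE;
    if (out->pairwise == 0xff) return WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID;
    p += used; left -= used;
    if ((used = pick_suite(p, left, cfg->akm_mask, &out->akm)) == 0)
        return WLAN_REASON_INVALID_IE;
    if (out->akm == 0xff) return WLAN_REASON_AKMP_NOT_VALID;
    left -= used;
    return left == 1 ? WLAN_REASON_INVALID_IE : 0;  /* a lone byte: half an RSN capabilities field */
}

/* Walk the tagged parameters of a (Re)Association Request. Returns 0 to accept, otherwise
 * the reason code for the deauth the AP must send so the station is not left associated. */
int assoc_req_check(const struct ap_rsn_config *cfg, const uint8_t *ies, size_t len,
                    struct sta_rsn_result *out)
{
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t eid = ies[pos], elen = ies[pos + 1];
        if (pos + 2 + elen > len) return WLAN_REASON_INVALID_IE;  /* element runs past the frame */
        if (eid == WLAN_EID_RSN) return rsn_ie_check(cfg, ies + pos, 2 + (size_t)elen, out);
        pos += 2 + elen;
    }
    return WLAN_REASON_INVALID_IE;  /* dangling byte, or no RSN IE at all on an RSN-only BSS */
}

/* Sample AP policy (constructed): CCMP group and pairwise, PSK only. */
const struct ap_rsn_config ap_ccmp_psk = { RSN_SUITE_CCMP, 1u << RSN_SUITE_CCMP, 1u << RSN_AKM_PSK };

/* Constructed association-request IE lists: SSID "test" followed by an RSN IE. */
#define SSID_TEST   0x00, 0x04, 't', 'e', 's', 't'
#define RSN_V1_CCMP 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04  /* len 20, version 1, group CCMP */
#define ONE_PW      0x01, 0x00, 0x00, 0x0f, 0xac                     /* 1 pairwise suite, type follows */
#define PSK_CAPS    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00  /* 1 AKM = PSK, capabilities 0 */
const uint8_t ies_ok[]     = { SSID_TEST, RSN_V1_CCMP, ONE_PW, RSN_SUITE_CCMP, PSK_CAPS };
const uint8_t ies_tkip[]   = { SSID_TEST, RSN_V1_CCMP, ONE_PW, RSN_SUITE_TKIP, PSK_CAPS };
const uint8_t ies_badver[] = { SSID_TEST, 0x30, 0x14, 0x02, 0x00, 0x00, 0x0f, 0xac, 0x04, ONE_PW, RSN_SUITE_CCMP, PSK_CAPS };
const uint8_t ies_short[]  = { SSID_TEST, 0x30, 0x05, 0x01, 0x00, 0x00, 0x0f, 0xac };  /* cut off inside the group cipher */
const uint8_t ies_open[]   = { SSID_TEST };                                            /* no RSN IE at all */

int main(void)
{
    struct sta_rsn_result r = { 0, 0 };
    printf("ok=%d tkip=%d badver=%d short=%d open=%d\n",
           assoc_req_check(&ap_ccmp_psk, ies_ok, sizeof ies_ok, &r),
           assoc_req_check(&ap_ccmp_psk, ies_tkip, sizeof ies_tkip, &r),
           assoc_req_check(&ap_ccmp_psk, ies_badver, sizeof ies_badver, &r),
           assoc_req_check(&ap_ccmp_psk, ies_short, sizeof ies_short, &r),
           assoc_req_check(&ap_ccmp_psk, ies_open, sizeof ies_open, &r));
    return 0;
}
```

The point of returning a reason code rather than a bare failure is the one the reply above makes: the station was already associated when the wrapper handed it over, so the AP has to send a Deauthentication with a *_REASON_* value, not an association *_STATUS_* code, and a wrapper that cannot reject the association itself still has to issue that deauth from the hostapd side.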

