Date:      Wed, 26 Nov 2003 13:13:36 +0000
From:      "Andrea Bittau (sorbo)" <sorbox@yahoo.com>
To:        freebsd-current@freebsd.org
Subject:   wi driver reads wrong first 8 bytes when in monitor mode in data packets
Message-ID:  <20031126131335.GA1605@tribal.sorbonet.org>

If I am not wrong, it seems that the wi driver, when in monitor mode, will skip
8 bytes of data input (filling it in with random values).

We notice in if_wi.c:

        case 7:
                switch (rx_frame->wi_whdr.i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
                case IEEE80211_FC0_TYPE_DATA:
                        hdrlen = WI_DATA_HDRLEN;

Data is then read according to the hdrlen offset:

        if (wi_read_bap(sc, fid, hdrlen, mtod(m, caddr_t) + hdrlen,
            datlen + 2) == 0) {

in if_wavelan_ieee.h:
#define WI_DATA_HDRLEN          0x44
#define WI_MGMT_HDRLEN          0x3C
#define WI_CTL_HDRLEN           0x3C

We notice that data frames seem to have an extra 8-byte "header".

We then notice:

        /*
         * all data packets have a snap (sub-network access protocol) header that
         * isn't entirely defined, but added for ethernet compatibility.
         */
        struct wi_snap_frame {
                u_int16_t       wi_dat[3];
                u_int16_t       wi_type;
        };

(It is 8 bytes.)
It seems as if the LLC/SNAP is treated as an "802.11 header" per se and not as
actual data. (Maybe this was the mentality of the developers.)

Under "normal" circumstances this is OK, since many people do not care about
SNAP/LLC when in monitor mode. In fact, the IP header will be just fine.

However, when auditing WEP, those 8 bytes are crucial (since the first 3+1 bytes
contain IV information), and the first few bytes of ciphertext are normally used
in known-plaintext attacks. In fact, bsd-airtools will probably not work at all.

I am running:
FreeBSD tribal.sorbonet.org 5.2-BETA FreeBSD 5.2-BETA #5: Wed Nov 26 05:24:11 GMT 2003     root@tribal.sorbonet.org:/usr/obj/usr/src/sys/SORBO  i386


A very basic patch which seems to work is:
if_wavelan_ieee.h.diff:

********** CUT ********************

*** if_wavelan_ieee.h.orig      Wed Nov 26 06:00:58 2003
--- if_wavelan_ieee.h   Wed Nov 26 05:08:08 2003
***************
*** 466,472 ****
        u_int8_t        wi_src_addr[6];
        u_int16_t       wi_len;
  };
! #define WI_DATA_HDRLEN                0x44
  #define WI_MGMT_HDRLEN                0x3C
  #define WI_CTL_HDRLEN         0x3C

--- 466,472 ----
        u_int8_t        wi_src_addr[6];
        u_int16_t       wi_len;
  };
! #define WI_DATA_HDRLEN                0x3C
  #define WI_MGMT_HDRLEN                0x3C
  #define WI_CTL_HDRLEN         0x3C
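
Review bot: changing WI_DATA_HDRLEN in the shared header changes every user of the macro, not only the monitor-mode case 7 path quoted above; any other receive path that relies on 0x44 to step over the 8-byte wi_snap_frame will now hand those bytes up as payload. A narrower fix is to leave the macro at 0x44 and, in case 7 of if_wi.c, set `hdrlen = WI_DATA_HDRLEN - sizeof(struct wi_snap_frame);` (or simply WI_MGMT_HDRLEN) with a comment saying the monitor path wants the raw frame body. Also, wi_read_bap still reads datlen + 2 bytes, now from an offset 8 bytes earlier, so check that datlen already counts the SNAP bytes; otherwise the last 8 bytes of each data frame are dropped.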

********** CUT ****************





Andrea Bittau
sorbox@yahoo.com
http://www.darkircop.org
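The following is an added example, not code from the mail or from the FreeBSD wi driver. It shows why the 8 bytes between WI_MGMT_HDRLEN (0x3C) and WI_DATA_HDRLEN (0x44) matter to a WEP auditor, and goes one step past the mail by recovering the first keystream bytes from the known LLC/SNAP plaintext, the usual known-plaintext trick the mail alludes to. Assumptions: the receive buffer is WI_MGMT_HDRLEN bytes of opaque descriptor plus 802.11 header (zeroed here; a real buffer carries the Prism descriptor and header), followed directly by IV || key index || ciphertext; the sample IV, keystream and plaintext are constructed, and the keystream stands in for RC4 output rather than being computed.

```c
/* Added example (not from the mail or the wi driver): reading the frame body
 * at 0x44 instead of 0x3C loses the WEP IV and shifts the ciphertext by 8. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WI_DATA_HDRLEN 0x44   /* as shipped: data-frame body read from here */
#define WI_MGMT_HDRLEN 0x3C   /* the mail's patched value */
#define WEP_IV_LEN     4      /* 3 IV bytes + 1 byte carrying the key index */
#define SNAP_LEN       8      /* LLC/SNAP: AA AA 03 00 00 00 + 2-byte ethertype */
#define BODY_CT_LEN    16     /* ciphertext bytes in the constructed frame */
#define FRAME_LEN      (WI_MGMT_HDRLEN + WEP_IV_LEN + BODY_CT_LEN)

/* Known plaintext at the start of every WEP-encrypted IP data frame. */
static const uint8_t snap_ip[SNAP_LEN] =
    {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00};

/* Constructed sample values, not a real capture. sample_ks stands in for the
 * RC4 keystream; sample_pt is SNAP followed by the start of an IPv4 header. */
static const uint8_t sample_iv[3]  = {0x01, 0x02, 0x03};
static const uint8_t sample_keyid  = 0x00;
static const uint8_t sample_ks[BODY_CT_LEN] =
    {0x11, 0x22, 0x33, 0x44, 0x5a, 0x6b, 0x7c, 0x8d,
     0x9e, 0xaf, 0xb0, 0xc1, 0xd2, 0xe3, 0xf4, 0x05};
static const uint8_t sample_pt[BODY_CT_LEN] =
    {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,
     0x45, 0x00, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00};

struct wep_view {
    uint8_t iv[3];
    uint8_t keyid;
    uint8_t keystream[SNAP_LEN];  /* ciphertext XOR known SNAP header */
};

/* Lay out a monitor-mode receive buffer: WI_MGMT_HDRLEN bytes of descriptor
 * plus 802.11 header (assumed opaque, zeroed), then IV || keyid || ciphertext.
 * Returns the number of bytes written, 0 if cap is too small. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    if (cap < FRAME_LEN)
        return 0;
    memset(buf, 0, WI_MGMT_HDRLEN);
    uint8_t *body = buf + WI_MGMT_HDRLEN;
    memcpy(body, sample_iv, 3);
    body[3] = sample_keyid;
    for (size_t i = 0; i < BODY_CT_LEN; i++)
        body[WEP_IV_LEN + i] = sample_pt[i] ^ sample_ks[i];
    return FRAME_LEN;
}

/* Read the frame body starting at hdrlen the way a WEP auditor does: IV in
 * the first 3 bytes, key index in the 4th, then the first 8 ciphertext bytes
 * XOR the known SNAP header give 8 keystream bytes for this IV.
 * Returns 0 on success, -1 if the buffer is too short. */
int wep_view_at(const uint8_t *buf, size_t len, size_t hdrlen,
                struct wep_view *out)
{
    if (len < hdrlen + WEP_IV_LEN + SNAP_LEN)
        return -1;
    const uint8_t *body = buf + hdrlen;
    memcpy(out->iv, body, 3);
    out->keyid = body[3];
    for (size_t i = 0; i < SNAP_LEN; i++)
        out->keystream[i] = body[WEP_IV_LEN + i] ^ snap_ip[i];
    return 0;
}

/* 1 if the view recovered exactly the IV, key index and keystream the sample
 * frame was built with, 0 otherwise. */
int view_matches_sample(const struct wep_view *v)
{
    return memcmp(v->iv, sample_iv, 3) == 0 && v->keyid == sample_keyid &&
           memcmp(v->keystream, sample_ks, SNAP_LEN) == 0;
}

/* Build the sample frame, parse it at hdrlen, and report: -1 if the parse
 * fails, otherwise whether the IV and keystream came out right. */
int check_offset(size_t hdrlen)
{
    uint8_t frame[FRAME_LEN];
    struct wep_view v;
    build_sample_frame(frame, sizeof frame);
    if (wep_view_at(frame, sizeof frame, hdrlen, &v) != 0)
        return -1;
    return view_matches_sample(&v);
}

int main(void)
{
    uint8_t frame[FRAME_LEN];
    struct wep_view good, bad;
    build_sample_frame(frame, sizeof frame);
    wep_view_at(frame, sizeof frame, WI_MGMT_HDRLEN, &good);
    wep_view_at(frame, sizeof frame, WI_DATA_HDRLEN, &bad);
    printf("hdrlen 0x3C: IV %02x%02x%02x keyid %02x keystream ok=%d\n",
           good.iv[0], good.iv[1], good.iv[2], good.keyid,
           view_matches_sample(&good));
    printf("hdrlen 0x44: IV %02x%02x%02x keyid %02x keystream ok=%d\n",
           bad.iv[0], bad.iv[1], bad.iv[2], bad.keyid,
           view_matches_sample(&bad));
    return 0;
}
```

With hdrlen 0x3C the parser sees IV 010203 and the keystream the frame was built with; with 0x44 it reads ciphertext bytes as the IV and XORs the wrong 8 bytes against the SNAP header, which is exactly the data a WEP tool running over this driver would have been fed.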



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031126131335.GA1605>