Authentication / MAC Spoofing of Device with Known PSK
Description
MAC spoofing of a device with a known PSK is an authentication weakness (CWE-287) found in network infrastructure. The attacker changes the MAC address of their own device to that of a device whose pre-shared key (PSK) is known, in order to gain access to the network; the attack is commonly used to bypass an authentication control and get onto the network. According to the OWASP Testing Guide, the attack proceeds in three steps: obtain the MAC address of the target device, spoof that MAC address on the attacker's device together with the known PSK, and finally attempt to authenticate to the network.
Risk
This vulnerability carries a high risk for the security of the network. By bypassing the authentication control the attacker gains access to the network, and with it to sensitive data and resources on that network. The result can be severe damage to the network and serious consequences for the security of the organization.
Solution
The best protection against this vulnerability is a strong authentication protocol that does not trust a MAC address as an identity: two-factor authentication, or a combination of public key authentication and password authentication. In addition, organizations should employ network segmentation and network access control so that a device which does get onto the network can reach as little as possible.
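As an added example that is not part of the original page, the following Python script applies the network-access-control idea above on the detection side. It reads association log lines from a wireless controller and flags two signs that a PSK-authenticated MAC address is being reused by a second device: the MAC presents a hostname other than the one it was enrolled with, or it associates on two different access points within a short window, which a single physical device cannot do. The log format, the enrolment baseline and the sample log lines are all constructed for this example and do not come from any real product.

```python
import re
from datetime import datetime, timedelta

# Constructed log format, modelled on a controller's association log
# (not any real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ap=(?P<ap>\S+) "
    r"event=assoc mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) hostname=(?P<host>\S+)$"
)

# Constructed enrolment baseline: the hostname each PSK-authenticated device
# identified itself with when it was first admitted to the network.
KNOWN_DEVICES = {
    "aa:bb:cc:dd:ee:01": "printer-3f",
    "aa:bb:cc:dd:ee:02": "laptop-alice",
}

# Constructed sample log lines: the printer's MAC reappears on another AP
# 30 seconds later under a different hostname, then returns 90 seconds later.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z ap=ap-lobby event=assoc mac=aa:bb:cc:dd:ee:01 hostname=printer-3f",
    "2024-05-01T10:00:10Z ap=ap-lobby event=assoc mac=aa:bb:cc:dd:ee:02 hostname=laptop-alice",
    "2024-05-01T10:00:30Z ap=ap-garage event=assoc mac=aa:bb:cc:dd:ee:01 hostname=workstation-7",
    "2024-05-01T10:02:00Z ap=ap-lobby event=assoc mac=aa:bb:cc:dd:ee:01 hostname=printer-3f",
    "2024-05-01T10:05:00Z ap=ap-lobby event=assoc mac=aa:bb:cc:dd:ee:03 hostname=guest-phone",
    "malformed line that the parser must skip",
]


def parse_line(line):
    """Return a dict for a well-formed association record, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mac_reuse(lines, known=KNOWN_DEVICES, window=timedelta(seconds=60)):
    """Flag two signs that a known MAC is being reused by a second device.

    hostname-mismatch: the MAC presents a hostname other than its enrolled one.
    concurrent-association: the MAC associates on two different APs within
    `window`; a single physical device cannot be in two places at once.
    Returns a list of (finding, mac, ...) tuples in log order.
    """
    findings = []
    last_seen = {}  # mac -> (timestamp, ap) of its most recent association
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as evidence
        mac, ap = rec["mac"], rec["ap"]
        expected = known.get(mac)
        if expected is not None and rec["host"] != expected:
            findings.append(("hostname-mismatch", mac, ap, rec["host"]))
        prev = last_seen.get(mac)
        if prev is not None and prev[1] != ap and rec["ts"] - prev[0] <= window:
            findings.append(("concurrent-association", mac, prev[1], ap))
        last_seen[mac] = (rec["ts"], ap)
    return findings


if __name__ == "__main__":
    for finding in detect_mac_reuse(SAMPLE_LOG):
        print(finding)
```

The 60-second window is a tuning knob: the fourth sample line, 90 seconds after the garage association, is deliberately outside it and produces no finding, so a device that genuinely roams between access points is not flagged. In a real deployment the baseline would come from the NAC's enrolment records and the findings would feed an alert rather than stdout.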
Example
The following C code is based on CVE-2020-5384 and shows, in outline, how a device's MAC address is changed through rtnetlink, which is the primitive behind MAC spoofing of a device with a known PSK.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <net/if.h>

// Parse "aa:bb:cc:dd:ee:ff" into six raw bytes; return -1 on malformed input
static int parse_mac(const char *mac_addr, unsigned char out[6])
{
    unsigned int b[6];
    if (strlen(mac_addr) != 17)
        return -1;
    if (sscanf(mac_addr, "%2x:%2x:%2x:%2x:%2x:%2x",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        out[i] = (unsigned char) b[i];
    return 0;
}

// Change the link-layer (MAC) address of interface ifname over rtnetlink.
// A MAC is set with RTM_NEWLINK + IFLA_ADDRESS (the request behind
// `ip link set dev <ifname> address <mac>`), not RTM_NEWADDR; the caller
// needs CAP_NET_ADMIN.
int set_mac_address(const char *ifname, const char *mac_addr)
{
    unsigned char mac[6];
    if (parse_mac(mac_addr, mac) != 0)
        return -1;
    unsigned int ifindex = if_nametoindex(ifname);
    if (ifindex == 0)
        return -1;
    // Set up the netlink socket
    int sockfd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (sockfd < 0)
        return -1;
    // Create the payload: header, ifinfomsg, then one IFLA_ADDRESS attribute
    struct {
        struct nlmsghdr nlhdr;
        struct ifinfomsg ifinfo;
        char attrbuf[RTA_SPACE(6)];
    } req;
    memset(&req, 0, sizeof(req));
    // Set up the netlink header
    req.nlhdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
    req.nlhdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req.nlhdr.nlmsg_type = RTM_NEWLINK;
    // Set up the ifinfomsg structure
    req.ifinfo.ifi_family = AF_UNSPEC;
    req.ifinfo.ifi_index = (int) ifindex;
    // Set up the rtattr structure and fill it with the new MAC address
    struct rtattr *rta_mac = (struct rtattr *)((char *) &req + NLMSG_ALIGN(req.nlhdr.nlmsg_len));
    rta_mac->rta_type = IFLA_ADDRESS;
    rta_mac->rta_len = RTA_LENGTH(6);
    memcpy(RTA_DATA(rta_mac), mac, 6);
    req.nlhdr.nlmsg_len = NLMSG_ALIGN(req.nlhdr.nlmsg_len) + RTA_LENGTH(6);
    // Send the request to the kernel
    struct sockaddr_nl saddr;
    memset(&saddr, 0, sizeof(saddr));
    saddr.nl_family = AF_NETLINK;
    int rc = 0;
    if (sendto(sockfd, &req, req.nlhdr.nlmsg_len, 0,
               (struct sockaddr *) &saddr, sizeof(saddr)) < 0)
        rc = -1;
    close(sockfd);
    return rc;
}