(dup message; first was rejected due to HTML; I am noob)

Embedded spaces are only the tip of the iceberg. I have a set of evil test SSIDs I use. The 802.11 spec just says "32 chars" and is very unspecific about what a "char" consists of. We've found lots of weird corner cases in applications, drivers, when hitting corner cases (like exactly 32 chars).

#!/usr/bin/env python3

import logging

logger = logging.getLogger("wifi.dave")

# every SSID object registers itself here on creation
evil = []

class SSID:
    def __init__(self, ssid):
        self.ssid = ssid
        self.buf = bytes(ssid, "utf8")

        # sanity checks: the limit applies to the encoded bytes, not the characters
        assert len(self.buf) <= 32, len(self.buf)

        # kinda gross but lets me keep the creation code simple
        evil.append(self)

    def __str__(self):
        return "%r" % self.buf

def evil_ssids():
    # embedded spaces
    ssid = SSID("this is a test")

    # leading / trailing spaces
    ssid = SSID(" this is a test")
    ssid = SSID("this is a test ")
    ssid = SSID(" this is a test ")

    # all spaces
    ssid = SSID(" ")

    # NULL bytes
    ssid = SSID("foo\0bar\0baz")

    # vt100 blink char
    # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
    ESC = chr(27)
    CSI = ESC + "["
    # blinkyblinky
    ssid = SSID(CSI + "5m")

    # for lols
    ssid = SSID("(╯°□°)╯︵ ┻━┻")
    ssid = SSID("")  # <-- poop emoji didn't come through text encoding this email

    # shell injection attack
    ssid = SSID("`logger hello from evil ssid`")
    ssid = SSID("$(logger hello from evil ssid)")

    # i18n chars
    ssid = SSID("René Decartes")
    ssid = SSID("Académie française")

    # exactly 32 chars
    ssid = SSID("01234567890123456789012345678901")

    # cross site scripting
    ssid = SSID("<script>alert('hi');</script>")

    # sloppy sql injection
    # https://www.w3schools.com/sql/sql_injection.asp
    ssid = SSID("; DROP TABLE passwords;")
    ssid = SSID(" or 1=1")

if __name__ == '__main__':
    evil_ssids()
    print("\n".join(["%s" % e for e in evil]))

On Wed, Dec 13, 2017 at 5:33 AM, Dale R. Worley <worley@xxxxxxxxxxxx> wrote:
> Erich Titl <erich.titl@xxxxxxxx> writes:
>> SALT# wpa_cli set_network 23 ssid \"NOS-CAFE DA MARINA\"
>> Selected interface 'wlan0'
>> OK
>
> I'm just a lurker here, but if SSIDs can contain spaces (I never
> realized that!), then *all* the programs have to be hardened to deal
> with spaces in SSIDs correctly. It's not too difficult if you pay close
> attention, but it's easy to overlook.
>
> For instance, one "correct" command line would be
>
> # wpa_cli set_network 23 ssid 'NOS-CAFE DA MARINA'
>
> This is also correct:
>
> # wpa_cli set_network 23 ssid "NOS-CAFE DA MARINA"
>
> In both cases, the 4th argument to the wpa_cli program is the string
> "NOS-CAFE DA MARINA" (19 characters).
>
> This command:
>
> # wpa_cli set_network 23 ssid \"NOS-CAFE DA MARINA\"
>
> would be expected to produce freaky results, since the 4th argument to
> wpa_cli is the string '"NOS-CAFE' (8 chars), the 5th is 'DA' (2 chars),
> and the 6th is 'MARINA"' (7 chars), since the spaces between the words
> aren't quoted (since the double-quotes are quoted, they do not make a
> quoted string).
>
> Where it gets tricky is if one of the programs involved is a shell
> script; then you have to take special care to always quote the SSID when
> it's mentioned.
>
> Taking a brief look, wpa_cli seems to be a binary executable, so it
> shouldn't be needing to take special care about spaces, it probably does
> the right thing automatically. But other programs in the suite may have
> problems.
>
> Dale
>
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap
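An added example, not part of the original thread: one way for a caller to handle SSIDs like the ones in the list above without relying on shell quoting. It shows how a POSIX shell tokenizes the quoted command lines, builds an argv list with no shell involved using the hex-string SSID form that wpa_supplicant's configuration format accepts, and escapes control bytes before an SSID reaches a log or terminal. The function names are hypothetical and the sample SSIDs are taken from the messages above.

```python
import shlex

MAX_SSID_OCTETS = 32  # the 802.11 limit counts octets, not characters


def shell_view(command_line):
    """Return the argv a POSIX shell would build from command_line."""
    return shlex.split(command_line)


def ssid_hex(ssid):
    """Encode raw SSID octets as an unquoted hex string (two digits per octet)."""
    if not 0 < len(ssid) <= MAX_SSID_OCTETS:
        raise ValueError("SSID must be 1..32 octets, got %d" % len(ssid))
    return ssid.hex()


def set_ssid_argv(network_id, ssid):
    """Build an argv list meant for subprocess.run(argv), i.e. without a shell.

    The hex form contains only [0-9a-f], so spaces, quotes, backticks and
    $(...) in the SSID never reach a tokenizer as metacharacters.
    """
    return ["wpa_cli", "set_network", str(int(network_id)), "ssid", ssid_hex(ssid)]


def printable(ssid):
    """Render SSID octets for logs/terminals: control bytes, invalid UTF-8
    and backslashes are shown as escapes instead of being emitted raw."""
    text = ssid.decode("utf-8", errors="surrogateescape")
    return "".join(
        ch if ch.isprintable() and ch != "\\"
        else ch.encode("unicode_escape").decode("ascii")
        for ch in text
    )


if __name__ == "__main__":
    # How the shell splits the escaped-quote command line from the thread.
    print(shell_view('wpa_cli set_network 23 ssid \\"NOS-CAFE DA MARINA\\"'))
    # Constructed sample input: a few SSIDs from the test list above.
    for raw in (b"NOS-CAFE DA MARINA", b"\x1b[5m", b"foo\0bar\0baz",
                b"$(logger hello from evil ssid)"):
        print(printable(raw), "->", set_ssid_argv(23, raw))
```
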