hostapd config parsing issues

Hi,

This was tested with hostapd 2.10, earlier versions are probably also affected.

Recently I started to test a WLAN module. For this I set up an AP with hostapd and verified the settings from a second system using "iw dev scan".

I reached a point where the configuration I had set no longer matched the scan result. I checked the source code and found out that the parsing of the option "ht_capab" does not check for "#" comments.
The comment in the following line is simply ignored:
ht_capab=[HT20] #[HT40+]

This is quite confusing, since programs usually do not parse comments or report an error. Even worse, in some cases this behavior can be used to lower security standards:
tls_flags=[ENABLE-TLSv1.3][ENABLE-TLSv1.2] #[ENABLE-TLSv1.0]

I searched some more and found a second problem.
The parser for wpa_pairwise is not vulnerable to comments but to NULL characters. If you add an ASCII NULL (binary 0) after "TKIP", hostapd will ignore "CCMP".
wpa_pairwise=TKIP CCMP (wpa_pairwise=TKIP^@ CCMP)

Some tools like "vim" show NULL as "^@" while others like "cat" ignore it completely and show a supposedly safe configuration.

It also seems that the "int line" variable in the config parser can be used to trigger an integer overflow since it is not checked. Because hostapd is compiled for many different architectures this might be a problem.

These are small bugs that require direct access to the system to pose a security threat and can be easily fixed. However, I would bet that the config parser has many similar problems, as I only had to search a few hours to find these ones. Maybe in the long term it would be better to replace the "self-made" parser with a tested library (libconfig?) to avoid these issues.

best regards,
Richard Schleich


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
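
A configuration lint for the two behaviours reported in the message above, as an added example that is not part of the original post or of hostapd: it flags option lines that carry a whitespace-preceded "#" after the value and lines that contain a NUL byte. The function name, the finding labels and the sample config are constructed for illustration, and a flagged "#" still needs review because a value may legitimately contain one.

```python
import re
import sys

# Constructed sample reproducing the example lines quoted in the report.
SAMPLE = (
    b"# full-line comments like this one are fine\n"
    b"interface=wlan0\n"
    b"ht_capab=[HT20] #[HT40+]\n"
    b"tls_flags=[ENABLE-TLSv1.3][ENABLE-TLSv1.2] #[ENABLE-TLSv1.0]\n"
    b"wpa_pairwise=TKIP\x00 CCMP\n"
    b"ssid=lab#1\n"
)


def lint_hostapd_conf(data: bytes):
    """Return (line_number, kind, key) findings for raw config bytes."""
    findings = []
    # Work on bytes and split on LF only, so a NUL stays inside its line
    # instead of being hidden or dropped by text decoding.
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line.strip() or line.startswith(b"#"):
            continue  # blank line or full-line comment
        key, sep, value = line.partition(b"=")
        key = key.strip().decode("ascii", "replace")
        if b"\x00" in line:
            # Invisible in "cat" output; shown as ^@ by vim.
            findings.append((lineno, "nul-byte", key))
        if sep and re.search(rb"\s#", value):
            # Looks like an inline comment; per the report, the text after
            # "#" was not ignored for ht_capab.
            findings.append((lineno, "inline-comment", key))
    return findings


if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for lineno, kind, key in lint_hostapd_conf(blob):
        print(f"line {lineno}: {kind} in option {key!r}")
    sys.exit(1 if lint_hostapd_conf(blob) else 0)
```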


