ssid with double space not stored correctly
David Poole
testcluster at gmail.com
Wed Dec 13 05:53:15 PST 2017
(dup message; first was rejected due to HTML; I am noob)
Embedded spaces is only the tip of the iceberg. I have a set of evil
test SSIDs I use. The 802.11 spec just says "32 chars" and is very
unspecific about what a "char" consists of. We've found lots of weird
corner cases in applications, drivers, when hitting corner cases (like
exactly 32 chars).
#!/usr/bin/env python3
import logging

logger = logging.getLogger("wifi.dave")

evil = []


class SSID:
    def __init__(self, ssid):
        self.ssid = ssid
        self.buf = bytes(ssid, "utf8")

        # sanity checks
        assert len(self.buf) <= 32, len(self.buf)

        # kinda gross but lets me keep the creation code simple
        evil.append(self)

    def __str__(self):
        return "%r" % self.buf


def evil_ssids():
    # embedded spaces
    ssid = SSID("this is a test")

    # leading / trailing spaces
    ssid = SSID(" this is a test")
    ssid = SSID("this is a test ")
    ssid = SSID(" this is a test ")

    # all spaces
    ssid = SSID(" ")

    # NULL bytes
    ssid = SSID("foo\0bar\0baz")

    # vt100 blink char
    # https://en.wikipedia.org/wiki/ANSI_escape_code#Colors
    ESC = chr(27)
    CSI = ESC + "["
    # blinkyblinky
    ssid = SSID(CSI + "5m")

    # for lols
    ssid = SSID("(╯°□°)╯︵ ┻━┻")
    ssid = SSID("")  # <-- poop emoji didn't come through text encoding this email

    # shell injection attack
    ssid = SSID("`logger hello from evil ssid`")
    ssid = SSID("$(logger hello from evil ssid)")

    # i18n chars
    ssid = SSID("René Decartes")
    ssid = SSID("Académie française")

    # exactly 32 chars
    ssid = SSID("01234567890123456789012345678901")

    # cross site scripting
    ssid = SSID("<script>alert('hi');</script>")

    # sloppy sql injection
    # https://www.w3schools.com/sql/sql_injection.asp
    ssid = SSID("; DROP TABLE passwords;")
    ssid = SSID(" or 1=1")


if __name__ == '__main__':
    evil_ssids()
    print("\n".join(["%s" % e for e in evil]))

On Wed, Dec 13, 2017 at 5:33 AM, Dale R. Worley <worley at alum.mit.edu> wrote:
> Erich Titl <erich.titl at think.ch> writes:
>> SALT# wpa_cli set_network 23 ssid \"NOS-CAFE DA MARINA\"
>> Selected interface 'wlan0'
>> OK
>
> I'm just a lurker here, but if SSIDs can contain spaces (I never
> realized that!), then *all* the programs have to be hardened to deal
> with spaces in SSIDs correctly. It's not too difficult if you pay close
> attention, but it's easy to overlook.
>
> For instance, one "correct" command line would be
>
> # wpa_cli set_network 23 ssid 'NOS-CAFE DA MARINA'
>
> This is also correct:
>
> # wpa_cli set_network 23 ssid "NOS-CAFE DA MARINA"
>
> In both cases, the 4th argument to the wpa_cli program is the string
> "NOS-CAFE DA MARINA" (19 characters).
>
> This command:
>
> # wpa_cli set_network 23 ssid \"NOS-CAFE DA MARINA\"
>
> would be expected to produce freaky results, since the 4th argument to
> wpa_cli is the string '"NOS-CAFE' (8 chars), the 5th is 'DA' (2 chars),
> and the 6th is 'MARINA"' (7 chars), since the spaces between the words
> aren't quoted (since the double-quotes are quoted, they do not make a
> quoted string).
>
> Where it gets tricky is if one of the programs involved is a shell
> script; then you have to take special care to always quote the SSID when
> it's mentioned.
>
> Taking a brief look, wpa_cli seems to be a binary executable, so it
> shouldn't be needing to take special care about spaces, it probably does
> the right thing automatically. But other programs in the suite may have
> problems.
>
> Dale
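Added example, not part of the original message or of the hostap code: one way to sidestep the quoting problems discussed in this thread is to treat the SSID as raw octets and hand it to wpa_cli in the unquoted hex form that wpa_supplicant accepts for the ssid field, with a separate escaped rendering for logs and terminals. The function names are hypothetical, the sample SSIDs are constructed from the ones in the message above, and network id 23 is the one used in the thread.

```python
MAX_SSID_OCTETS = 32  # an SSID is 0..32 octets; any byte value may appear


def check_ssid(raw):
    """Reject anything that cannot be an SSID; never trim or normalise it."""
    if not isinstance(raw, (bytes, bytearray)):
        raise TypeError("SSID must be handled as bytes, not text")
    if len(raw) > MAX_SSID_OCTETS:
        raise ValueError("SSID longer than %d octets" % MAX_SSID_OCTETS)
    return bytes(raw)


def display_ssid(raw):
    """Render for logs and terminals: printable ASCII kept, the rest as \\xNN."""
    out = []
    for b in check_ssid(raw):
        if 0x20 <= b <= 0x7E and b != 0x5C:  # 0x5C is backslash
            out.append(chr(b))
        else:
            out.append("\\x%02x" % b)  # ESC, NUL, UTF-8 bytes, backslash
    return "".join(out)


def wpa_ssid_hex(raw):
    """Hex form of the SSID: no spaces or quotes left for anything to split."""
    return check_ssid(raw).hex()


def set_network_argv(net_id, raw):
    """argv list for subprocess.run(argv), so no shell parses the SSID."""
    return ["wpa_cli", "set_network", str(int(net_id)), "ssid", wpa_ssid_hex(raw)]


# Constructed sample inputs modelled on the test SSIDs in the message above.
SAMPLES = [
    b"NOS-CAFE  DA MARINA",            # two consecutive spaces
    b"`logger hello from evil ssid`",  # shell metacharacters
    b"foo\x00bar\x00baz",              # NUL bytes
    b"\x1b[5m",                        # terminal escape sequence
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(display_ssid(sample), "->", " ".join(set_network_argv(23, sample)))
```

The hex value round-trips every octet, including both spaces of a double space, and the escaped rendering keeps an ESC or NUL byte from reaching a terminal or log viewer as a control character.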