hostapd config parsing issues
Richard Schleich
rs at noreya.tech
Wed Apr 13 08:46:29 PDT 2022
Hi,
This was tested with hostapd 2.10; earlier versions are probably also
affected.
Recently I started to test a WLAN module. For this I set up an AP with
hostapd and verified the settings from a second system using "iw dev scan".
I reached a point where the configuration I had set no longer matched
the scan result.
I checked the source code and found out that the parsing of the option
"ht_capab" does not check for "#" comments.
The comment in the following line is simply ignored:
ht_capab=[HT20] #[HT40+]
This is quite confusing, since programs usually do not parse comments or
report an error.
Even worse, in some cases this behavior can be used to lower security
standards:
tls_flags=[ENABLE-TLSv1.3][ENABLE-TLSv1.2] #[ENABLE-TLSv1.0]
I searched some more and found a second problem.
The parser for wpa_pairwise is not vulnerable to comments but to NULL
characters.
If you add an ASCII NULL (binary 0) after "TKIP", hostapd will ignore
"CCMP".
wpa_pairwise=TKIP CCMP (wpa_pairwise=TKIP^@ CCMP)
Some tools like "vim" show NULL as "^@" while others like "cat" ignore
it completely and show a supposedly safe configuration.
It also seems that the "int line" variable in the config parser can be
used to trigger an integer overflow since it is not checked. Because
hostapd is compiled for many different architectures this might be a
problem.
These are small bugs that require direct access to the system to pose a
security threat and can be easily fixed.
However, I would bet that the config parser has many similar problems, as
I only had to search a few hours to find these.
Maybe in the long-term it would be better to replace the "self-made"
parser with a tested library (libconfig?) to avoid these issues.
best regards,
Richard Schleich
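The two parsing behaviours described in the post, reproduced as an added example that is not hostapd's own code and not part of the original message: a deliberately simplified, hostapd-style config parser that matches bracketed capabilities by plain substring search (so a "#" comment is matched too) and treats the line as a C string (so an embedded NUL silently drops "CCMP"), beside hardened variants that strip the comment and reject lines whose byte count disagrees with strlen(). The function names, the fixed buffer size and the inline sample lines are assumptions made for this example.

```c
/*
 * Added example, not hostapd code: a toy config-line parser showing the
 * comment and NUL-byte failure modes from the report, next to hardened
 * variants. All input is constructed inline.
 */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256   /* assumed line buffer size for this example */

/* Naive capability test: a plain substring search over the value, so a
 * capability written after a '#' is still matched (the ht_capab /
 * tls_flags behaviour the report describes). */
int naive_has_cap(const char *value, const char *cap)
{
    return strstr(value, cap) != NULL;
}

/* Hardened variant: cut the value at the first '#' before matching, so
 * "[HT20] #[HT40+]" only yields [HT20]. */
int hardened_has_cap(const char *value, const char *cap)
{
    char buf[LINE_MAX_LEN];
    snprintf(buf, sizeof buf, "%s", value);
    char *hash = strchr(buf, '#');
    if (hash)
        *hash = '\0';
    return strstr(buf, cap) != NULL;
}

/* Naive cipher-list test: copies the line as a C string, so everything after
 * an embedded NUL is dropped before tokenising. Returns 1 if `cipher` is one
 * of the whitespace-separated tokens after '='. */
int naive_has_cipher(const char *line, const char *cipher)
{
    char buf[LINE_MAX_LEN];
    snprintf(buf, sizeof buf, "%s", line);   /* "%s" stops at the first NUL */
    char *value = strchr(buf, '=');
    if (!value)
        return 0;
    for (char *tok = strtok(value + 1, " \t\r\n"); tok;
         tok = strtok(NULL, " \t\r\n"))
        if (strcmp(tok, cipher) == 0)
            return 1;
    return 0;
}

/* Hardened variant: takes the byte count actually read (as getline(3) would
 * report it) and rejects the line if a NUL occurs before the end, instead
 * of quietly parsing the truncated prefix. Returns -1 on rejection,
 * otherwise the naive result. */
int hardened_has_cipher(const char *line, size_t nread, const char *cipher)
{
    if (memchr(line, '\0', nread) != NULL)   /* embedded NUL inside the line */
        return -1;
    return naive_has_cipher(line, cipher);
}

int main(void)
{
    /* Constructed inputs mirroring the report's examples. */
    const char *ht = "[HT20] #[HT40+]";
    static const char nul_line[] = "wpa_pairwise=TKIP\0 CCMP\n";
    size_t nul_len = sizeof nul_line - 1;   /* 24 bytes, NUL included */

    printf("naive    [HT40+]: %d\n", naive_has_cap(ht, "[HT40+]"));      /* 1 */
    printf("hardened [HT40+]: %d\n", hardened_has_cap(ht, "[HT40+]"));   /* 0 */
    printf("naive    CCMP   : %d\n", naive_has_cipher(nul_line, "CCMP")); /* 0 */
    printf("hardened CCMP   : %d\n",
           hardened_has_cipher(nul_line, nul_len, "CCMP"));              /* -1 */
    return 0;
}
```

The hardened cipher check only works if the caller knows how many bytes were read; with fgets() that count is lost, which is exactly why a NUL in the file passes unnoticed. Reading with getline() or fread() and comparing the returned length against the string length, or rejecting any line containing a byte outside the printable range, closes that gap.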