ssid with double space not stored correctly
testcluster at gmail.com
Wed Dec 13 05:53:15 PST 2017
(dup message; first was rejected due to HTML; I am noob)
Embedded spaces are only the tip of the iceberg. I have a set of evil
test SSIDs I use. The 802.11 spec just says "32 chars" and is very
unspecific about what a "char" consists of. We've found lots of weird
corner cases in applications, drivers, when hitting corner cases (like
exactly 32 chars).

import logging

logger = logging.getLogger("wifi.dave")

evil = []


class SSID:
    def __init__(self, ssid):
        self.ssid = ssid
        self.buf = bytes(ssid, "utf8")
        # sanity checks
        assert len(self.buf) <= 32, len(self.buf)
        # kinda gross but lets me keep the creation code simple
        # (reconstructed: each SSID registers itself in the evil list)
        evil.append(self)

    def __str__(self):
        return "%r" % self.buf


# embedded spaces
ssid = SSID("this is a test")
# leading / trailing spaces
ssid = SSID(" this is a test")
ssid = SSID("this is a test ")
ssid = SSID(" this is a test ")
# all spaces
ssid = SSID(" ")
# NULL bytes
ssid = SSID("foo\0bar\0baz")
# vt100 blink char
ESC = chr(27)
CSI = ESC + "["
ssid = SSID(CSI + "5m")
# for lols
ssid = SSID("(╯°□°）╯︵ ┻━┻")
ssid = SSID("")  # <-- poop emoji didn't come through text encoding
# shell injection attack
ssid = SSID("`logger hello from evil ssid`")
ssid = SSID("$(logger hello from evil ssid)")
# i18n chars
ssid = SSID("René Decartes")
ssid = SSID("Académie française")
# exactly 32 chars
ssid = SSID("01234567890123456789012345678901")
# cross site scripting
ssid = SSID("<script>alert('hi');</script>")
# sloppy sql injection
ssid = SSID("; DROP TABLE passwords;")
ssid = SSID(" or 1=1")

print("\n".join(["%s" % e for e in evil]))

On Wed, Dec 13, 2017 at 5:33 AM, Dale R. Worley <worley at alum.mit.edu> wrote:
> Erich Titl <erich.titl at think.ch> writes:
>> SALT# wpa_cli set_network 23 ssid \"NOS-CAFE DA MARINA\"
>> Selected interface 'wlan0'
> I'm just a lurker here, but if SSIDs can contain spaces (I never
> realized that!), then *all* the programs have to be hardened to deal
> with spaces in SSIDs correctly. It's not too difficult if you pay close
> attention, but it's easy to overlook.
> For instance, one "correct" command line would be
> # wpa_cli set_network 23 ssid 'NOS-CAFE DA MARINA'
> This is also correct:
> # wpa_cli set_network 23 ssid "NOS-CAFE DA MARINA"
> In both cases, the 4th argument to the wpa_cli program is the string
> "NOS-CAFE DA MARINA" (19 characters).
> This command:
> # wpa_cli set_network 23 ssid \"NOS-CAFE DA MARINA\"
> would be expected to produce freaky results, since the 4th argument to
> wpa_cli is the string '"NOS-CAFE' (8 chars), the 5th is 'DA' (2 chars),
> and the 6th is 'MARINA"' (7 chars), since the spaces between the words
> aren't quoted (since the double-quotes are quoted, they do not make a
> quoted string).
> Where it gets tricky is if one of the programs involved is a shell
> script; then you have to take special care to always quote the SSID when
> it's mentioned.
> Taking a brief look, wpa_cli seems to be a binary executable, so it
> shouldn't be needing to take special care about spaces, it probably does
> the right thing automatically. But other programs in the suite may have
> Hostap mailing list
> Hostap at lists.infradead.org
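
An added example, not part of the original thread or of hostap: it tokenises the command forms discussed in the quoted message using POSIX quoting rules, and builds a wpa_cli argument list that carries the SSID as hex so spaces, NUL bytes and shell metacharacters never reach a parser. The function names and sample SSIDs are constructed here, and it assumes wpa_supplicant accepts an unquoted hex string as an ssid value.

```python
import shlex

# Constructed sample SSIDs, modelled on the categories in the list above.
SAMPLES = [
    "NOS-CAFE  DA MARINA",             # double space, as in the subject line
    " this is a test ",                # leading / trailing spaces
    "foo\0bar\0baz",                   # NUL bytes can never appear in an argv string
    "$(logger hello from evil ssid)",  # shell command substitution
    "René Decartes",                   # multi-byte UTF-8
]


def shell_words(command_line):
    """Split a command line into words using POSIX shell quoting rules."""
    return shlex.split(command_line)


def ssid_hex(ssid):
    """Hex-encode the UTF-8 bytes of an SSID, enforcing the 32-octet limit."""
    buf = ssid.encode("utf-8")
    if len(buf) > 32:
        raise ValueError("SSID is %d octets, limit is 32" % len(buf))
    # Assumption: wpa_supplicant reads an unquoted ssid value as hex octets.
    return buf.hex()


def set_ssid_argv(network_id, ssid):
    """Build an argv list for subprocess.run(argv), so no shell parses the SSID."""
    return ["wpa_cli", "set_network", str(int(network_id)), "ssid", ssid_hex(ssid)]


def shell_line(argv):
    """Render argv for use inside a shell script, quoting every word."""
    return " ".join(shlex.quote(word) for word in argv)


if __name__ == "__main__":
    prefix = "wpa_cli set_network 23 ssid "
    for value in ("'NOS-CAFE DA MARINA'", '\\"NOS-CAFE DA MARINA\\"'):
        print(shell_words(prefix + value))
    for sample in SAMPLES:
        print(shell_line(set_ssid_argv(23, sample)))
```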