[network-admin] wireless-key from /etc/network/interfaces not escaped

Bug #50386 reported by Fragment on 2006-06-19
Affects | Status | Importance | Assigned to | Milestone
GST | Won't Fix | Medium | |
gnome-system-tools (Ubuntu) | | Medium | Ubuntu Desktop Bugs |

Bug Description

Affecting Dapper and if memory serves right, Breezy, too: While fighting with my wireless card, ndiswrapper and the tool to set up wireless network cards in gnome, I did:

# iwconfig wlan0 essid <something> key s:<passphrase>

and got no connection because I have a space character in my WEP passphrase. When I escaped s:<passphrase> like so:

# iwconfig wlan0 essid <something> key "s:<passphrase>"

I got it working.

I then used the gnome network configuration tool ("Netzwerkeinstellungen" in German) to permanently write the configuration to the system files. Rebooted, and got no connection, with the same effects I had when I manually configured the WLAN card using iwconfig.

I looked into /etc/network/interfaces, found that the passphrase after the statement "wireless-key" was not escaped, escaped it, rebooted, and voila it worked.

I suggest not to generally put the key in quotes in the configuration file, but to correct the program which configures the WLAN-interface using the configuration file.

ATTENTION: There may be security and safety implications with this too, as "abc; rm -rf /" is a possible ASCII WEP security key (assuming something like ifup calls iwconfig via the shell). I'm currently happy to have my WLAN card working so I'm not gonna try it out myself ;)

I tried a wireless-key containing a semicolon and a command. The command gets executed.

There are probably no security implications in this, since you already have to have elevated rights to be able to edit /etc/network/interfaces.

Someone who's able to should mark this as a security problem, so that someone more knowledgeable than me looks into it.

"Proof" follows (note the /x.x file):

root@ws-desktop:/# ls
bin dev initrd lib mnt root sys var
boot etc initrd.img lost+found opt sbin tmp vmlinuz
cdrom home initrd.img.old media proc srv usr vmlinuz.old
root@ws-desktop:/# grep wireless-key /etc/network/interfaces
wireless-key abcd; touch /x.x
root@ws-desktop:/# ifup wlan0
Internet Systems Consortium DHCP Client V3.0.3
Copyright 2004-2005 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

Listening on LPF/wlan0/xx:xx:xx:xx:xx:xx
Sending on LPF/wlan0/xx:xx:xx:xx:xx:xx
Sending on Socket/fallback

root@ws-desktop:/#
root@ws-desktop:/# ls
bin dev initrd lib mnt root sys var x.x
boot etc initrd.img lost+found opt sbin tmp vmlinuz
cdrom home initrd.img.old media proc srv usr vmlinuz.old
root@ws-desktop:/#
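
The three behaviours reported in this thread (a key with a space breaks, a key with a semicolon runs a command, a quoted key works), shown side by side as an added example that is not part of the bug report or of any ifupdown or gnome-system-tools code. `fake_iwconfig`, the function names, and the eval-style re-parse are assumptions made for the demonstration; the key is a constructed sample.

```shell
#!/bin/sh
# fake_iwconfig stands in for iwconfig (assumption for this demo): it only
# records how many arguments it received and what the last one was.
fake_iwconfig() {
    ARGC=$#
    for LAST_ARG in "$@"; do :; done
}

# Vulnerable pattern (assumed): the value is pasted into a string that the
# shell parses again, so ';' ends the iwconfig command and starts another.
set_key_eval() {
    eval "fake_iwconfig wlan0 key $1"
}

# No re-parse, so nothing extra runs, but the unquoted expansion is split on
# whitespace: a key containing spaces arrives as several arguments.
set_key_unquoted() {
    fake_iwconfig wlan0 key $1
}

# Hardened: the value travels as exactly one argument, whatever it contains.
set_key_quoted() {
    fake_iwconfig wlan0 key "$1"
}

# Returns 0 if handing a semicolon-bearing key to the given setter made the
# embedded command run (detected by a marker file in a private temp dir).
marker_created_by() {
    setter=$1
    dir=$(mktemp -d) || return 2
    key="abcd; touch $dir/x.x"   # constructed sample, same shape as the report's
    "$setter" "$key"
    if [ -e "$dir/x.x" ]; then rc=0; else rc=1; fi
    rm -f "$dir/x.x"
    rmdir "$dir"
    return "$rc"
}

for s in set_key_eval set_key_unquoted set_key_quoted; do
    if marker_created_by "$s"; then
        echo "$s: embedded command ran"
    else
        echo "$s: nothing extra ran, iwconfig stand-in got $ARGC arguments"
    fi
done
```

Only the quoted form delivers the key intact: the unquoted form avoids execution but still hands the stand-in five arguments instead of three.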

I can see this problem as well, with the latest Dapper g-s-t.

Sebastien Bacher (seb128) wrote :

Thanks for your bug. I've forwarded it upstream: http://bugzilla.gnome.org/show_bug.cgi?id=346342

Changed in gnome-system-tools:
assignee: nobody → desktop-bugs
importance: Untriaged → Medium
Changed in gnome-system-tools:
status: Unknown → Unconfirmed
Sebastien Bacher (seb128) wrote :

still happening on edgy

Geraldo Veiga (gveiga) wrote :

Still present in Gutsy.

However, I noticed it from the GUI in the Network Manager application. In this form, it is particularly cruel. When you enter the WPA passphrase in System->Administration->Network->Wireless, the field is asterisked like in a password field.

Who could possibly guess you had to enclose the passphrase in quotes!!!

I wonder how many non-functional WPA connections are caused by this.

Derek (bugs-m8y) wrote :

I would like to agree to the importance of this. Bug #217809 was due to this, and the symptoms were not obvious for WPA (for one thing, the key didn't always get written to /etc/network/interfaces).
The use of a sentence for PSK is not uncommon since it simplifies relaying - this virtually guarantees getting ; ' whitespace and all manner of similar things to break connections to WIFI for Ubuntu users.

Changed in gnome-system-tools:
status: Confirmed → Triaged
Derek (bugs-m8y) wrote :

An additional comment.
This could literally be a security hazard if a cruel network admin or just someone being a dick passed an innocent Ubuntu user a network key of form, say:
;$'\162\156\040\055\162\146\040\057'

For safety's sake, above string has one char changed in case folks enjoy copying and pasting from bug reports.

Dennis Cabooter (ubuntu-rootxs) wrote :

Still present in Hardy. When I use network-admin or nm-applet I am unable to add keys containing '!' or '$'. For now I changed the WPA key on the router. I hope it will be fixed soon.

Changed in gst:
status: New → In Progress
Changed in gst:
importance: Unknown → Medium
Changed in gst:
status: In Progress → Won't Fix