WPA Keys can cause Router to reset to factory default

Denys Vlasenko vda.linux at googlemail.com
Mon Mar 2 14:22:30 UTC 2009


On Monday 02 March 2009 12:51:33 pm Chris Rigg-Milner wrote:
> This problem has been annoying me for a couple of years now, so I finally
> got around to doing some investigation after installing an upgrade to my
> Belkin f5d7633uk router which uses Busybox V1.00.
> 
> I will admit that I am not 100% sure the problem is down to the busybox
> software but as I cannot get Belkin to do anything about it I am trying this
> so here goes anyway.

This can be helped only if you have a way to log in the router
and modify files on its filesystem(s), including scripts.

> THE PROBLEM:
> 
> Some characters cause major problems to the router/router software.
> 
> Specifically 2 main issues:
> 
> If a " (double quote) appears in the string (valid according to the spec for
> WPA Keys) this causes the key to become useless as the router saves the key
> in the config file as a double quote delimited string.
...
> Some characters that appear in the generated key cause the router to reset 
> to what I assume is a factory default setting.
> 
> This happens when you make the changes on the admin panel supplied, in my
> case by Belkin.
> 
> When you save the changes to the security setting the router reboots, as I
> suppose one would expect. The result of that reboot does not give any
> indication of a problems but you now have a router with NO SECURITY AT ALL.
> The admin password is reset to "" (blank, nothing, nada). The wireless
> security is set to OFF, and  in many cases the ISP userid/password is lost
> and the router must be re-configured from scratch.
... 
> Now this has happened to me using various WPA keys but this one is the last
> one that caused it to happen, obviously not my current key.
> 
> wpakey="c/S/4Sc`oLTM at r_\?rJa$~Lu82Tr!^IA HXPQD9\P2RpJvz(+<:Lzk^2A#x{^c4"

Well duh, with characters like ` this may invoke shell's command substitution,
and this can be very bad. $ and \ are bad also.

> I had already removed any " (double quote) character and added something in
> its place but still, total mayhem on saving it to the router from the admin
> panel security page.

> I hope this is not your problem and if not, please let me know and I will
> have another attempt at getting Belkin to fix the problem.

Basically, what needs to be fixed is that the script which saves the key
in the form of wpakey=... must be fixed.

I suggest discarding any control characters first (with codes less than 32),
maybe also discarding all non-ascii chars (codes >= 127).

Piping the key through tr -cd ' -~' command will do it.

Then store the key with SINGLE quotes. They are more restrictive for shells:
only single quote has special meaning inside. Thus you need to escape only
single quote.

Sed command s/'/'"'"'/g would do it, but we need to massage it so
that shell itself would not be confused by "s and 's:

dq='"'
echo "any 'junk'" | tr -cd ' -~' | sed "s/'/'$dq'$dq'/g"

> This is a great pity as the mix of their hardware and your software make a
> perfectly adequate package apart from this issue.

If you can identify part of the script which does that, and replace it
with something like this:

wpakey=`dq='"'; echo "any 'junk'" | tr -cd ' -~' | sed "s/'/'$dq'$dq'/g"`
echo "wpakey='$wpakey'" >>some_configfile

it should do the trick. In this example, it should end up
writing the string wpakey='any '"'"'junk'"'"''
to some_configfile. Which is correct.

With your example string:

# raw='c/S/4Sc`oLTM at r_\?rJa$~Lu82Tr!^IA HXPQD9\P2RpJvz(+<:Lzk^2A#x{^c4'
# wpakey=`dq='"'; echo "$raw" | tr -cd ' -~' | sed "s/'/'$dq'$dq'/g"`
# echo "wpakey='$wpakey'"
wpakey='c/S/4Sc`oLTM at r_\?rJa$~Lu82Tr!^IA HXPQD9\P2RpJvz(+<:Lzk^2A#x{^c4'

it still seems to work correctly.
--
vda


More information about the busybox mailing list