Vulnerability: Command injection #184
Comments
Good find. You obviously have some technical chops since you were able to identify this issue: mind submitting a patch via pull request?
@ecapson - Just a quick follow-up. Do you have the spare cycles for this or should I go ahead and write a patch?
Hey, thanks for the follow-up. I should be able to create a pull request this week.
I’ve merged your pull request and am closing the issue. That said, I think this calls for a standardized, repeatable solution that can be used across the entire project. I’m thinking something like a small standardized library for making system calls and handling input / output, as well as strictly defining types and formats for any input coming into the application. I’ll add it to the top of the queue. Thanks again.
When using the module autocrack the input is not sanitized properly and it was possible to inject code as root.
The following addition was made in the crack_locally function for clarity.
print('autocrack start')
print('cmd:',cmd)
Environment is latest Kali Linux with eaphammer v1.13.5.
Eaphammer was started with
eaphammer -i wlan0 --channel 6 --essid test --auth wpa-eap --autocrack --cloaking none
In the screenshot, an EAP authentication was made with the following identity:
|;whoami;#
The injection is possible due to the
data=data.strip().split('|')
in the run_autocrack function. When the username contains '|', the user identity overrides the channel, which is later used in the crack_locally function as an 'asleap' parameter.
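To make the field shift described in the report concrete, the following is an added Python illustration; it is not code from eaphammer or from the reporter. It assumes a record layout of identity|channel|challenge (the real field order is not given in the issue), reuses the identity value quoted above as a constructed record, builds a stand-in `asleap` command line rather than the project's real one, and uses whitelist patterns that are assumptions to be tuned for a real deployment.

```python
import re

# Constructed stand-in records for the '|'-separated data that run_autocrack()
# parses with data.strip().split('|'). The real eaphammer field order is not
# shown in the issue; the layout identity|channel|challenge is an assumption
# made only for this example.
FIELDS = ("identity", "channel", "challenge")
BENIGN_RECORD = "alice|6|DEADBEEF\n"
INJECTED_RECORD = "|;whoami;#|6|DEADBEEF\n"  # identity from the issue: |;whoami;#


def parse_naive(data):
    """The pattern the issue describes: split on '|' and trust the positions.
    A '|' inside the identity shifts every later field by one, so the
    attacker-chosen identity lands in the 'channel' slot."""
    return dict(zip(FIELDS, data.strip().split('|')))


def build_cmd_naive(parsed):
    """Stand-in for a shell command string built from the unvalidated channel
    (the real asleap command line is not shown in the issue)."""
    return "asleap " + parsed["channel"]


# Hardened version: exact field count, a per-field whitelist, and an argv list
# instead of a shell string, so no field is ever interpreted by a shell.
IDENTITY_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,253}")  # assumption: tune to the identities you expect
CHANNEL_RE = re.compile(r"[1-9][0-9]{0,2}")            # digits only; the int range is checked below
CHALLENGE_RE = re.compile(r"[0-9A-Fa-f]{2,}")


class RecordError(ValueError):
    """Raised for any record that does not match the expected shape."""


def parse_strict(data):
    parts = data.strip().split('|')
    if len(parts) != len(FIELDS):
        raise RecordError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    parsed = dict(zip(FIELDS, parts))
    if not IDENTITY_RE.fullmatch(parsed["identity"]):
        raise RecordError("identity contains disallowed characters")
    # Upper bound of 196 is an assumption; narrow it to the bands you operate on.
    if not CHANNEL_RE.fullmatch(parsed["channel"]) or not 1 <= int(parsed["channel"]) <= 196:
        raise RecordError("channel is not a plausible 802.11 channel number")
    if not CHALLENGE_RE.fullmatch(parsed["challenge"]):
        raise RecordError("challenge is not hex")
    parsed["channel"] = int(parsed["channel"])
    return parsed


def build_argv(parsed):
    """Argument vector for subprocess.run(argv) with shell=False; even a value
    containing ';' or '|' would reach the program as a literal string."""
    return ["asleap", str(parsed["channel"])]


def rejects(data):
    """True if the strict parser refuses the record."""
    try:
        parse_strict(data)
    except RecordError:
        return True
    return False


if __name__ == "__main__":
    print("naive channel field:", repr(parse_naive(INJECTED_RECORD)["channel"]))
    print("naive command string:", build_cmd_naive(parse_naive(INJECTED_RECORD)))
    print("strict rejects injected record:", rejects(INJECTED_RECORD))
    print("strict argv for benign record:", build_argv(parse_strict(BENIGN_RECORD)))
```

The two defences are independent: the field-count and whitelist checks stop the shifted record at the parser, and passing an argument list with `shell=False` means a stray `;` or `|` that did survive would be handed to the program as data rather than parsed by a shell. The patch actually merged for this issue is not reproduced here.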