Re: [B.A.T.M.A.N.] [PATCH maint] batman-adv: Avoid probe ELP information leak

public inbox for b.a.t.m.a.n@lists.open-mesh.org
 help / color / mirror / Atom feed

From: Sven Eckelmann <sven@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Subject: Re: [B.A.T.M.A.N.] [PATCH maint] batman-adv: Avoid probe ELP information leak
Date: Fri, 31 Aug 2018 15:20:16 +0200	[thread overview]
Message-ID: <2117465.v8Cqqng2MF@sven-edge> (raw)
In-Reply-To: <20180831130844.5434-1-sven@narfation.org>

[-- Attachment #1: Type: text/plain, Size: 1807 bytes --]

On Freitag, 31. August 2018 15:08:44 CEST Sven Eckelmann wrote:
> The probe ELPs for WiFi interfaces are expanded to contain at least
> BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the
> number of bytes which the template ELP packet requires.
> 
> These extra padding bytes were not initialized and thus could contain data
> which were previously stored at the same location. It is therefore required
> to set it to some predefined or random values to avoid leaking private
> information from the system transmitting these kind of packets.

I was just able to extract (passive) real information from a system using 
that. Here is some example with non-compromising data:

    15:14:32.930238 02:ba:de:af:fe:01 (oui Unknown) > 02:ba:de:af:fe:02 (oui Unknown), ethertype Unknown (0x4305), length 214: 
        0x0000:  030f 02ba deaf fe01 0000 0000 0000 0000  ................
        0x0010:  6574 7479 206f 6e20 7474 7953 302e 0000  etty.on.ttyS0...
        0x0020:  0200 0400 1080 0000 4143 5449 4f4e 3d61  ........ACTION=a
        0x0030:  6464 0044 4556 5041 5448 3d2f 6465 7669  dd.DEVPATH=/devi
        0x0040:  6365 732f 7669 7274 7561 6c2f 7474 792f  ces/virtual/tty/
        0x0050:  7474 7973 3200 5355 4253 5953 5445 4d3d  ttys2.SUBSYSTEM=
        0x0060:  7474 7900 5359 4e54 485f 5555 4944 3d30  tty.SYNTH_UUID=0
        0x0070:  0044 4556 4e41 4d45 3d2f 6465 762f 7474  .DEVNAME=/dev/tt
        0x0080:  7973 3200 5345 514e 554d 3d31 3836 3500  ys2.SEQNUM=1865.
        0x0090:  5553 4543 5f49 4e49 5449 414c 495a 4544  USEC_INITIALIZED
        0x00a0:  3d32 3237 3830 3933 3900 4d41 4a4f 523d  =22780939.MAJOR=
        0x00b0:  3300 4d49 4e4f 523d 3530 0054 4147 533d  3.MINOR=50.TAGS=
        0x00c0:  3a73 7973 7465 6d64                      :systemd

Kind regards,
	Sven

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next prev parent reply	other threads:[~2018-08-31 13:20 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-31 13:08 [B.A.T.M.A.N.] [PATCH maint] batman-adv: Avoid probe ELP information leak Sven Eckelmann
2018-08-31 13:20 ` Sven Eckelmann [this message]
2018-09-02 16:08 ` Antonio Quartulli
2018-09-05 16:06 ` Sven Eckelmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2117465.v8Cqqng2MF@sven-edge \
    --to=sven@narfation.org \
    --cc=b.a.t.m.a.n@lists.open-mesh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox