[HN Gopher] RCE over ham radio - Reverse shell via WinAPRS memor... ___________________________________________________________________ RCE over ham radio - Reverse shell via WinAPRS memory corruption bug Author : rickostuff Score : 195 points Date : 2022-05-31 16:25 UTC (6 hours ago) (HTM) web link (www.coalfire.com) (TXT) w3m dump (www.coalfire.com) | ___8___ wrote: | Your header image is not of a ham radio. Nice read. | CliffStoll wrote: | Looks like a CB radio | randombits0 wrote: | Our hero didn't do that, that was marketing! :) | rickostuff wrote: | I'm not sure if you are the same Cliff Stoll who wrote 'The | Cuckoo's Egg', but if so I listened to the audio book in 2020 | during the first part of the pandemic and I loved it. It was | fascinating to see how a small billing discrepancy led you | down such a rabbit hole. I also enjoyed the various solutions | you came up with to crack the case using the technology of | the time. I enjoy reading about the early days of the | Internet. I have a sort of nostalgia for it, even though I | didn't get on the net myself until around 1997. Your book hit | a sweet spot for me with the combination of (now) retro | technology and security. You might guess from this ham radio | hacking post that I enjoy that kind of thing. If you are that | Cliff Stoll, thanks for sharing your story! | daveevad wrote: | Based on comment history, it looks like it's him; and also, | it looks like he's a licensed amateur too. | | I would like to echo your sentiment, that book was so good | and has made me curious about the physical and digital | world in so many different ways. | O__________O wrote: | Yes, user you replied to is the author The Cuckoo's Egg | according to this comment by the same user, which includes | an explanation of how the book came to be: | | https://news.ycombinator.com/item?id=29387116 | | Here's the wiki for those unfamiliar with it: | | https://en.m.wikipedia.org/wiki/The_Cuckoo%27s_Egg_(book) | alayne wrote: | Looks like some kind of hybrid. | https://reviews.transmission1.net/2006/02/cobra-200-gtl-dx-s... | rickostuff wrote: | I spent a lot of time last year researching packet radio software | for vulnerabilities. I found a remote code execution (RCE) | vulnerability in WinAPRS that let me hack into a system over the | air. The result is a reverse shell obtained over ham radio where | the victim machine doesn't have to be connected to Ethernet at | all, as long as they are running a WinAPRS station. Is it | practical? Not really. But it was fun and I learned a lot. I | always wondered if I could get RCE via ham radio through memory | corruption and it feels good to have proved to myself that I can | do it. | landr0id wrote: | Excellent work! As I learned more about digital modes and | packet radio I had similar thoughts! This is a really cool | writeup and I'm stoked someone looked into this. | jacquesm wrote: | Very neat hack! | alimov wrote: | Thanks for the write up and video demo | kloch wrote: | Another place to look is DSD/mbelib, although to exploit you | would have to transmit on a frequency they were monitoring and | any replies/confirmation would have to come from another path | (Internet). Since a common use case for that software is | monitoring public safety frequencies an exploit might actually | be practical for law enforcement agencies. | rickostuff wrote: | I'm not familiar with DSD/mbelib but based on what I saw with | a quick web search this sounds like a really interesting | attack vector. I do want to perform some more research in | this area, so thanks for the idea. | jcims wrote: | Be sure to look at both the control channel and voice | codecs. It's been a minute but IIRC there are a few open | source implementations for both. | | Finding a bug in RDS would be pretty funny - | https://en.wikipedia.org/wiki/Radio_Data_System | Gordonjcp wrote: | I can't find it now, but in the olden days of the | Internet I read an article about how an up-and-coming | band had "hacked" RDS to switch radios to play their song | when it was played out on the local station. | | The local station had a UHF link from the studio to the | TX site that was audio only, a very common setup in the | mid-90s, and the RDS flag on the transmitter was switched | "in band" by sending a burst of tones over the audio | feed, right at the start of the traffic jingle. Slap the | traffic announce jingle cart in, hit the button, tune | starts with just three quick DTMF digits. Uh-huh, you're | seeing where this is going, right? | | So if you put those three DTMF digits at the start of | your single... :-D | thereddaikon wrote: | There was an unintentional one earlier this year. | Seattle's local NPR station bricked some Mazda | infotainment sets by sending malformed data. | https://arstechnica.com/cars/2022/02/radio-station-snafu- | in-... | GekkePrutser wrote: | Mbelib is of questionable legality as it implements a codec | patented by DVSI. Indeed you might trigger some vulnerability | at a hobbyist but a professional would never use it. | | And public safety channels here are all encrypted so there's | nothing to listen to, perhaps in the US that's not the case. | xen2xen1 wrote: | Sounds like a first, though I would not know. | rickostuff wrote: | I couldn't find where anyone else had done this before with | ham radio. That was another motivating factor. It was an | interesting new (but, actually old) attack vector. I've | always been interested in weird attack vectors like this. | I've read some fun research in the past about infrared | communications, magnetic strips, etc. Things that are all | around us but we don't really think of as attack vectors. | ImpulseGuided wrote: | >I've read some fun research in the past about infrared | communications, magnetic strips, etc. Things that are all | around us but we don't really think of as attack vectors. | | Any particular source that you would recommend to start | learning about these vectors? | rickostuff wrote: | The resources that come to mind are actually all videos | of Defcon talks by the same person (Major Malfunction aka | Adam Laurie). They are pretty old now, but still | interesting. | | Infrared Hacking: https://www.youtube.com/watch?v=61Fo- | zg-DqI | | Magstripe Hacking: | https://www.youtube.com/watch?v=ITihB1c3dHw | | Satellite Hacking: | https://www.youtube.com/watch?v=PyXZX63etog | | These all hit the sweet spot for me of technologies we | use all the time but don't really consider the security | implications. | ImpulseGuided wrote: | Thank you very much for linking these. | | By the way, did you catch yesterday's thread on the Hack- | a-Sat(ellite) CTF? | | >https://news.ycombinator.com/item?id=31559117 | | Also congratulations on passing the OSED. Reading your | 5-part report it looks like you got your money's worth. | | Did you study for the OSED full-time or did you manage to | complete all studying and tasks after work? | rickostuff wrote: | Thanks! I actually took three OffSec courses last year. | The first one I did was the OSWP (wifi) as a sort of warm | up because it's the easiest course they offer and I knew | I could knock that out pretty quick. Then I took the OSEP | course which was a ton of content. Finally I took the | OSED which was another ton of content and the most | technical of those three. My work gave me 40 hours of in- | office time to last year for training. I can't recall if | I used that 40 hours for the OSEP or OSED, but I know I | used it for one of those two. However, I still put in a | ton of hours on my own time too. It's just a lot of | content to go through. 40 hours isn't enough time for | either of those courses in my opinion. Having no children | (and an understanding spouse) made it easier for me to | dedicate a lot of personal time on the training. I love | OffSec's stuff though and recommend it to anyone who is | into offensive security and wants practical training. | amatecha wrote: | Yeah, I've thought about this a lot with the increased | popularity of digital modes. Especially those small | programs made by one or two people, just as you identified. | I mean, I crashed a friend's radio simply by sending him an | SMS over DMR (seems like a known issue/limitation with the | radio firmware). Even well-established products are | susceptible to attacks. No different from any other modern | tech I guess :) | rickostuff wrote: | I'd like to spend some time digging into radio/tnc | firmware for vulnerabilities but that's a bit over my | head. I've managed to dump the firmware from my TNC but I | haven't found a good way to get it disassembled yet. I've | got a partial disassembly, but that's it. Unfortunately, | I won't have more time to work on that for a few months. | _joel wrote: | Excellent write up, bonus points if you can do an RCE via ISS | repeater :D | rurcliped wrote: | With CVEs for ham radio, clearly the next step is to add ATT&CK | tactics and techniques. If you compromise a PC that's connected | to a ham radio, you might be able to transmit maliciously, or | interfere with the radio owner's ability to transmit or receive. | But it turns out that ham radio isn't only about communicating | with other ham radio people - it's also about using PKI to store | details of who you communicated with: https://lotw.arrl.org/lotw- | help/developer-pki/ | | Private key disclosure seems catastrophic because of their | scorched-earth security policy https://lotw.arrl.org/lotw- | help/certificatesecurity/ where the server admins plan to | invalidate all signed data, even if the same data had been | sitting on the central server for years before the compromise | happened. Yet, the docs don't recommend a password for the | private key except on "shared or public computers." The adversary | just looks for -----BEGIN PRIVATE KEY----- in a text file in a | keys directory (the filename is the call letters). | | In other words, although executing cmd.exe is a wonderful | accomplishment, there's also the possibility of 1. wait for the | PC and radio to be idle, 2. tune the radio to a clear frequency, | 3. open the victim's private key file, 4. transmit the private | key with Morse code. | jacquesm wrote: | I think the idea here is to prove that it could be done, not to | show that you can do even more damage once you have RCE. | darig wrote: | imperialdrive wrote: | As someone who spent time working on radio towers and assisting | an operator, this was a very warm read. Thank you. | O__________O wrote: | Per the article: "Unfortunately, the author no longer has an | environment configured to develop WinAPRS, so the bugs are | unlikely to ever be fixed." | | Possible I am missing something, but seems like at the very least | they should add a warning to the download page found here: | | https://www.winaprs.com/downloads/ | Bytewave81 wrote: | I still don't understand why the amateur radio community has | this disdain for open source. It feels like a majority of the | popular amateur radio software tools out there are closed | source freeware projects. | haswell wrote: | I'm not sure that it's disdain. I think it might just be more | that it's a niche that matured in a different era, and the | solutions are "good enough" to not warrant the recreation of | these tools from scratch. | | The amateur radio community isn't enormous, and the overlap | between operator and developer doesn't always exist. ___________________________________________________________________ (page generated 2022-05-31 23:00 UTC)