[HN Gopher] RCE over ham radio - Reverse shell via WinAPRS memory corruption bug
___________________________________________________________________
RCE over ham radio - Reverse shell via WinAPRS memory corruption bug
Author : rickostuff
Score : 195 points
Date : 2022-05-31 16:25 UTC (6 hours ago)
(HTM) web link (www.coalfire.com)
| ___8___ wrote:
| Your header image is not of a ham radio. Nice read.
| CliffStoll wrote:
| Looks like a CB radio
| randombits0 wrote:
| Our hero didn't do that, that was marketing! :)
| rickostuff wrote:
| I'm not sure if you are the same Cliff Stoll who wrote 'The
| Cuckoo's Egg', but if so I listened to the audio book in 2020
| during the first part of the pandemic and I loved it. It was
| fascinating to see how a small billing discrepancy led you
| down such a rabbit hole. I also enjoyed the various solutions
| you came up with to crack the case using the technology of
| the time. I enjoy reading about the early days of the
| Internet. I have a sort of nostalgia for it, even though I
| didn't get on the net myself until around 1997. Your book hit
| a sweet spot for me with the combination of (now) retro
| technology and security. You might guess from this ham radio
| hacking post that I enjoy that kind of thing. If you are that
| Cliff Stoll, thanks for sharing your story!
| daveevad wrote:
| Based on comment history, it looks like it's him; and also,
| it looks like he's a licensed amateur too.
|
| I would like to echo your sentiment, that book was so good
| and has made me curious about the physical and digital
| world in so many different ways.
| O__________O wrote:
| Yes, the user you replied to is the author of The Cuckoo's Egg,
| according to this comment by the same user, which includes
| an explanation of how the book came to be:
|
| https://news.ycombinator.com/item?id=29387116
|
| Here's the wiki for those unfamiliar with it:
|
| https://en.m.wikipedia.org/wiki/The_Cuckoo%27s_Egg_(book)
| alayne wrote:
| Looks like some kind of hybrid.
| https://reviews.transmission1.net/2006/02/cobra-200-gtl-dx-s...
| rickostuff wrote:
| I spent a lot of time last year researching packet radio software
| for vulnerabilities. I found a remote code execution (RCE)
| vulnerability in WinAPRS that let me hack into a system over the
| air. The result is a reverse shell obtained over ham radio where
| the victim machine doesn't have to be connected to Ethernet at
| all, as long as they are running a WinAPRS station. Is it
| practical? Not really. But it was fun and I learned a lot. I
| always wondered if I could get RCE via ham radio through memory
| corruption and it feels good to have proved to myself that I can
| do it.
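The bug class behind a result like this, as an added illustration rather than anything from the Coalfire post or the WinAPRS source (the thread does not describe the actual bug): an APRS packet in TNC2 monitor form is `SRC>DST,PATH:INFO`, and a receiver that copies each field by its length in the received packet, instead of the size of its own buffer, can be overrun by anyone who can key a transmitter on the channel. The 9-character callsign-with-SSID and 256-byte information field limits follow the APRS spec; the path buffer size is an assumption, as are the packets used as input.

```c
/* Added illustration, not WinAPRS code and not the bug from the post:
 * an APRS/TNC2 monitor-format line "SRC>DST,PATH:INFO" parsed twice,
 * once with unbounded field copies and once with bounded ones. */
#include <stdio.h>
#include <string.h>

#define CALL_MAX 9     /* "N0CALL-15": 6-char callsign, '-', 2-digit SSID (APRS spec) */
#define PATH_MAX_ 80   /* room for up to 8 digipeater calls plus commas (assumption) */
#define INFO_MAX 256   /* APRS information field limit (APRS spec) */

struct aprs_packet {
    char src[CALL_MAX + 1];
    char dst[CALL_MAX + 1];
    char path[PATH_MAX_ + 1];
    char info[INFO_MAX + 1];
};

/* Find the '>' and the first ':' after it. Returns 0 if both exist. */
static int split(const char *line, const char **gt, const char **colon)
{
    *gt = strchr(line, '>');
    *colon = *gt ? strchr(*gt, ':') : NULL;
    return (*gt && *colon) ? 0 : -1;
}

/* VULNERABLE pattern: each copy is sized by the field as received, never by
 * the destination. A packet with a 40-byte "callsign" overruns src into the
 * neighbouring fields and whatever follows the struct. Kept here only for
 * comparison with the bounded version; never feed it hostile input. */
int aprs_parse_unsafe(const char *line, struct aprs_packet *p)
{
    const char *gt, *colon, *comma, *dend;
    if (split(line, &gt, &colon) < 0) return -1;
    memcpy(p->src, line, (size_t)(gt - line));
    p->src[gt - line] = '\0';
    comma = memchr(gt + 1, ',', (size_t)(colon - gt - 1));
    dend = comma ? comma : colon;
    memcpy(p->dst, gt + 1, (size_t)(dend - gt - 1));
    p->dst[dend - gt - 1] = '\0';
    if (comma) {
        memcpy(p->path, comma + 1, (size_t)(colon - comma - 1));
        p->path[colon - comma - 1] = '\0';
    } else {
        p->path[0] = '\0';
    }
    strcpy(p->info, colon + 1);
    return 0;
}

/* Bounded copy: refuses a field that would not fit with its terminator. */
static int copy_field(char *dst, size_t dstsz, const char *start, size_t len)
{
    if (len >= dstsz) return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* HARDENED: same parse, every copy checked; an over-long field rejects the
 * whole packet instead of truncating silently. */
int aprs_parse_safe(const char *line, struct aprs_packet *p)
{
    const char *gt, *colon, *comma, *dend;
    if (split(line, &gt, &colon) < 0) return -1;
    comma = memchr(gt + 1, ',', (size_t)(colon - gt - 1));
    dend = comma ? comma : colon;
    if (copy_field(p->src, sizeof p->src, line, (size_t)(gt - line)) < 0) return -1;
    if (copy_field(p->dst, sizeof p->dst, gt + 1, (size_t)(dend - gt - 1)) < 0) return -1;
    if (copy_field(p->path, sizeof p->path, comma ? comma + 1 : colon,
                   comma ? (size_t)(colon - comma - 1) : 0) < 0) return -1;
    if (copy_field(p->info, sizeof p->info, colon + 1, strlen(colon + 1)) < 0) return -1;
    return 0;
}

/* Constructed over-the-air input: a 300-byte information field. */
const char *constructed_oversize_packet(void)
{
    static char buf[400];
    size_t n = (size_t)snprintf(buf, sizeof buf, "N0CALL-9>APRS,WIDE1-1:");
    memset(buf + n, 'A', 300);
    buf[n + 300] = '\0';
    return buf;
}

int main(void)
{
    struct aprs_packet p;
    const char *good = "N0CALL-9>APRS,WIDE1-1,WIDE2-1:=4903.50N/07201.75W-Test";
    if (aprs_parse_safe(good, &p) == 0)
        printf("src=%s dst=%s path=%s info=%s\n", p.src, p.dst, p.path, p.info);
    printf("oversize info: %s\n",
           aprs_parse_safe(constructed_oversize_packet(), &p) ? "rejected" : "accepted");
    return 0;
}
```

The hardened parser rejects rather than truncates because a truncated callsign or path silently changes who a packet appears to be from; for a receive-only display that trade-off could reasonably go the other way, but the bound check itself is the part that must not be skipped.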
| landr0id wrote:
| Excellent work! As I learned more about digital modes and
| packet radio I had similar thoughts! This is a really cool
| writeup and I'm stoked someone looked into this.
| jacquesm wrote:
| Very neat hack!
| alimov wrote:
| Thanks for the write up and video demo
| kloch wrote:
| Another place to look is DSD/mbelib, although to exploit it you
| would have to transmit on a frequency they were monitoring and
| any replies/confirmation would have to come from another path
| (Internet). Since a common use case for that software is
| monitoring public safety frequencies an exploit might actually
| be practical for law enforcement agencies.
| rickostuff wrote:
| I'm not familiar with DSD/mbelib but based on what I saw with
| a quick web search this sounds like a really interesting
| attack vector. I do want to perform some more research in
| this area, so thanks for the idea.
| jcims wrote:
| Be sure to look at both the control channel and voice
| codecs. It's been a minute but IIRC there are a few open
| source implementations for both.
|
| Finding a bug in RDS would be pretty funny -
| https://en.wikipedia.org/wiki/Radio_Data_System
| Gordonjcp wrote:
| I can't find it now, but in the olden days of the
| Internet I read an article about how an up-and-coming
| band had "hacked" RDS to switch radios to play their song
| when it was played out on the local station.
|
| The local station had a UHF link from the studio to the
| TX site that was audio only, a very common setup in the
| mid-90s, and the RDS flag on the transmitter was switched
| "in band" by sending a burst of tones over the audio
| feed, right at the start of the traffic jingle. Slap the
| traffic announce jingle cart in, hit the button, tune
| starts with just three quick DTMF digits. Uh-huh, you're
| seeing where this is going, right?
|
| So if you put those three DTMF digits at the start of
| your single... :-D
| thereddaikon wrote:
| There was an unintentional one earlier this year.
| Seattle's local NPR station bricked some Mazda
| infotainment sets by sending malformed data.
| https://arstechnica.com/cars/2022/02/radio-station-snafu-in-...
| GekkePrutser wrote:
| Mbelib is of questionable legality as it implements a codec
| patented by DVSI. Indeed you might trigger some vulnerability
| in a hobbyist's setup, but a professional would never use it.
|
| And public safety channels here are all encrypted so there's
| nothing to listen to; perhaps in the US that's not the case.
| xen2xen1 wrote:
| Sounds like a first, though I would not know.
| rickostuff wrote:
| I couldn't find where anyone else had done this before with
| ham radio. That was another motivating factor. It was an
| interesting new (but, actually old) attack vector. I've
| always been interested in weird attack vectors like this.
| I've read some fun research in the past about infrared
| communications, magnetic strips, etc. Things that are all
| around us but we don't really think of as attack vectors.
| ImpulseGuided wrote:
| >I've read some fun research in the past about infrared
| communications, magnetic strips, etc. Things that are all
| around us but we don't really think of as attack vectors.
|
| Any particular source that you would recommend to start
| learning about these vectors?
| rickostuff wrote:
| The resources that come to mind are actually all videos
| of Defcon talks by the same person (Major Malfunction aka
| Adam Laurie). They are pretty old now, but still
| interesting.
|
| Infrared Hacking: https://www.youtube.com/watch?v=61Fo-zg-DqI
|
| Magstripe Hacking:
| https://www.youtube.com/watch?v=ITihB1c3dHw
|
| Satellite Hacking:
| https://www.youtube.com/watch?v=PyXZX63etog
|
| These all hit the sweet spot for me of technologies we
| use all the time but don't really consider the security
| implications.
| ImpulseGuided wrote:
| Thank you very much for linking these.
|
| By the way, did you catch yesterday's thread on the
| Hack-a-Sat(ellite) CTF?
|
| >https://news.ycombinator.com/item?id=31559117
|
| Also congratulations on passing the OSED. Reading your
| 5-part report it looks like you got your money's worth.
|
| Did you study for the OSED full-time or did you manage to
| complete all studying and tasks after work?
| rickostuff wrote:
| Thanks! I actually took three OffSec courses last year.
| The first one I did was the OSWP (wifi) as a sort of warm
| up because it's the easiest course they offer and I knew
| I could knock that out pretty quick. Then I took the OSEP
| course which was a ton of content. Finally I took the
| OSED which was another ton of content and the most
| technical of those three. My work gave me 40 hours of
| in-office time last year for training. I can't recall if
| I used that 40 hours for the OSEP or OSED, but I know I
| used it for one of those two. However, I still put in a
| ton of hours on my own time too. It's just a lot of
| content to go through. 40 hours isn't enough time for
| either of those courses in my opinion. Having no children
| (and an understanding spouse) made it easier for me to
| dedicate a lot of personal time on the training. I love
| OffSec's stuff though and recommend it to anyone who is
| into offensive security and wants practical training.
| amatecha wrote:
| Yeah, I've thought about this a lot with the increased
| popularity of digital modes. Especially those small
| programs made by one or two people, just as you identified.
| I mean, I crashed a friend's radio simply by sending him an
| SMS over DMR (seems like a known issue/limitation with the
| radio firmware). Even well-established products are
| susceptible to attacks. No different from any other modern
| tech I guess :)
| rickostuff wrote:
| I'd like to spend some time digging into radio/tnc
| firmware for vulnerabilities but that's a bit over my
| head. I've managed to dump the firmware from my TNC but I
| haven't found a good way to get it disassembled yet. I've
| got a partial disassembly, but that's it. Unfortunately,
| I won't have more time to work on that for a few months.
| _joel wrote:
| Excellent write up, bonus points if you can do an RCE via ISS
| repeater :D
| rurcliped wrote:
| With CVEs for ham radio, clearly the next step is to add ATT&CK
| tactics and techniques. If you compromise a PC that's connected
| to a ham radio, you might be able to transmit maliciously, or
| interfere with the radio owner's ability to transmit or receive.
| But it turns out that ham radio isn't only about communicating
| with other ham radio people - it's also about using PKI to store
| details of who you communicated with:
| https://lotw.arrl.org/lotw-help/developer-pki/
|
| Private key disclosure seems catastrophic because of their
| scorched-earth security policy
| https://lotw.arrl.org/lotw-help/certificatesecurity/ where the server admins plan to
| invalidate all signed data, even if the same data had been
| sitting on the central server for years before the compromise
| happened. Yet, the docs don't recommend a password for the
| private key except on "shared or public computers." The adversary
| just looks for -----BEGIN PRIVATE KEY----- in a text file in a
| keys directory (the filename is the call letters).
|
| In other words, although executing cmd.exe is a wonderful
| accomplishment, there's also the possibility of 1. wait for the
| PC and radio to be idle, 2. tune the radio to a clear frequency,
| 3. open the victim's private key file, 4. transmit the private
| key with Morse code.
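A check for the condition described above, as an added example that is not TQSL or LoTW code: it classifies PEM files by header and reports which hold a private key stored without a passphrase (the `-----BEGIN PRIVATE KEY-----` case the comment quotes), distinguishing that from a PKCS#8 `ENCRYPTED PRIVATE KEY` block and from a legacy OpenSSL PEM carrying a `Proc-Type: 4,ENCRYPTED` header. The sample files, their callsign-style names and their bodies are constructed placeholders, not key material.

```c
/* Added audit helper for the point above: flag private-key files whose PEM
 * body has no passphrase. Not TQSL/LoTW code; the key files below are
 * constructed stand-ins, not real keys. Classification is by PEM header:
 *   "-----BEGIN ENCRYPTED PRIVATE KEY-----"                    PKCS#8, protected
 *   "-----BEGIN ... PRIVATE KEY-----" + "Proc-Type: 4,ENCRYPTED" legacy PEM, protected
 *   any other "-----BEGIN ... PRIVATE KEY-----"                plaintext */
#include <stdio.h>
#include <string.h>

enum key_state { KEY_NONE = 0, KEY_PLAINTEXT = 1, KEY_ENCRYPTED = 2 };

struct keyfile {
    const char *name;   /* the comment says the file is named by call letters */
    const char *text;
};

/* True if needle occurs within the first len bytes of hay. */
static int has_within(const char *hay, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(hay + i, needle, nl) == 0) return 1;
    return 0;
}

static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Walk every "-----BEGIN " line; the first private-key block decides. */
enum key_state classify_pem(const char *text)
{
    const char *b = text;
    while ((b = strstr(b, "-----BEGIN ")) != NULL) {
        const char *eol = strchr(b, '\n');
        size_t linelen = eol ? (size_t)(eol - b) : strlen(b);
        if (has_within(b, linelen, "PRIVATE KEY-----")) {
            if (starts_with(b, "-----BEGIN ENCRYPTED PRIVATE KEY-----"))
                return KEY_ENCRYPTED;
            /* legacy OpenSSL PEM marks encryption in a header line right after BEGIN */
            if (eol && starts_with(eol + 1, "Proc-Type: 4,ENCRYPTED"))
                return KEY_ENCRYPTED;
            return KEY_PLAINTEXT;
        }
        b += linelen;
    }
    return KEY_NONE;
}

/* Returns how many of the given files hold an unprotected private key. */
int count_plaintext_keys(const struct keyfile *files, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_pem(files[i].text) == KEY_PLAINTEXT) hits++;
    return hits;
}

/* Constructed samples (bodies are placeholders, not key material). */
const struct keyfile SAMPLE_KEYS[] = {
    { "N0CALL",    "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...constructed...\n-----END PRIVATE KEY-----\n" },
    { "XX1XX",     "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHDBOBgkq...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n" },
    { "XX2XX",     "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n...constructed...\n-----END RSA PRIVATE KEY-----\n" },
    { "XX3XX.crt", "-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n" },
};
const size_t SAMPLE_KEYS_N = sizeof SAMPLE_KEYS / sizeof SAMPLE_KEYS[0];

int main(void)
{
    static const char *label[] = { "no key", "PLAINTEXT private key", "encrypted private key" };
    for (size_t i = 0; i < SAMPLE_KEYS_N; i++)
        printf("%-10s %s\n", SAMPLE_KEYS[i].name, label[classify_pem(SAMPLE_KEYS[i].text)]);
    printf("%d file(s) need a passphrase\n", count_plaintext_keys(SAMPLE_KEYS, SAMPLE_KEYS_N));
    return 0;
}
```

Pointing this at a keys directory is left to the caller (read each file into a string and pass it to classify_pem); the header check is the part that matters, since an attacker with a shell only needs the same strstr to find the unprotected file.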
| jacquesm wrote:
| I think the idea here is to prove that it could be done, not to
| show that you can do even more damage once you have RCE.
| imperialdrive wrote:
| As someone who spent time working on radio towers and assisting
| an operator, this was a very warm read. Thank you.
| O__________O wrote:
| Per the article: "Unfortunately, the author no longer has an
| environment configured to develop WinAPRS, so the bugs are
| unlikely to ever be fixed."
|
| It's possible I am missing something, but it seems like at the very
| least they should add a warning to the download page found here:
|
| https://www.winaprs.com/downloads/
| Bytewave81 wrote:
| I still don't understand why the amateur radio community has
| this disdain for open source. It feels like a majority of the
| popular amateur radio software tools out there are closed
| source freeware projects.
| haswell wrote:
| I'm not sure that it's disdain. I think it might just be more
| that it's a niche that matured in a different era, and the
| solutions are "good enough" to not warrant the recreation of
| these tools from scratch.
|
| The amateur radio community isn't enormous, and the overlap
| between operator and developer doesn't always exist.
___________________________________________________________________
(page generated 2022-05-31 23:00 UTC)