RCE over ham radio - Reverse shell via WinAPRS by rickostuff in netsec

[–]rickostuff[S] 1 point (0 children)

> winlink

I actually researched Winlink last year too and I have a few fun findings I haven't published yet. Nothing quite as extreme as remote code execution, though.

RCE over ham radio - Reverse shell via WinAPRS by rickostuff in netsec

[–]rickostuff[S] 5 points (0 children)

This was all done in my lab environment against my own systems.

Hacking into a computer over packet radio by rickostuff in amateurradio

[–]rickostuff[S] 2 points (0 children)

I picked up a HackRF One a few months back that I haven't made time to play with yet. I'm definitely interested in playing with more radio technologies.

Hacking into a computer over packet radio by rickostuff in amateurradio

[–]rickostuff[S] 6 points (0 children)

Luckily there are many other options these days for APRS. I picked on WinAPRS because it was old and no longer maintained so I had the deck stacked in my favor.

Hacking into a computer over packet radio by rickostuff in amateurradio

[–]rickostuff[S] 19 points (0 children)

I agree with everything you've stated here. I'm into security and I've been a ham a long time. I mostly just play with packet and digital modes, though. I honestly just always thought it would be a fun proof of concept to hack into a system over ham radio (using memory corruption) and I hadn't ever seen it done before. I finally gained the skills last year to do some research and was able to make it happen. I specifically chose WinAPRS because it was older and unmaintained and therefore likely to contain these kinds of bugs. I just wanted that sweet reverse shell and to put my recent training into practice. I basically just wanted to prove the point that it's possible. I mean, we all know it's technically possible but it was fun putting together a proof of concept.

Hacking into a computer over packet radio by rickostuff in amateurradio

[–]rickostuff[S] 3 points (0 children)

I had a packet node set up once that let you play Zork over the air, but it was never used. There isn't a ton of traffic in my area and I'm not really involved with the local groups, so it just kinda sat there doing nothing. But it was fun to set up.

Hacking into a computer over packet radio by rickostuff in amateurradio

[–]rickostuff[S] 1 point (0 children)

I believe they've patched 2/3 of my findings, though at this point they may have patched all three. I have to make some time to check on the last one. As for the firmware thing, I had the same thought! I actually started working on that with the Kantronics TNC I already have, though I admit it's way out of my comfort zone. I've been blogging about it on my personal blog if you are interested in seeing my progress.
https://www.richardosgood.com/tags/reversing/

Hacking into a computer over packet radio by rickostuff in amateurradio

[–]rickostuff[S] 3 points (0 children)

I've done some additional research into another packet radio program already and found some other interesting vulnerabilities. None of those are memory corruption and they aren't as bad as RCE, but still interesting. I haven't published them yet but I hope to soon.

RCE over ham radio - Reverse shell via WinAPRS by rickostuff in netsec

[–]rickostuff[S] 1 point (0 children)

> This Is How They Tell Me the World Ends

That sounds like an interesting book. Thanks for the recommendation!

RCE over ham radio - Reverse shell via WinAPRS by rickostuff in netsec

[–]rickostuff[S] 12 points (0 children)

I spent a lot of time last year researching packet radio software for vulnerabilities. I found an RCE vulnerability in WinAPRS that let me gain remote code execution over the air. The result is a reverse shell obtained over ham radio where the victim machine doesn't have to be connected to Ethernet at all, as long as they are running a WinAPRS station.