https://www.coalfire.com/the-coalfire-blog/hacking-ham-radio-winaprs-part-5
Hacking Ham Radio: WinAPRS - Part 5
Application security | 7 minute read

This installment will review and demonstrate functional exploits for WinAPRS on both Windows XP SP3 and Windows 10.

Key takeaways:
* Windows XP is easier to exploit in this instance due to a lack of ASLR.
* Windows 10 is exploitable after grooming heap memory with malicious radio packets.
* WinAPRS will likely remain unpatched.

In part four of this series, we built a three-stage shellcode payload to overcome problems encountered due to corrupted stack memory in the WinAPRS process. The shellcode will theoretically spawn a reverse shell and redirect its output to the ham radio's TNC, where it will then be transmitted over the air. The shellcode will then listen for incoming commands from the TNC's serial port.

This installment will review the final Python exploit code. The exploit will transmit the three-stage shellcode in two separate AX.25 packets. It will then listen for a response from the victim machine and allow the attacker to send commands back over ham radio. We'll then revisit Windows 10 and find a way to work around the Address Space Layout Randomization (ASLR) protections to build a working exploit for the more modern operating system.

Exploit

Windows XP SP3 Exploit

The Python exploit code is based on a publicly available Python script called send_kiss_frame.py, which allows you to generate custom AX.25 packets. The three shellcode stages are assembled separately into Python byte strings and pasted into the final exploit script.

[Ham5-1]

The final payload consists of KISS control characters to begin and end the malicious packet. Then there are AX.25 addressing components to ensure the packet is processed correctly by WinAPRS.
The message portion of the APRS packet begins with the stage one shellcode, followed immediately by stage two. The exploit then fills in any gaps with 'A' characters, ensuring the NSEH and SEH addresses end up in the correct positions. Next, the NSEH and SEH addresses are appended. NSEH contains jump code which instructs the CPU to jump over the SEH address and continue execution. After the SEH address is additional jump code that points the CPU to the beginning of the stage one shellcode. Finally, some 'C' characters are appended to the end to ensure the packet is long enough to trigger the overflow.

[Ham5-2]

The exploit sends the first packet immediately and then waits for user input. It takes a few seconds for the exploit to trigger and for WinAPRS to close. The attacker can then press enter to send stage three and then sit back and wait for their shell.

[Ham5-3]

Success! The exploit worked. I now had a functional exploit which allowed me to hack into a Windows XP SP3 computer using only ham radio. This target virtual machine did have an Ethernet connection, but this exploit would still work even if the target was not connected to a conventional network. If the system is running WinAPRS with a KISS TNC, it is still vulnerable to attack.

[Windows XP Video Demo]

Windows 10 Exploit

I hinted in part three that I was able to get this exploit working on Windows 10. It takes an extra step and is less reliable, but it does work. The main problem with exploiting this vulnerability on modern versions of Windows is ASLR. WinAPRS' program memory sits at addresses that contain a NULL byte, which means we can't point EIP to any address within WinAPRS memory. Since Windows 10 uses ASLR, there's also no reliable address to point the CPU to for a POP, POP, RET instruction sequence in any built-in Windows module, because the base address of Windows' built-in modules changes with every reboot. There is, however, a way to determine an unreliable address containing our shellcode payload.
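Before moving on to the heap layout, it is worth looking at the receive side, which is where a defender can act. The Python below is an added example written for this post; it is not WinAPRS code and not from the Coalfire exploit repository. It decodes a KISS byte stream, walks the AX.25 address field, and flags the two properties that distinguish the packets described above from ordinary APRS traffic: an information field far longer than the 256 bytes APRS allows, and a payload dominated by a single repeated filler byte (the 'A'/'C' padding here, and the NOP filler used for heap grooming later in the post). The 256-byte and 64-byte limits, the callsigns, and the three sample frames are constructed for the example.

```python
"""Inbound KISS/AX.25 checks for an APRS receive path. Added example written
for this post; it is not WinAPRS code and not from Coalfire's exploit repo.
Frame layout follows the KISS and AX.25 specs; the two limits are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

FEND, FESC, TFEND, TFESC = 0xC0, 0xDB, 0xDC, 0xDD
MAX_INFO_LEN = 256   # assumed policy limit: the APRS information-field ceiling
MAX_RUN = 64         # assumed: longest run of one repeated byte a real report needs


def kiss_unframe(raw: bytes) -> List[bytes]:
    """Split a KISS byte stream into frames (command byte + payload), undoing escapes."""
    frames, cur, in_frame, esc = [], bytearray(), False, False
    for b in raw:
        if b == FEND:                   # delimiter; back-to-back FENDs are legal
            if in_frame and cur:
                frames.append(bytes(cur))
            cur, in_frame, esc = bytearray(), True, False
        elif not in_frame:
            continue                    # noise before the first FEND
        elif esc:                       # byte after FESC is a transposed delimiter
            cur.append({TFEND: FEND, TFESC: FESC}.get(b, b))
            esc = False
        elif b == FESC:
            esc = True
        else:
            cur.append(b)
    return frames


def decode_addr(f: bytes) -> str:
    """AX.25 address field: six left-shifted ASCII chars plus an SSID byte."""
    call = bytes(c >> 1 for c in f[:6]).decode("ascii", "replace").strip()
    ssid = (f[6] >> 1) & 0x0F
    return f"{call}-{ssid}" if ssid else call


def longest_run(data: bytes):
    """Return (length, byte) of the longest run of one repeated byte."""
    best, best_b, run = 0, None, 0
    for i, b in enumerate(data):
        run = run + 1 if i and data[i - 1] == b else 1
        if run > best:
            best, best_b = run, b
    return best, best_b


@dataclass
class Finding:
    index: int
    src: Optional[str]
    dst: Optional[str]
    info_len: int
    issues: List[str] = field(default_factory=list)


def inspect_frame(index: int, frame: bytes) -> Finding:
    """Parse one KISS data frame as an AX.25 UI frame and record what an APRS
    client should refuse: oversized info fields and filler-dominated payloads."""
    fnd = Finding(index, None, None, 0)
    if not frame or frame[0] & 0x0F != 0:   # low nibble 0 = data; others are TNC commands
        fnd.issues.append("non-data KISS command")
        return fnd
    ax, addrs, pos = frame[1:], [], 0
    while True:                              # address field ends where bit 0 of the SSID byte is set
        if pos + 7 > len(ax) or len(addrs) == 10:
            fnd.issues.append("malformed address field")
            return fnd
        addrs.append(decode_addr(ax[pos:pos + 7]))
        pos += 7
        if ax[pos - 1] & 0x01:
            break
    if len(addrs) < 2 or pos + 2 > len(ax):
        fnd.issues.append("truncated frame")
        return fnd
    fnd.dst, fnd.src = addrs[0], addrs[1]
    if ax[pos] != 0x03 or ax[pos + 1] != 0xF0:  # APRS uses UI frames with no layer-3 protocol
        fnd.issues.append("not an APRS UI frame")
    info = ax[pos + 2:]
    fnd.info_len = len(info)
    if len(info) > MAX_INFO_LEN:
        fnd.issues.append(f"info field of {len(info)} bytes exceeds {MAX_INFO_LEN}")
    run, byte = longest_run(info)
    if run > MAX_RUN:
        fnd.issues.append(f"run of {run} x 0x{byte:02x} looks like filler")
    return fnd


def inspect_stream(raw: bytes) -> List[Finding]:
    return [inspect_frame(i, fr) for i, fr in enumerate(kiss_unframe(raw))]


# --- constructed sample traffic (test data, not captured packets) ---
def encode_addr(call: str, ssid: int = 0, last: bool = False) -> bytes:
    return bytes(ord(c) << 1 for c in call.ljust(6)) + bytes([0x60 | (ssid << 1) | int(last)])


def kiss_wrap(ax25: bytes) -> bytes:
    """Escape FESC first, then FEND, and add the data-frame command byte and delimiters."""
    esc = ax25.replace(bytes([FESC]), bytes([FESC, TFESC])).replace(bytes([FEND]), bytes([FESC, TFEND]))
    return bytes([FEND, 0x00]) + esc + bytes([FEND])


def ui_frame(dst: str, src: str, src_ssid: int, info: bytes) -> bytes:
    return kiss_wrap(encode_addr(dst) + encode_addr(src, src_ssid, last=True) + b"\x03\xf0" + info)


SAMPLE_STREAM = (
    ui_frame("APRS", "N0CALL", 9, b"!4903.50N/07201.75W-Test")  # ordinary position report
    + ui_frame("APRS", "N0CALL", 9, b"A" * 1000)               # oversized, padded info field
    + ui_frame("APRS", "N0CALL", 9, bytes([0x90]) * 200)       # in-spec length, filler-only payload
)

if __name__ == "__main__":
    for f in inspect_stream(SAMPLE_STREAM):
        print(f.index, f.src, "->", f.dst, f.info_len, f.issues or "ok")
```

Run as a script it prints one line per frame: the position report passes, the padded frame is flagged twice (length and filler), and the 200-byte filler frame is flagged once even though its length is within spec. The same two checks, applied before the packet is copied into a fixed-size buffer, are the kind of input validation whose absence this series describes; the length check alone would have stopped the overflow, and the run-length check gives a logging layer something to alert on when a station starts pushing thousands of near-identical frames.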
I sent a few packets to my WinAPRS victim and searched for them in process memory using WinDbg.

[Ham5-4]

I found them all crammed in next to each other. I noticed that their memory address did not contain a null byte.

[Ham5-5]

I found that this was a 1004kB chunk of heap memory allocated by WinAPRS, apparently to store this packet data.

[Ham5-6]

I found that when WinAPRS restarted, this address changed. Sometimes a lot, sometimes a little bit. It seemed there were a few areas of memory Windows "liked" to start from, and then the exact location varied slightly from there. For example, I saw this chunk of memory allocated in the address ranges 0x03128000-0x03296000, 0x05d8a000-0x05f7d000, and 0x08102000-0x08301000. These areas of memory stayed consistent between reboots. This meant that the chosen heap memory address was somewhat predictable.

The 1004kB memory chunk allocated was big enough to overlap large sections of each of those three primary ranges. If I could fill the entire chunk of memory with my own payloads containing POP, POP, RET instructions, I could have a somewhat decent chance of hitting one of them. I tediously ran over 30 tests manually and chose the address 0x03216170. It seemed to have the most overlap based on the data I was able to collect.

The next step was to find a way to fill that heap buffer with my own packets. I wasn't about to send them over the air for every test; that would take hours per attempt. Instead, I wrote a Python script that emulated a KISS TNC on Windows and sent KISS packets directly to WinAPRS, bypassing the airwaves to simply prove the concept. Through trial and error, I figured out the most bytes I could fit into my packet and have them all still show up in the buffer. I also discovered that the RET instruction (0xC3) was filtered by WinAPRS and could not be used. I therefore replaced the POP, POP, RET instructions with a JMP [esp+0x08] instruction, which had the same effect without the bad character.
The rest of the payload was filled with NOPs (0x90). This is called a "NOP sled". If my hardcoded heap address hits anywhere in the NOP sled, the CPU will just skip over each NOP instruction until it eventually hits my POP, POP, RET equivalent instructions at the end. I also discovered that the buffer could hold about 10,000 packets, so that's how many packets the script sends. This fills up the buffer as much as possible and gives the exploit more chances to hit the JMP [esp+0x08] instruction sequence.

[Ham5-7]

The first step of running the exploit against Windows 10 is to run this heap spray script against the victim. In a real-world attack, you'd have to send these 10,000 packets over the air one after another, blocking the frequency from anyone else. It could work, but it's not very practical and would certainly draw attention. This script simulates that process to save time and to prove the concept.

The Windows 10 exploit then works similarly to the Windows XP exploit, with a few changes. First, there are no structures on the heap that need "fixing" by the shellcode. Also, in Windows 10 I can call most Win32 APIs right from the first payload. In Windows XP, this was not possible due to the corrupted stack memory. However, on Windows 10, I have not found a reliable memory address to obtain a handle to the COM port. This means I don't have a reliable way to access the COM port to send or receive data from the attacking machine. After a lot of trial and error, I found the easiest way to free up the COM port was to simply close the WinAPRS process. This would kill the exploit payload, though, so I was still stuck using multiple shellcode stages injected into an external process, like I did with Windows XP.

Another problem is that Windows 10 is a 64-bit operating system. Explorer.exe is a 64-bit process. My shellcode is 32-bit shellcode.
This means that the Windows XP technique of injecting the shellcode into explorer.exe will no longer work unless I rewrite it to use 64-bit assembly. Instead of reinventing the wheel, the stage one shellcode now calls CreateProcessA to launch a 32-bit cmd.exe process. Stage one then injects stage two into that process instead of explorer.exe, and that process is then used to execute stage two. The 32-bit cmd.exe process acts like a container to execute our 32-bit shellcode.

The second and third stage shellcode are almost identical to the Windows XP shellcode, with one simplification. For the Windows 10 shellcode, I don't close the COM port at the end of stage two. Instead, I leave it open, and stage three just uses the same handle that stage two used.

The Windows 10 exploit is less reliable than the XP exploit because it depends on Windows choosing a heap memory address that includes the hardcoded 0x03216170 address in the exploit. If Windows chooses a heap memory location too far away from there, we won't hit our NOP sled and WinAPRS will simply crash. I've found this technique to be successful approximately one third of the time, probably a bit less. It also requires that the attacker spend a few hours spamming packets at the victim to groom the heap. But it goes to show that an attacker with enough determination can still exploit this vulnerability on a modern operating system.

[Ham5-8]

[Windows 10 Video Demo]

Disclosure

I disclosed this bug and several others to the software authors on December 28, 2020. I wasn't sure if I would receive a reply since the software hadn't been updated since 2013, but was surprised to hear back from them almost immediately. I had a great conversation with the author about the bug I found and other security vulnerability categories they were interested in related to a new project they were working on. I even inspired them to search for overflow bugs in their new project!
Unfortunately, the author no longer has an environment configured to develop WinAPRS, so the bugs are unlikely to ever be fixed. Luckily, there are many other more modern options for APRS software on Windows, so it is simple to switch to something new.

CVEs were obtained on February 9, 2022.
* CVE-2022-24702
* CVE-2022-24701
* CVE-2022-24700

Coalfire is publicly disclosing this bug in accordance with our vulnerability disclosure policy. Full details can be found here: https://www.coalfire.com/vulnerability-disclosure-policy

Full source code for these exploits can be found here: https://github.com/Coalfire-Research/WinAPRS-Exploits

A PDF version of this blog series can be found here: /documents/blog/Hacking-Ham-Radio-WinAPRS

Authors: Rick Osgood, Senior Security Consultant, Labs