[aprssig] Security for the aprs protocol and software
Scott Miller
scott at opentrac.org
Wed Aug 26 18:32:24 EDT 2009
And basically we just have to hope that Roger was as vigilant with
UI-View, since we don't have any way to check.
In my experience, MOST programmers haven't had any real exposure to this
stuff. A lot of it isn't obvious. How many of us have used printf(foo)
without a second thought? I think the first format string exploit was
only about 10 years ago.
There's a lot of string parsing going on in an APRS client, and lots of
rules and exceptions to rules to follow. That makes a lot of possible
targets for data driven attacks.
If I were going to connect a sensitive machine to the APRS IS (and
assuming I was only listening) I'd probably use another server to
connect to the IS, sanitize the data a bit (remove unprintable
characters not needed for mic-e, nulls, etc) and spit it out to the
secure machine over a one-way serial link. Doesn't stop the secure
machine from getting hacked, but it makes it a lot more difficult to do
anything if there's no other network path back. We used to pull the TX
pins on AUI adapters for intrusion detection machines for just that
reason. It's hard to hack what you can't see.
Some aspects of the system just don't lend themselves to securing. For
example, you can generate a packet on the air that has a CR/LF pair and
a fake second packet in TNC-2 format grafted on. By the time it gets to
an IS client, there's no way to tell that it wasn't two legitimate
packets. Not that that really matters since you can spoof packets all
day anyway, but it might at least get you past filters on an IGate.
Scott
N1VG
Curt, WE7U wrote:
> On Tue, 25 Aug 2009, Scott Miller wrote:
>
>> I'm not convinced that it's THAT impossible, but you're right, it'd be
>> entirely dependent on the client software. Has anyone ever looked
>> closely at potential buffer overflows in APRS clients?
>
> Yes. I gave a crack at fixing such in Xastir several years back
> which resulted in hundreds of changes in string handling routines.
>
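As an added illustration of two points in the message above (the CR/LF pair with a fake second TNC-2 line grafted on, and the "sanitize the data a bit" step on the relay machine), here is example code written for this page; it is not from Xastir, UI-View or any other APRS project. Assumptions: the sample packet is constructed, not captured; bytes 0x1C through 0x7F are kept because Mic-E packs longitude, speed and course as value+28, so every byte in 28..127 can legitimately appear in a Mic-E information field; bytes 0x80 and above are left alone so that high-bit comment text survives; only control bytes below 0x1C (which include NUL, CR and LF) are dropped.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample (not a captured packet): one on-air packet in TNC-2
 * form whose information field carries an embedded CR/LF followed by a
 * second, fake TNC-2 line. An IGate that forwards this as-is hands the
 * APRS-IS two lines, and a downstream client cannot tell them apart. */
static const char RAW_PACKET[] =
    "N0CALL>APRS,WIDE1-1:>hello\r\n"
    "FAKE0>APRS,TCPIP*:!4903.50N/07201.75W-bogus";

/* Mic-E information fields encode values as byte+28, so 0x1C..0x7F are all
 * legitimate payload bytes and must survive. Bytes >= 0x80 are left alone
 * (assumption: high-bit comment text is tolerated). Everything below 0x1C,
 * i.e. NUL, TAB, CR, LF and the other C0 controls, is dropped. */
static int keep_byte(unsigned char c) {
    return c >= 0x1C;
}

/* Copy in[0..n) to out, dropping bytes keep_byte() rejects. Returns the
 * number of bytes written; out is always NUL-terminated (outcap >= 1). */
size_t sanitize_aprs(const unsigned char *in, size_t n,
                     unsigned char *out, size_t outcap) {
    size_t w = 0;
    for (size_t i = 0; i < n && w + 1 < outcap; i++) {
        if (keep_byte(in[i])) {
            out[w++] = in[i];
        }
    }
    out[w] = '\0';
    return w;
}

/* Mimics a naive APRS-IS line reader: counts how many TNC-2 lines a client
 * would see if buf were written out and followed by one CR/LF terminator.
 * Each embedded CR, LF or CR/LF pair ends a line; empty lines are ignored. */
size_t count_tnc2_lines(const unsigned char *buf, size_t n) {
    size_t lines = 0;
    size_t start = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == '\r' || buf[i] == '\n') {
            if (i > start) {
                lines++;
            }
            if (buf[i] == '\r' && i + 1 < n && buf[i + 1] == '\n') {
                i++;                 /* treat CR/LF as a single terminator */
            }
            start = i + 1;
        }
    }
    if (n > start) {
        lines++;                     /* trailing data gets the gateway's CR/LF */
    }
    return lines;
}

int main(void) {
    unsigned char clean[256];
    size_t n = sizeof(RAW_PACKET) - 1;
    const unsigned char *raw = (const unsigned char *)RAW_PACKET;

    size_t w = sanitize_aprs(raw, n, clean, sizeof clean);

    /* Log with an explicit "%s": the information field is data, not a format. */
    printf("raw:       %zu line(s) seen by a naive IS reader\n",
           count_tnc2_lines(raw, n));
    printf("sanitized: %zu line(s) seen by a naive IS reader\n",
           count_tnc2_lines(clean, w));
    printf("sanitized: %s\n", (const char *)clean);
    return 0;
}
```

After sanitizing, the grafted text is still there, but as printable data inside the one real packet's information field rather than as a second line, so an IGate filter or an IS client sees exactly one packet from N0CALL. As the message says, this does nothing about spoofing; it only keeps one transmission from becoming two. The same habit applies to the `printf(foo)` remark above: log a received line as `printf("%s\n", line)` so that any `%` characters in the information field are treated as data rather than as format directives.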