[aprssig] Escaping \r\n in packets for APRS-IS

Iain R. Learmonth irl at hambsd.org
Fri May 8 09:30:50 EDT 2020


Hi,

On 08/05/2020 13:36, Lynn W Deffenbaugh (Mr) wrote:
> Are you sure it is your radio adding the <CR> to the packet and not the
> IGate that is receiving it? Or where do you actually see this character
> since, as you say, it is dropped by the TNC2 format required by the
> APRS-IS interface.

It's definitely the Yaesu radio.

I've checked with both Dire Wolf and a PK-88 and they are both decoding
a 0x0d at the end of the packets, for example:

MM0ROR-7>UWPYXU,WIDE1-1,WIDE2-1:`xaRl <0x1c>[/`_ <0x0d>

It appears on the air, and being at the end of the packet anyway hasn't
caused issues.

> And further, what is the use case for needing a trailing <CR> on an APRS
> packet?

I don't need it. I suspect this to be a bug in the firmware, but that's
never going to get fixed. What I'd like to figure out is the best way to
handle this, which is likely to be the way that is most consistent with
other IGate software so as to avoid creating modifications to the packet
that other software hasn't made, leading to duplicates and loops.

Some black box testing with Dire Wolf and Xastir seems to indicate that
the common way to handle this is truncating the packets. If the packets
are not truncated then this can lead to a security issue, as it's
possible to send arbitrary additional packets that may bypass checks, or
even send filter commands that may cause an IGate to jam a channel.

If you can send a \r or \n in the middle of the packet, the data that
follows that will be interpreted by the IGate server as a new line, and
a new TNC2 formatted packet.

An example packet has a position report, where the comment is:

"Test packet\r#filter m/1000"

In my implementation where I have tried as much as possible to treat
packets as binary data and not modify them, this gets passed directly to
the server, and the server happily starts sending me all position
reports from 1000 miles around.

In my opinion this is a huge hole in the spec. Without a method of
escaping these characters, this could get missed by implementers and we
end up in a situation that could lead to abuse if systems not handling
this case are widely deployed.

I wonder if Xastir and Dire Wolf have deliberately truncated packets or
if they just got lucky, and I wonder what other IGate implementations
are out there that might not have implemented mitigations for this attack.

Thanks,
Iain MM0ROR.

-- 
https://hambsd.org/
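The line-break injection described in the post and the truncation that Dire Wolf and Xastir appear to apply, written out as an added example; this is not code from the post, from HamBSD, or from any of the IGate projects named. The packet bytes are constructed for illustration, and `server_sees` is an assumed, simplified model of how an APRS-IS server splits the client stream into TNC2 lines (any CR, LF or CRLF ends a line).

```python
"""Added example (not from the mailing-list post): truncating an APRS packet
at the first CR or LF before forwarding it to APRS-IS, so that an embedded
line break cannot be read by the server as a second TNC2 line such as
'#filter m/1000'.  All packet bytes below are constructed."""

import re
from typing import Dict, List, Optional, Tuple

# Constructed sample packets.  The first carries only the trailing 0x0d that
# the post attributes to the Yaesu firmware; the second embeds a CR followed
# by a server command inside the comment field, as in the post's example.
PREFIX = b"MM0ROR-7>APRS,WIDE1-1:!5700.00N/00300.00W-Test packet"
PACKET_TRAILING_CR = PREFIX + b"\r"
PACKET_INJECTED = PREFIX + b"\r#filter m/1000"

# Any CR or LF inside the payload would terminate the TNC2 line early on the
# server side, so the first one is where forwarding must stop.
_LINE_BREAK = re.compile(rb"[\r\n]")


def truncate_at_line_break(packet: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (safe_packet, dropped_tail).

    safe_packet is everything before the first CR or LF; dropped_tail is
    everything after that byte, or None if the packet had no line break."""
    m = _LINE_BREAK.search(packet)
    if m is None:
        return packet, None
    return packet[: m.start()], packet[m.end():]


def to_aprsis_line(packet: bytes) -> bytes:
    """Build the single CRLF-terminated TNC2 line that is sent to APRS-IS."""
    safe, _ = truncate_at_line_break(packet)
    return safe + b"\r\n"


def server_sees(stream: bytes) -> List[bytes]:
    """Assumed model of APRS-IS server line splitting: each CR, LF or CRLF
    ends a line; empty lines are ignored."""
    return [line for line in re.split(rb"\r\n|\r|\n", stream) if line]


def is_server_command(line: bytes) -> bool:
    """Lines starting with '#' are directed at the server rather than being
    packets (the post's example is '#filter m/1000')."""
    return line.startswith(b"#")


def check_and_forward(packet: bytes) -> Dict[str, object]:
    """Truncate the packet and report what was dropped, so an IGate can both
    forward a safe line and log packets that tried to smuggle a second line."""
    safe, tail = truncate_at_line_break(packet)
    injected = tail is not None and any(
        is_server_command(line) for line in server_sees(tail)
    )
    return {
        "line": safe + b"\r\n",
        "truncated": tail is not None,
        "dropped_tail": tail,
        "injected_command": injected,
    }


if __name__ == "__main__":
    # Forwarding the raw bytes: the server would see two lines, the second a
    # filter command.  Forwarding the truncated line: it sees only the packet.
    print("raw    ->", server_sees(PACKET_INJECTED + b"\r\n"))
    print("safe   ->", server_sees(to_aprsis_line(PACKET_INJECTED)))
    print("report ->", check_and_forward(PACKET_INJECTED))
```

Truncating at the first line break is the behaviour the post observes in Dire Wolf and Xastir; the `injected_command` flag is only there so an IGate can log the attempt rather than silently dropping it, which is what a practitioner would want in order to notice an abusive station.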
