JS8Call and JS8Call-Improved Stack-Based Buffer Overflow Vulnerability via APRS GRID Transmission
Vulnerability
A stack-based buffer overflow vulnerability has been identified in JS8Call versions prior to 2.3.1 and in JS8Call-Improved versions prior to 3.0. The issue arises in the 'grid2deg' function within 'APRSISClient.cpp', where the application processes APRS GRID messages. Sending a long Maidenhead locator after the '@APRSIS GRID' command overflows the stack buffer and crashes the application. Because the message is received over the air, this can be triggered remotely through radio transmissions.
Impact
Exploitation of this vulnerability causes the application to crash, disrupting any ongoing processes or communications.
Reproduction
To reproduce this vulnerability, send an APRS GRID message containing a long Maidenhead locator over the radio. The JS8Call application will process this input, leading to a stack-based buffer overflow and causing the application to crash.
Remediation
Users can upgrade to JS8Call version 3.0 or later to address this vulnerability.
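For code that parses locators received over the air, the defensive pattern is to bound the length and check each character before any conversion. The following is an added example, not JS8Call's own code; the function name locator_to_deg and the 8-character limit MAX_LOCATOR_LEN are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_LOCATOR_LEN 8   /* assumption: longest locator this example accepts */

/* Convert a Maidenhead locator to the south-west corner of its square.
 * Returns 0 on success, -1 for input that is too long, odd-length, or
 * contains a character outside the range allowed at its position.
 * No copy into a fixed-size buffer is made; the input is only read. */
int locator_to_deg(const char *loc, double *lat, double *lon)
{
    size_t n = 0;
    if (loc == NULL || lat == NULL || lon == NULL) return -1;
    /* Bounded scan: never reads more than MAX_LOCATOR_LEN + 1 bytes. */
    while (n <= MAX_LOCATOR_LEN && loc[n] != '\0') n++;
    if (n < 2 || n > MAX_LOCATOR_LEN || n % 2 != 0) return -1;

    double lo = -180.0, la = -90.0;
    double lon_step = 360.0, lat_step = 180.0;

    for (size_t i = 0; i < n; i += 2) {
        size_t pair = i / 2;
        int letters = (pair % 2 == 0);            /* pairs alternate letters/digits */
        int base = (pair == 0) ? 18 : (letters ? 24 : 10);
        int a, b;
        if (letters) {
            a = toupper((unsigned char)loc[i]) - 'A';
            b = toupper((unsigned char)loc[i + 1]) - 'A';
        } else {
            a = loc[i] - '0';
            b = loc[i + 1] - '0';
        }
        if (a < 0 || a >= base || b < 0 || b >= base) return -1;
        lon_step /= base;
        lat_step /= base;
        lo += a * lon_step;
        la += b * lat_step;
    }
    *lon = lo;
    *lat = la;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: one valid locator, one oversized. */
    const char *samples[] = { "JN58td", "JN58TDJN58TDJN58TDJN58TD" };
    for (size_t i = 0; i < 2; i++) {
        double la, lo;
        int rc = locator_to_deg(samples[i], &la, &lo);
        printf("%s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```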
