what you don't know can hurt you


Posted Jan 8, 2016
Authored by Dr. Daniel Schliebner | Site ds-develop.de

AVM FRITZ!OS versions prior to 6.30 suffer from an html injection vulnerability.

tags | exploit, xss
advisories | CVE-2015-7242
MD5 | dcd16a580d0499a6e3647aac49072c65


Change Mirror Download

Hash: SHA1

Security Advisory
Title: HTML Injection Vulnerability
Vulnerable Version: All versions prior to 6.30
Fixed Version: 6.30
CVE-ID: CVE-2015-7242
Impact: medium
found: 2015-06-02
by: Dr. Daniel Schliebner <mail@ds-develop.de>

Vendor Description:
- -------------------
"AVM offers a wide range of products for high-speed broadband
connectivity and smart home networking. With the FRITZ! product family,
AVM is a leading manufacturer of broadband devices for ADSL, cable, and
LTE as well as Smart Home products for wireless LAN, DECT, and Powerline
in Germany and Europe. The FRITZ!Box is the best known brand for
wireless routers in Germany. In 2014 the communications specialist had
500 employees and generated a turnover of 340 million euros."

Vulnerability Description:
- --------------------------
Current FRITZ!Box router with supported VoIP functionality have open
port 5060 in order to send and receive SIP messages for ip telephony. In
order to get noticed for incoming calls in absence, many such FRITZ!Box
can be set up to send notice e-mails to a user with the callers phone
number and its display-name (if given) inserted into the e-mail.

Due to intrinsic problems with SIP communication, a user agent client
(UAC), however, needs not to perform a VoIP call by using registrars but
can simply initiate an SIP call to another UAC which then has the role
of a user agent server (UAS).

When the UAC sends an INVITE message to the UAS coming with a valid
phone number, it initiates a ringing on the UAS. In this case, the
FRITZ!Box will send a notification e-mail as described above. It uses
the display-name and the phone number specified in the From: header for
the "who has called" information in the notification e-mail. However,
these information are not properly escaped so forged display-names will
be inserted invalidated into the e-mail.

This vulnerability can be exploited to perform e.g. CSRF attacks on the
client or similar by embedding <img> or <a> tags into the display-name
with an src attribute pointing to some malicious destination.

However, the good news is that attackers need to be creative here since
the length of the display-name is limited to 20 characters so the
embedded HTML code needs to be very short. Using appropriate, very short
URLs, however, can still be used to exploit this vulnerability in a
serious manner.

Informally, a possible attack would look as follows.

We start by finding a valid user's phone number by trying SIP OPTIONS
messages on the FRITZ!Box until we receive a

SIP/2.0 200 OK

response. We thus obtain the phone number and can send the forged INVITE
SIP message to the FRITZ!Box. As a result, the notification e-mail to
the end user will contain the unescaped sender's FROM display-name and
hence possibly embedded HTML code.

Proof of concept:
- -----------------
Assume a FRITZ!Box with WAN address and an IP phone with number
493012345678 setup.

Step 1:
Initiate TCP connection to FRITZ!Box on port 5060, e.g. using Netcat:

$ nc 5060

Step 2:
Send forged SIP INVITE message as follows:

INVITE sip:493012345678@ SIP/2.0
To: Alice <sip:493012345678@>;tag=123
From: "<a href='#'>Bob</a>" <sip:4930111111111@sip.net>;tag=456
Call-ID: abc@foo.com
CSeq: 123456 INVITE
Via: SIP/2.0/TCP;branch=FOO
Content-Length: 0

- --------
In order to exploit the vulnerability, an attacker needs, for instance,
to insert a HTML tag which is short enough for an appropriate URL to be
inserted. An example would be for instance

INVITE sip:493012345678@ SIP/2.0
To: Alice <sip:493012345678@>;tag=123
From: "<img src=http:c.to>" <sip:4930111111111@sip.net>;tag=456
Call-ID: abc@foo.com
CSeq: 123456 INVITE
Via: SIP/2.0/TCP;branch=FOO
Content-Length: 0

The site c.to is here assumed to be either compromised by the attacker,
too, or under its control. In this case the attacker then can, for
instance redirect the user to another URL with malicious code or
using other exploits, e.g. the recent RCE/CSRF vulnerability in
FRITZ!OS, see [2], related to FRITZ!OS prior to 6.30.

Vulnerable / tested versions:
- -----------------------------
Fritz!Box 7390 with FRITZ!OS 6.24
Fritz!Box 7360 SL with FRITZ!OS 6.20

Vendor contact timeline:
- ------------------------
2015-06-02: Contacting vendor through info@avm.de
2015-06-04: Vendor response - vulnerability will be forwarded
2015-06-04: Vendor response - issue has now the incident-ID CID4191652
2015-06-05: Vulnerability advisory sent to vendor
2015-06-04: Vendor response - issue will be fixed
2015-07-01: Vendor response - Issue is fixed in upcoming Fritz!OS
2015-07-13: Status update - Fritz!OS 6.30 deployment begin
2015-09-21: Contacted vendor to ask for deployment status of update
2015-09-22: Vendor response - update not currently deployed for all products
2016-01-07: Coordinated release of the security advisory

- ---------
Escape HTML entities within the display-name in the From: header or do
not allow other characters than [a-z0-9\s] within the display-name.

- ----------
[1] https://avm.de/service/sicherheitshinweise/
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2015-001

- ---
Version: GnuPG v2

Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By