Advisory: AVM FRITZ!Box: Firmware Signature Bypass

The signature check of FRITZ!Box firmware images is flawed. Malicious code can be injected into firmware images without breaking the RSA signature. The code will be executed either if a manipulated firmware image is uploaded by the victim or if the victim confirms an update on the web interface during a MITM attack.

Details
=======

Product: AVM FRITZ!Box 7490, 7390, 7270v3 and other models
Affected Versions: FRITZ!Box 6810 LTE, since firmware 5.22,
                   FRITZ!Box 6840 LTE, since firmware 5.23,
                   other models, since firmware 5.50
Fixed Versions: FRITZ!Box 7270, since firmware 6.05,
                FRITZ!Box 7270v3, since firmware 6.05,
                FRITZ!Box 7240, since firmware 6.05,
                other models, since firmware 6.20
Vulnerability Type: Improper Verification of Cryptographic Signature
Security Risk: medium
Vendor URL: http://avm.de
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-010
Advisory Status: published
CVE: CVE-2014-8872
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8872

Introduction
============

FRITZ!Box is the brand name of SOHO routers/CPEs manufactured by AVM GmbH. A FRITZ!Box usually combines features such as xDSL modem functionality, routing, wifi access, VoIP, NAS and DECT.

More Details
============

AVM regularly publishes firmware updates to address bugs and to introduce new features. Those updates are cryptographically signed to avoid tampering. The firmware image is either uploaded manually or downloaded semi-automatically by the FRITZ!Box from http://download.avm.de via unencrypted HTTP whenever a new version is available. Technically, AVM firmware images are tar files.
------------------------------------------------------------------------
$ tar --list --file FRITZ.Box_7490.113.06.05.image
./var/
./var/regelex
./var/install
./var/info.txt
./var/tmp/
./var/tmp/filesystem.image
./var/tmp/kernel.image
./var/chksum
./var/signature
------------------------------------------------------------------------

The firmware image contains a shell script called ./var/install, which is invoked after successful verification of the image. It is responsible for flashing the new firmware.

In a tar archive, each file is described by a 512 byte header followed by n*512 bytes of file content. The end of a tar archive is represented by 1024 null bytes after the last content block. In some cases, AVM appends up to 8 KiB of excess null bytes. The whole tar archive, including these additional null bytes, is covered by a cryptographic signature that is stored in the file ./var/signature within the archive. That file contains an MD5 hash of the firmware image, signed with a 1024 bit RSA key. 1024 bytes of space (tar header + content) are normally allocated to the signature file. When calculating the MD5 hash, that space is treated as null bytes.

The library libfwsign.so is responsible for detecting the signature file in the tar headers of the uploaded firmware image. It uses the strstr() function of the C standard library like this:

------------------------------------------------------------------------
if (strstr(filename, "/var/signature")) {
    // signature file found.
    // update hash with 512 + n*512 null bytes.
} else {
    // signature file not found.
    // update hash with tar header and content of current file.
}
------------------------------------------------------------------------

Because strstr() performs a substring match rather than an exact comparison, any of the following names is treated as a signature file, and null bytes instead of the real content are fed to the MD5 hash function:

./var/signature
/var/signature
/tmp/var/signature/example
./var/signature/.././var/install

If such a file is placed after the last legitimate content block (where at least 1024 signed null bytes reside), libfwsign.so computes the same MD5 hash as it would for an unmodified firmware image. As a result, the modified firmware image passes the signature verification.
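To make the difference between the two name tests concrete, here is an added example that is not code from the advisory, from AVM or from RedTeam Pentesting. It models the strstr() substring rule beside an exact-name comparison and implements the kind of pre-upload check a recipient can run on an image: every entry the substring rule would silently replace with null bytes, every entry carrying a ".." path component, and any surplus signature-like entry is reported. The archive layout is a constructed toy with placeholder contents, and all function names are my own; the only value taken from the page is the entry name ./var/signature.

```python
import io
import tarfile

# Exact name of the legitimate signature file inside an AVM firmware image
# (taken from the tar listing in the advisory).
SIGNATURE_NAME = "./var/signature"


def matches_signature_flawed(name: str) -> bool:
    """Substring test, equivalent to strstr(filename, "/var/signature") != NULL."""
    return "/var/signature" in name


def matches_signature_strict(name: str) -> bool:
    """Exact comparison: only the real signature file is treated as such."""
    return name == SIGNATURE_NAME


def audit_image(image: bytes) -> list:
    """Return human-readable findings for a firmware tar image held in memory.

    Flags every entry the substring rule would treat as the signature file
    although it is not exactly ./var/signature, every entry containing a '..'
    path component, and the presence of more than one signature-like entry.
    An empty list means the image shows none of these anomalies.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image), mode="r:") as tar:
        names = [member.name for member in tar.getmembers()]

    signature_like = [n for n in names if matches_signature_flawed(n)]
    for name in signature_like:
        if not matches_signature_strict(name):
            findings.append(f"signature-like name is not the signature file: {name}")
    for name in names:
        if ".." in name.split("/"):
            findings.append(f"path traversal component in entry name: {name}")
    if len(signature_like) > 1:
        findings.append(
            f"{len(signature_like)} entries match '/var/signature' (expected 1)"
        )
    return findings


def build_sample_image(extra_entries=()) -> bytes:
    """Construct a toy archive mimicking the layout of a FRITZ!Box image.

    Constructed sample data only: the contents are placeholders, not a real
    firmware, and the signature bytes are not a real RSA signature.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("./var/install", b"#!/bin/sh\necho flashing\n")
        add("./var/info.txt", b"Version 06.05\n")
        add(SIGNATURE_NAME, b"\x00" * 128)  # placeholder for the RSA signature
        for name, data in extra_entries:
            add(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_image()
    # A second archive with an additional entry whose name would satisfy the
    # substring rule while resolving to ./var/install on extraction.
    suspicious = build_sample_image(
        [("./var/signature/.././var/install", b"#!/bin/sh\n# extra entry\n")]
    )
    for label, image in (("clean", clean), ("suspicious", suspicious)):
        print(label, audit_image(image) or ["no findings"])
```

Running the script prints no findings for the clean archive and three for the second one (a signature-like name that is not the signature file, a traversal component, and two entries matching the substring). The same inspection can be applied to a downloaded image by reading the file into `audit_image`; it complements, rather than replaces, the vendor's signature check, since it only looks at entry names.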
The fourth file name, ./var/signature/.././var/install, contains a directory traversal. When parsed by tar, a warning is generated and anything from the start of the file name up to /../ is omitted. The content of the file is extracted to ./var/install, overwriting the original ./var/install file. Thus, an attacker could easily inject malicious code into ./var/install, which is executed after the manipulated firmware image has passed the signature verification.

Proof of Concept
================

The following command manipulates the latest firmware image for the FRITZ!Box 7490. When uploaded to a vulnerable FRITZ!Box 7490, all LEDs of the device will flash constantly to indicate that code execution has occurred.

------------------------------------------------------------------------
$ xxd -r - FRITZ.Box_7490.113.06.20.image < /var/flash/d
17f28a0: 6562 7567 2e63 6667 0a65 7869 7420 310a  ebug.cfg.exit 1.
17f28b0: 2345 4f46 0a00 0000 0000 0000 0000 0000  #EOF............
17f28c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
*
17f29f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
EOF
------------------------------------------------------------------------

Workaround
==========

Check each firmware image manually for multiple occurrences of the string "/var/signature" in file names using tar --list.

Fix
===

Upgrade to a fixed firmware version. Before upgrading, check the new firmware image for suspicious file names (see "Workaround"). AVM should secure the distribution of firmware images with TLS to prevent MITM attacks.

Security Risk
=============

This vulnerability allows an attacker to inject arbitrary code into AVM firmware images while keeping their cryptographic signature valid. If the attacker is able to perform a Man-in-the-Middle attack between the AVM FRITZ!Box and http://download.avm.de/, firmware images can be manipulated in transit.
Otherwise, attackers need to trick their victims into installing a malicious firmware image. While successful attacks result in the full compromise of a device, they would typically require an attacker in a very strong position. The vulnerability is therefore considered to pose a medium risk.

Timeline
========

2014-03-10 Vulnerability identified
2014-03-12 Vendor notified
2014-05-27 Vendor released fixed version for FRITZ!Box 7270v3
2014-08-12 Vendor released fixed version for FRITZ!Box 7490
2014-09-09 Vendor released fixed version for FRITZ!Box 7390
2014-11-14 CVE number assigned
2014-12-08 Vendor provided updated list of affected and fixed models/versions
2014-12-15 Vendor finished releasing fixed versions for all current models
2015-01-21 Advisory released

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Commercial register: Aachen HRB 14004
Managing directors: Patrick Hof, Jens Liebchen