Advisory: AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated Firmware Images The firmware upgrade process of the FRITZ!Box 7490 is flawed. Specially crafted firmware images can overwrite critical files. Arbitrary code can get executed if an attempt is made to install such a manipulated firmware. Details ======= Product: AVM FRITZ!Box 7490, possibly others Affected Versions: versions prior to 6.30 [0] Fixed Versions: >= 6.30 [0] Vulnerability Type: Authenticated Code Execution Security Risk: medium Vendor URL: http://avm.de/ Vendor Status: fixed version released Advisory URL: http://ift.tt/1PgCNA2 Advisory Status: published CVE: CVE-2014-8886 CVE URL: http://ift.tt/1JwdkWA Introduction ============ FRITZ!Box is the brand name of SOHO routers/CPE manufactured by AVM GmbH. The FRITZ!Box usually combines features such as an xDSL modem, a wifi access point, routing, VoIP, NAS and DECT. More Details ============ AVM regularly publishes firmware updates to address bugs and to introduce new features. The firmware image can either be uploaded manually or the FRITZ!Box downloads it semi-automatically from http://download.avm.de/ via unencrypted HTTP if a new version is available. Technically, AVM firmware images are tar files: $ tar --list --file FRITZ.Box_7490.113.06.20.image ./var/ ./var/install ./var/chksum ./var/info.txt ./var/tmp/ ./var/tmp/filesystem.image ./var/tmp/kernel.image ./var/regelex ./var/signature When transferred to the FRITZ!Box, updates are extracted to the root directory before their cryptographic signature is verified. Thus, critical files can be overwritten by specially crafted firmware images. Attackers can use this weakness to execute arbitrary code. For example, the root directory of the web interface is located at /var/html (ramdisk), which is a symlink that points to /usr/www/avm (read-only squashfs). If the victim uploads a tar file that contains a symlink called ./var/html, the web server's root directory is relocated to whatever the malicious symlink points to, e.g. ./var/redteam. There, attackers can place arbitrary content, such as CGIs. Once invoked by a browser, arbitrary code can be executed. As the signature check will inevitably fail, the victim will be asked whether the unsigned firmware image should be processed or not. That confirmation page is formatted by CSS. As a result, the victim's browser will try to reload the main.css, which is now under the control of the attacker. The attacker can manipulate the main.css to trick the victim's browser into loading an attacker-controlled CGI. In total, the upload of a manipulated firmware image can immediately lead to code execution without the need of further action by the victim. Proof of Concept ================ The following command generates a firmware image that leads to code execution when uploaded to a FRITZ!Box 7490. As soon as the FRITZ!Box reports the signature mismatch, a password-less telnetd listening on port 9999 will be started.
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment