Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

AVM FRITZ!OS HTML Injection

🗓️ 08 Jan 2016 00:00:00Reported by Dr. Daniel SchliebnerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 55 Views

AVM FRITZ!OS HTML Injection Vulnerability on VoIP Notifications allows for HTML code embedding in notification e-mails, possibly leading to CSRF attacks

Related
Code
ReporterTitlePublishedViews
Family
CNVD		AVM FRITZ!OS Cross-Site Scripting Vulnerability
15 Jan 201600:00
cnvd
CVE		CVE-2015-7242
12 Jan 201619:00
cve
Cvelist		CVE-2015-7242
12 Jan 201619:00
cvelist
EUVD		EUVD-2015-7173
7 Oct 202500:30
euvd
NVD		CVE-2015-7242
12 Jan 201619:59
nvd
OpenVAS		AVM FRITZ!OS < 6.30 Multiple Vulnerabilities
16 Sep 201800:00
openvas
Prion		Cross site scripting
12 Jan 201619:59
prion
`  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Security Advisory  
=======================================================================  
Title: HTML Injection Vulnerability  
Product: AVM FRITZ!OS  
Vulnerable Version: All versions prior to 6.30  
Fixed Version: 6.30  
CVE-ID: CVE-2015-7242  
Impact: medium  
found: 2015-06-02  
by: Dr. Daniel Schliebner <[email protected]>  
http://www.ds-develop.de  
=======================================================================  
  
Vendor Description:  
- -------------------  
"AVM offers a wide range of products for high-speed broadband  
connectivity and smart home networking. With the FRITZ! product family,  
AVM is a leading manufacturer of broadband devices for ADSL, cable, and  
LTE as well as Smart Home products for wireless LAN, DECT, and Powerline  
in Germany and Europe. The FRITZ!Box is the best known brand for  
wireless routers in Germany. In 2014 the communications specialist had  
500 employees and generated a turnover of 340 million euros."  
(http://en.avm.de/about-avm/)  
  
  
Vulnerability Description:  
- --------------------------  
Current FRITZ!Box router with supported VoIP functionality have open  
port 5060 in order to send and receive SIP messages for ip telephony. In  
order to get noticed for incoming calls in absence, many such FRITZ!Box  
can be set up to send notice e-mails to a user with the callers phone  
number and its display-name (if given) inserted into the e-mail.  
  
Due to intrinsic problems with SIP communication, a user agent client  
(UAC), however, needs not to perform a VoIP call by using registrars but  
can simply initiate an SIP call to another UAC which then has the role  
of a user agent server (UAS).  
  
When the UAC sends an INVITE message to the UAS coming with a valid  
phone number, it initiates a ringing on the UAS. In this case, the  
FRITZ!Box will send a notification e-mail as described above. It uses  
the display-name and the phone number specified in the From: header for  
the "who has called" information in the notification e-mail. However,  
these information are not properly escaped so forged display-names will  
be inserted invalidated into the e-mail.  
  
This vulnerability can be exploited to perform e.g. CSRF attacks on the  
client or similar by embedding <img> or <a> tags into the display-name  
with an src attribute pointing to some malicious destination.  
  
However, the good news is that attackers need to be creative here since  
the length of the display-name is limited to 20 characters so the  
embedded HTML code needs to be very short. Using appropriate, very short  
URLs, however, can still be used to exploit this vulnerability in a  
serious manner.  
  
Informally, a possible attack would look as follows.  
  
We start by finding a valid user's phone number by trying SIP OPTIONS  
messages on the FRITZ!Box until we receive a  
  
SIP/2.0 200 OK  
  
response. We thus obtain the phone number and can send the forged INVITE  
SIP message to the FRITZ!Box. As a result, the notification e-mail to  
the end user will contain the unescaped sender's FROM display-name and  
hence possibly embedded HTML code.  
  
  
Proof of concept:  
- -----------------  
Assume a FRITZ!Box with WAN address 80.0.0.0 and an IP phone with number  
493012345678 setup.  
  
Step 1:  
Initiate TCP connection to FRITZ!Box on port 5060, e.g. using Netcat:  
  
$ nc 80.0.0.0 5060  
  
Step 2:  
Send forged SIP INVITE message as follows:  
  
INVITE sip:[email protected] SIP/2.0  
To: Alice <sip:[email protected]>;tag=123  
From: "<a href='#'>Bob</a>" <sip:[email protected]>;tag=456  
Call-ID: [email protected]  
CSeq: 123456 INVITE  
Via: SIP/2.0/TCP 80.0.0.0;branch=FOO  
Content-Length: 0  
  
  
Exploit:  
- --------  
In order to exploit the vulnerability, an attacker needs, for instance,  
to insert a HTML tag which is short enough for an appropriate URL to be  
inserted. An example would be for instance  
  
INVITE sip:[email protected] SIP/2.0  
To: Alice <sip:[email protected]>;tag=123  
From: "<img src=http:c.to>" <sip:[email protected]>;tag=456  
Call-ID: [email protected]  
CSeq: 123456 INVITE  
Via: SIP/2.0/TCP 80.0.0.0;branch=FOO  
Content-Length: 0  
  
The site c.to is here assumed to be either compromised by the attacker,  
too, or under its control. In this case the attacker then can, for  
instance redirect the user to another URL with malicious code or  
using other exploits, e.g. the recent RCE/CSRF vulnerability in  
FRITZ!OS, see [2], related to FRITZ!OS prior to 6.30.  
  
  
Vulnerable / tested versions:  
- -----------------------------  
Fritz!Box 7390 with FRITZ!OS 6.24  
Fritz!Box 7360 SL with FRITZ!OS 6.20  
  
  
Vendor contact timeline:  
- ------------------------  
2015-06-02: Contacting vendor through [email protected]  
2015-06-04: Vendor response - vulnerability will be forwarded  
2015-06-04: Vendor response - issue has now the incident-ID CID4191652  
2015-06-05: Vulnerability advisory sent to vendor  
2015-06-04: Vendor response - issue will be fixed  
2015-07-01: Vendor response - Issue is fixed in upcoming Fritz!OS  
06.25-30758  
2015-07-13: Status update - Fritz!OS 6.30 deployment begin  
2015-09-21: Contacted vendor to ask for deployment status of update  
2015-09-22: Vendor response - update not currently deployed for all products  
2016-01-07: Coordinated release of the security advisory  
  
  
Solution:  
- ---------  
Escape HTML entities within the display-name in the From: header or do  
not allow other characters than [a-z0-9\s] within the display-name.  
  
  
References  
- ----------  
[1] https://avm.de/service/sicherheitshinweise/  
[2] https://www.redteam-pentesting.de/advisories/rt-sa-2015-001  
  
  
URL  
- ---  
http://ds-develop.de/advisories/advisory-2016-01-07-1-avm.txt  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQEcBAEBAgAGBQJWjqgtAAoJEFA4WIKLTb8OS3YH/1WuuyJw5h1JZjBEW78lz23f  
4sy2n3XLBlQG5deVSjVYH1j6Sbh//5rcn0vUS12jOndOVJjtkgc8eZuM+Vsh5NXn  
qnzagwMZXSeY5mnx6w5UQqzcX4XFv4gTuDzDCfYfqnnwHGHVU6zxuN09hSmGwGBO  
psmuZCNTT9eT1BnJRYib7sPXBEBOzu+0AeL/sNuz84kIXeRbWjthaNPYCbdGMo62  
QFxxltJvnpx18LVmcpJ6bfFfnDSFWT3GFANjBJSdhvR71QcUaArJ6nDADxT/ZE/A  
eyH1IC0h5pbdUzbi2CdaPq2tdzPxHAYJJHjzX/pLkFgJgbAiWpvG5YVaCw7CWGc=  
=27k0  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Jan 2016 00:00Current
EPSS0.00255
avm fritz!oshtml injectionvoip notificationscsrf attacks
55