Security Advisory ================ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Security Advisory ======================================================================= Title: HTML Injection Vulnerability Product: AVM FRITZ!OS Vulnerable Version: All versions prior to 6.30 Fixed Version: 6.30 CVE-ID: CVE-2015-7242 Impact: medium found: 2015-06-02 by: Dr. Daniel Schliebner <firstname.lastname@example.org> http://www.ds-develop.de =======================================================================
Vendor Description: - ------------------- "AVM offers a wide range of products for high-speed broadband connectivity and smart home networking. With the FRITZ! product family, AVM is a leading manufacturer of broadband devices for ADSL, cable, and LTE as well as Smart Home products for wireless LAN, DECT, and Powerline in Germany and Europe. The FRITZ!Box is the best known brand for wireless routers in Germany. In 2014 the communications specialist had 500 employees and generated a turnover of 340 million euros." (http://en.avm.de/about-avm/)
Vulnerability Description: - -------------------------- Current FRITZ!Box router with supported VoIP functionality have open port 5060 in order to send and receive SIP messages for ip telephony. In order to get noticed for incoming calls in absence, many such FRITZ!Box can be set up to send notice e-mails to a user with the callers phone number and its display-name (if given) inserted into the e-mail.
Due to intrinsic problems with SIP communication, a user agent client (UAC), however, needs not to perform a VoIP call by using registrars but can simply initiate an SIP call to another UAC which then has the role of a user agent server (UAS).
When the UAC sends an INVITE message to the UAS coming with a valid phone number, it initiates a ringing on the UAS. In this case, the FRITZ!Box will send a notification e-mail as described above. It uses the display-name and the phone number specified in the From: header for the "who has called" information in the notification e-mail. However, these information are not properly escaped so forged display-names will be inserted invalidated into the e-mail.
This vulnerability can be exploited to perform e.g. CSRF attacks on the client or similar by embedding <img> or <a> tags into the display-name with an src attribute pointing to some malicious destination.
However, the good news is that attackers need to be creative here since the length of the display-name is limited to 20 characters so the embedded HTML code needs to be very short. Using appropriate, very short URLs, however, can still be used to exploit this vulnerability in a serious manner.
Informally, a possible attack would look as follows.
We start by finding a valid user's phone number by trying SIP OPTIONS messages on the FRITZ!Box until we receive a
SIP/2.0 200 OK
response. We thus obtain the phone number and can send the forged INVITE SIP message to the FRITZ!Box. As a result, the notification e-mail to the end user will contain the unescaped sender's FROM display-name and hence possibly embedded HTML code.
Proof of concept: - ----------------- Assume a FRITZ!Box with WAN address 184.108.40.206 and an IP phone with number 493012345678 setup.
Step 1: Initiate TCP connection to FRITZ!Box on port 5060, e.g. using Netcat:
$ nc 220.127.116.11 5060
Step 2: Send forged SIP INVITE message as follows:
INVITE sip:email@example.com SIP/2.0 To: Alice <sip:firstname.lastname@example.org>;tag=123 From: "<a href='#'>Bob</a>" <sip:email@example.com>;tag=456 Call-ID: firstname.lastname@example.org CSeq: 123456 INVITE Via: SIP/2.0/TCP 18.104.22.168;branch=FOO Content-Length: 0
Exploit: - -------- In order to exploit the vulnerability, an attacker needs, for instance, to insert a HTML tag which is short enough for an appropriate URL to be inserted. An example would be for instance
INVITE sip:email@example.com SIP/2.0 To: Alice <sip:firstname.lastname@example.org>;tag=123 From: "<img src=http:c.to>" <sip:email@example.com>;tag=456 Call-ID: firstname.lastname@example.org CSeq: 123456 INVITE Via: SIP/2.0/TCP 22.214.171.124;branch=FOO Content-Length: 0
The site c.to is here assumed to be either compromised by the attacker, too, or under its control. In this case the attacker then can, for instance redirect the user to another URL with malicious code or using other exploits, e.g. the recent RCE/CSRF vulnerability in FRITZ!OS, see , related to FRITZ!OS prior to 6.30.
Vulnerable / tested versions: - ----------------------------- Fritz!Box 7390 with FRITZ!OS 6.24 Fritz!Box 7360 SL with FRITZ!OS 6.20
Vendor contact timeline: - ------------------------ 2015-06-02: Contacting vendor through email@example.com 2015-06-04: Vendor response - vulnerability will be forwarded 2015-06-04: Vendor response - issue has now the incident-ID CID4191652 2015-06-05: Vulnerability advisory sent to vendor 2015-06-04: Vendor response - issue will be fixed 2015-07-01: Vendor response - Issue is fixed in upcoming Fritz!OS 06.25-30758 2015-07-13: Status update - Fritz!OS 6.30 deployment begin 2015-09-21: Contacted vendor to ask for deployment status of update 2015-09-22: Vendor response - update not currently deployed for all products 2016-01-07: Coordinated release of the security advisory
Solution: - --------- Escape HTML entities within the display-name in the From: header or do not allow other characters than [a-z0-9s] within the display-name.