home
    blog
    feed
    eyes
    info

Thu, 18 Jan 2007

Fritz!Box 7050 (and others) DoS

Sending a zero-length UDP packet to port 5060 (SIP) of a Fritz!Box will crash the VoIP-telephony application. This works from any IP-interface, including the DSL line.
The vendor AVM was notified almost six month ago, he stated he had a fix still on that same day, but failed to release any firmware updates containing the fix. Nevertheless AVM did release a new (vulnerable) firmware version 14.04.25 in December 2006, and later they had sent me a firmware image in January to test against the DoS. I couldn't test that Jan-image as it kept bricking my 7050 whenever I configured the DSL internet interface.
I had sent a report of various tests I did with the Jan-image to AVM, and got ... no reaction. The only thing I noticed is that they have removed the December 2006 image..?!

Here's my personal DECT paranoia conspiracy theory: the kernels of the Dec. and Jan. images contain the string "DECT+AnnexA", and AVM had to remove it for license issues. AVM going DECT?

obviously the firmware images still contain a linux kernel with the respective license, so here they are. Source code to be obtained from AVM.

• the official december image: fritz.box_fon_wlan_7050.14.04.25.image
• the inoffial image I received in january: firmware-avm-1und1-14.04.25-release-build_1251-5644M-FRITZ.Box_Fon_WLAN_7050.image

• AVM advises not to use the above images, as they contain bugs. They may brick your Fritz!box, as I did with mine. Restoring older FW is still possible with the recovery tool.
• AVM is going DECT

validate HTML