I was in close contact with AVM the last two days and they did a good and quick job; I had gotten that firmare this morning already but only found time now to test it. It IS fixed :)
So to AVM I need to say: thanks for all the Fritz! And for the rest of you who might still be disappointed about the long time it took from my first report to the fix, one of the remarkable statements from AVM was that because there was no remote execution vulnerability or any danger of information leakage at any time they just planned to fix the DoS condition in the next feature release. Real security threats will still be handled immediatly. Hope the day for proof doesn't come :P
Sending a zero-length UDP packet to port 5060 (SIP) of a Fritz!Box will crash the VoIP-telephony application. This works from any IP-interface, including the DSL line.
The vendor AVM was notified almost six month ago, he stated he had a fix still on that same day, but failed to release any firmware updates containing the fix. Nevertheless AVM did release a new (vulnerable) firmware version 14.04.25 in December 2006, and later they had sent me a firmware image in January to test against the DoS. I couldn't test that Jan-image as it kept bricking my 7050 whenever I configured the DSL internet interface.
I had sent a report of various tests I did with the Jan-image to AVM, and got ... no reaction. The only thing I noticed is that they have removed the December 2006 image..?!
Here's my personal DECT paranoia conspiracy theory: the kernels of the Dec. and Jan. images contain the string "DECT+AnnexA", and AVM had to remove it for license issues. AVM going DECT?
obviously the firmware images still contain a linux kernel with the respective license, so here they are. Source code to be obtained from AVM.
actually I had preferred to title this blog post "update your Fritz! box now"...
about a year ago in Jan 2006 I had discovered a very simple DoS against the telephone application in my Fritz! box 7050. It is triggered by a single UDP packet and works from the internal LAN, as well as from the internet. For the less technichally inclined reader: UDP means the packet can be even spoofed, which leaves the victim blind about who the attacker was...
The effect is that outgoing phonecalls won't work anymore.
I kept updating my Fritz! box with various firmware releases from AVM, but the bug wasn't fixed. So on July 21st 2006 I contacted AVM about the bug, and they stated were able to reproduce and fix the bug within the same day (hey, and they did that on a friday afternoon!).
I tried to be kind and told them I wanted a fix within two month, and that I will not disclose the bug within that timeframe. AVM was even kinder and sent me a T-Shirt plus some more HW bakshish (including that same vulnerability :), and the promise that the bug will be fixed with the 2nd-next firmware-release, as the subsequent release was in the next week, and it was too late to include the fix...
Then there simply were no more firmware updates for monthes. Now on December 13th 2006 a new firmware version 14.04.25 was released. I tested it this morning, but guess what? 14.04.25 is still vulnerable.
So I contacted AVM again, this time with a strict time constraint of 14 days, after that I will disclose what that UDP packet looks like.
BTW: I didn't look at the details, but it "feels" as if this bug doesn't lead to remote execution.
Read more on Jan 17th here...
I am at ICMP3 a nice hacker's event meeting nice people and having fun with lots of HW and SW. I will give a speech tomorrow, for which I still have to prepare some slides.
I was assuming I can find a lot of VoIP/SIP HW here to play around with, but I was a little bit disappointed not to find too much. I had prepared a piece of SW to stress VoIP phones (later there will be more on this), I also had success on all of them (as in crashing them).
The only exception is a Cisco 7905 SIP phone, where I couldn't even get to the point of attacking the SIP stack or codecs. The market leader in IP networking HW has implemented a remote reboot procedure: