maZZoo's blog

Thu, 18 Jan 2007

Fritz!Box 7050 (and others) DoS
Sending a zero-length UDP packet to port 5060 (SIP) of a Fritz!Box will crash the VoIP-telephony application. This works from any IP-interface, including the DSL line.
The vendor, AVM, was notified almost six months ago and stated that it had a fix that same day, but failed to release any firmware update containing the fix. Nevertheless, AVM did release a new (vulnerable) firmware version, 14.04.25, in December 2006, and later, in January, sent me a firmware image to test against the DoS. I couldn't test that January image, as it kept bricking my 7050 whenever I configured the DSL internet interface.
I had sent a report of various tests I did with the Jan-image to AVM, and got ... no reaction. The only thing I noticed is that they have removed the December 2006 image..?!

Here's my personal DECT paranoia conspiracy theory: the kernels of the Dec. and Jan. images contain the string "DECT+AnnexA", and AVM had to remove it for license issues. AVM going DECT?

Obviously the firmware images still contain a Linux kernel with the respective license, so here they are. Source code to be obtained from AVM.



Still awaiting a fix very soon.
Update:
  • AVM advises not to use the above images, as they contain bugs. They may brick your Fritz!Box, as I did with mine. Restoring older firmware is still possible with the recovery tool.
  • AVM is going DECT
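
For detection on a capture or on a gateway in front of the box, the trigger described above can be told apart from ordinary SIP traffic by the UDP length field alone. The following is an added example, not code from the original post; the names `classify`, `sample` and `demo`, the returned labels, and the sample packets (documentation addresses 192.0.2.x, built in memory only) are assumptions.

```python
import struct

SIP_PORT = 5060      # port named in the post
UDP_HEADER_LEN = 8   # RFC 768: the length field counts header + data, so 8 is the minimum


def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet (no link-layer header) for the post's trigger."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or len(packet) < ihl:
        return "not-ipv4"
    if packet[9] != 17 or frag & 0x1FFF:
        return "not-udp"              # other protocol, or a non-first fragment
    avail = min(total_len, len(packet)) - ihl
    if avail < UDP_HEADER_LEN:
        return "truncated-udp"
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != SIP_PORT:
        return "other-port"
    if ulen < UDP_HEADER_LEN or ulen > avail:
        return "malformed-length"     # length field disagrees with RFC 768 or with IP
    if ulen == UDP_HEADER_LEN:
        return "empty-sip-datagram"   # well-formed header, zero bytes of payload
    return "sip-with-payload"


def sample(dport: int, ulen_field: int, payload: bytes = b"") -> bytes:
    """Constructed packet, built in memory only: 192.0.2.1 -> 192.0.2.2."""
    udp = struct.pack("!HHHH", 40000, dport, ulen_field, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp


def demo() -> dict:
    body = b"OPTIONS sip:user@192.0.2.2 SIP/2.0\r\n\r\n"  # constructed, abbreviated
    return {
        "header only": classify(sample(SIP_PORT, 8)),
        "length field 0": classify(sample(SIP_PORT, 0)),
        "normal request": classify(sample(SIP_PORT, 8 + len(body), body)),
        "dns port": classify(sample(53, 8)),
    }


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:15} {label}")
```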

29 writebacks

khorben wrote
FD and BQ
Did you submit this to full disclosure and bugtraq?
maZZoo wrote
Re: FD and BQ
I'm probably 6 months late to call it "full disclosure". The reason I didn't post it there is mainly that I am using the box myself as my day-to-day telephone and it's so simple, quick and stealthy to switch off Fritz!boxes of a whole ISP.
collin wrote
I wonder how long it takes until...
we hear about a massive attack against AVM boxes.
FastBlind wrote

Good find, but the website's color is horrible.
C64 wrote

@FastBlind Not old enough? the good old time :)
Fischauge wrote

Hi all, about 2 years ago, I also had a problem with AVM: AFAIR my DBOX2 sent out a BOOTP request on every startup and this caused the DHCP of the Fritz!Box to hang every time! I told this to AVM and they answered: "This is not our problem! Because these satellite receivers got a new software, the FritzBox doesn't need to work with them!" Unbelievable... Many months later the problem was fixed, AFAIR because the DHCP also had other problems.
blubbi wrote

Hi! I've got a FRITZ!Box Fon 5140, firmware version 43.04.25. If I send a zero length UDP packet, the VoIP-telephony application doesn't crash:
sendip -p ipv4 -p udp -us 3423 -ud 5060 -ul 0 fritz.box
maZZoo wrote
@blubbi
The command line you provide sends out something, but I wouldn't call it UDP. It's only something that almost looks like UDP.

A "zero-length UDP packet" is something else...
Augenkrebs wrote
It's really awful
to choose such a background color -- barely readable
Jan wrote
Other boxes?
My box, FRITZ!Box Fon WLAN 7170 (UI), Firmware Labor-Version 29.04.28-5702 seems not to be affected, at least hping.exe --udp -p 5060 [boxip] did not hurt it in any way. Do you know anything about this exploit on other boxes and/or the "Labor" (beta) firmwares?
ano wrote

@Jan hping.exe --udp -p 5060 [boxip] is bullshit! This won't send a zero-length UDP packet. It isn't possible to send zero-length UDP packets with hping. You have to use something like Sendip or write your own program.
blubbi wrote

@maZZoo So, you mean with a payload size of 0? "hping -2 -d 0 -p 5060 fritz.box" doesn't work either.
Moosbrugger wrote
@FastBlind
Just select everything (== invert!), then you can read pages like this too. Regards
nobody wrote

Isn't it possible to change the port on the fritzbox? Or add an iptables filter for 0-byte UDP packets? Is there any workaround for this problem?
mazzoo wrote
@nobody
Yes, if you install iptables, which includes voiding the warranty (https://events.ccc.de/congress/2006/Fahrplan/events/1622.en.html), and write the rule. But I want AVM to fix their problem. The boxes are widespread, but it's unlikely today's grandparents will type a proper iptables rule.

So it may be a fix for you, yes.
mazzoo wrote
@blubbi
The packets of your last hping command look correct, and I tested it with hping3, and your command works!

Maybe a 5140 is safe?
Alexander wrote
5140 seems to be safe
I just tried out "hping3 -2 -d 0 -p 5060 fritz.box" with my 1&1 Fritz!Box 5140 (43.04.25), and it did not cause any trouble.
iQ wrote
I doubt iptables will help...
I myself own a 50xx AVM Fritzbox, and what I've seen on a shell there is that they don't use the Linux kernel for the networking setup. What I understand is that not only the VoIP stuff but also the firewalling, routing, webserver, and DHCP are all provided with the big binary blob you find on this box. So even if you get an iptables binary on that box, it probably won't work...
hotti wrote
"another" 14.04.25 firmware problem
to whom it may concern: the 14.04.25 firmware version crashes the "call-through" function - insufficient phone support by AVM to recover the older version -
Jo wrote
DECT for sure
AVM is selling the 7150 including a DECT Handset. So yes they go that way. http://www.avm.de/de/Presse/Informationen/2006/2006_11_21.php3?linkident=titel
mazzoo wrote
@Jo
jip, I just saw that after my blogpost, so my conspiracy theory is gone :(

Still a surprise to see the string inside the "classic" Fritz!boxes...
PChaos wrote
DECT
I am pretty sure they just have one general build for the firmware, and differences between the different models are just different modules and settings for hardware support as well as some config stuff. Not to mention possibly different sizes of flash memory.
avvvmer wrote

Hello, but what can I do to repair my box, because I can't call without my fritz-box. Thank you for answering.
Carsten wrote

Update from AVM: http://www.avm.de/files/fritz.box/fritzbox.fon_wlan_7050/firmware/info.txt
mazzoo wrote
@avvvmer
If just calling is impossible you only need to reboot the box (pull/plug power). If you bricked the box (no network interface reacts in any way), restore it with the Windows recovery tool.
AustriaRoman wrote
New Firmware 14.04.26
New AVM firmware for 7050 Annex A is available for download via the AVM FTP server.
Holzspielzeug TIMBaER wrote
AVM rockz
Hello, thanks for this information. I'm a big fan of AVM; they simply make the best routers. I would rework the color of the blog, though. It's really awful to read.
alambre wrote
AVM
Huh, a very blue background with black text is not easy to read, though :( Otherwise I also think AVM is the best!
kapatcha wrote
AVM my best friend
For me AVM does a great job, I never had problems with my AVM router. Just easy to configure.
