Thu, 18 Jan 2007
Fritz!Box 7050 (and others) DoS
Sending a zero-length UDP packet to port 5060 (SIP) of a Fritz!Box will crash the VoIP-telephony application. This works from any IP-interface, including the DSL line.
The vendor AVM was notified almost six months ago and stated that same day that they had a fix, but failed to release any firmware update containing it. Nevertheless, AVM did release a new (vulnerable) firmware version 14.04.25 in December 2006, and later, in January, they sent me a firmware image to test against the DoS. I couldn't test that January image, as it kept bricking my 7050 whenever I configured the DSL internet interface.
I had sent a report of various tests I did with the Jan-image to AVM, and got ... no reaction. The only thing I noticed is that they have removed the December 2006 image..?!
Here's my personal DECT paranoia conspiracy theory: the kernels of the Dec. and Jan. images contain the string "DECT+AnnexA", and AVM had to remove it for license issues. AVM going DECT?
Obviously the firmware images still contain a Linux kernel with the respective license, so here they are. Source code to be obtained from AVM.
Still awaiting a fix very soon.
- AVM advises not to use the above images, as they contain bugs. They may brick your Fritz!box, as I did with mine. Restoring older FW is still possible with the recovery tool.
- AVM is going DECT
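
Added example, not part of the original post or of any AVM code: a monitoring-side classifier that separates a valid empty UDP datagram (length field 8, no payload) on port 5060 from a header whose length field is below the 8-byte minimum, which is not valid UDP. The sample packets, addresses and function names are constructed for illustration; it assumes unfragmented IPv4 and does not verify checksums.

```python
import struct

SIP_PORT = 5060
UDP_HEADER_LEN = 8  # RFC 768: the length field counts header + data, so minimum is 8


def classify_udp(ip_packet: bytes) -> str:
    """Classify one raw, unfragmented IPv4 packet with respect to SIP port 5060."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (ip_packet[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or ip_packet[9] != 17 or len(ip_packet) < ihl + UDP_HEADER_LEN:
        return "not-udp"
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    available = min(total_len, len(ip_packet)) - ihl   # bytes left for UDP
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", ip_packet[ihl:ihl + 8])
    if dport != SIP_PORT:
        return "other-port"
    if udp_len < UDP_HEADER_LEN or udp_len > available:
        return "malformed-length"              # e.g. length field 0: not real UDP
    if udp_len == UDP_HEADER_LEN:
        return "empty-datagram"                # the zero-length case from the post
    return "has-payload"


def build(dport: int, udp_len_field: int, payload: bytes = b"") -> bytes:
    """Construct a sample IPv4/UDP packet (constructed test data, checksums left 0)."""
    udp = struct.pack("!HHHH", 3423, dport, udp_len_field, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + udp


def summarize(packets) -> dict:
    """Count packets per class, e.g. to alert on empty datagrams to port 5060."""
    counts = {}
    for pkt in packets:
        kind = classify_udp(pkt)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed samples: valid empty datagram, length field 0, normal payload, other port
SAMPLES = [build(5060, 8), build(5060, 0), build(5060, 12, b"ping"), build(53, 8)]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```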
FD and BQ
Did you submit this to full disclosure and bugtraq?
Re: FD and BQ
I'm probably 6 months late to call it "full disclosure". The reason I didn't post it there is mainly that I am using the box myself as my day-to-day telephone and it's so simple, quick and stealthy to switch off Fritz!boxes of a whole ISP.
I wonder how long it takes until...
we hear about a massive attack against AVM boxes.
Nice find, but the color of the website is horrible.
Not old enough? the good old time :)
Hi all, about 2 years ago, I also had a problem with AVM: AFAIR my DBOX2 sent out a BOOTP request on every startup and this caused the DHCP of the Fritz!Box to hang every time! I told this to AVM and they answered: "This is not our problem! Because these satellite receivers got a new software, the FritzBox doesn't need to work with them!"
Many months later the Problem was fixed AFAIR because the DHCP also had other problems.
I've got a FRITZ!Box Fon 5140, Firmware-Version 43.04.25
If I send a zero length UDP packet, the VoIP-telephony application doesn't crash.
sendip -p ipv4 -p udp -us 3423 -ud 5060 -ul 0 fritz.box
the command line you provide sends out something, but I wouldn't call it UDP. It's only something that almost looks like UDP.
A "zero-length UDP packet" is something else...
It really is terrible
to choose such a background color -- barely readable
My box, FRITZ!Box Fon WLAN 7170 (UI), Firmware Labor-Version 29.04.28-5702 seems not to be affected, at least hping.exe --udp -p 5060 [boxip] did not hurt it in any way. Do you know anything about this exploit on other boxes and/or the "Labor" (beta) firmwares?
hping.exe --udp -p 5060 [boxip]
This won't send a zero-length UDP packet. It isn't possible to send zero-length UDP packets with hping. You have to use something like Sendip or write your own program.
So, you mean with a payload size of 0?
"hping -2 -d 0 -p 5060 fritz.box"
doesn't work either.
Just select everything (== invert!)
then you can read pages like this too
Isn't it possible to change the port on the Fritz!Box?
Or add an iptables filter for 0 byte udp packets ?
Is there any workaround for this Problem ?
yes, if you install iptables, which includes voiding the warranty (https://events.ccc.de/congress/2006/Fahrplan/events/1622.en.html), and write the rule. But I want AVM to fix their problem. The boxes are widespread, but it's unlikely today's grandparents will type a proper iptables rule.
so it may be a fix for you, yes.
the packets of your last hping command look correct, and I tested it with hping3, and your command works!
Maybe a 5140 is safe?
5140 seems to be safe
I just tried out "hping3 -2 -d 0 -p 5060 fritz.box" with my 1&1 Fritz!Box 5140 (43.04.25), and it did not cause any trouble.
I doubt iptables will help...
I myself own a 50xx-AVM Fritzbox and what I've seen on a shell there is, they don't use the linux-kernel for the networking-setup.
What I understand is, that not only the VoIP-stuff but also the firewalling, routing, webserver, and dhcp are all provided with the big binary blob you find on this box.
so even if you get an iptables-binary on that box, it probably won't work...
"another" 14.04.25 firmware problem
to whom it may concern: the 14.04.25 firmware version crashes the "call-through" function - insufficient phone support by AVM to recover the older version -
DECT for sure
AVM is selling the 7150 including a DECT Handset. So yes they go that way.
jip, I just saw that after my blogpost, so my conspiracy theory is gone :(
Still a surprise to see the string inside the "classic" Fritz!boxes...
I am pretty sure they just have one general build for the firmware, and differences between the different models are just different modules and settings for hardware support as well as some config stuff. Not to mention possibly different sizes of flash memory.
but what can I do to repair my box, because I can't call without my fritz-box.
Thank you for answering.
Update from AVM:
If just calling is impossible you only need to reboot the box (pull/plug power). If you bricked the box (no network interface reacts in any way) restore it with the Windows recovery tool.
New Firmware 14.04.26
Holzspielzeug TIMBaER wrote
New AVM firmware for 7050 annex A is available for download via the AVM FTP server.
Hello, thanks for this information. I'm a big fan of AVM; they simply make the best routers.
I would rework the color of the blog, though. It's really awful to read.
Huh, a very blue background with black text is not easy to read :(
Otherwise I also think AVM is the best!
AVM my best friend
For me AVM does a great job, I never had problems with my AVM router. Just easy to configure.