There is a fairly popular line of routers in Europe: the AVM Fritz!Box. It is a router, a mini PBX for VoIP and for analog or ISDN telephony, a media server, and in general everything you could want in one box.
The top AVM models in particular have always been distinguished by "intelligence and wit" (TM), up to the point that some models include a "smart home" system (based on the FHEM server) and a bunch of other goodies.
Take the call-forwarding feature, for example. A call from a mobile phone in Germany to Russia is usually very expensive, but the Fritz can be configured so that an incoming call on one of its lines is redirected (via another VoIP line) to the Russian number dialed afterwards. Thus you can call abroad "through the house" from a mobile phone two orders of magnitude cheaper...
Your humble servant got thoroughly hooked on the Fritz a good many years ago and never regretted it (until recently).
I will say right away: the vulnerability is, to put it mildly, simply a huge hole. And in my humble opinion AVM did not behave, let's say, quite adequately in this whole story.
It all started a couple of weeks ago (I am not giving dates; they are not important). So, here is the story in order, laid out on the shelves so to speak, and I believe (if memory serves) chronologically correct:
- A tabloid scandal flares up in the media: "a lot of people have had money taken from them". Very expensive calls were being made at their expense, sometimes for very large sums.
- The providers are declared the culprits, until (relatively quickly, by the way) the true cause is found, namely the vulnerability in the Fritz!Box.
- AVM "acknowledges" the possibility of a vulnerability.
- AVM acknowledges the presence of a vulnerability and states that it has been found. The statement is very meager and, in my opinion, rather unsuccessfully tries to pin the blame on remote access to the router being enabled. While they analyze it and have not yet fixed the vulnerability, it is recommended to turn remote access off.
For the record, the Fritz has several kinds of remote access:
1) via VPN (disabled by default)
2) via HTTPS to the web management console (disabled by default)
3) via a special protocol for fine-tuning by the provider (enabled by default)
- AVM clarifies that this HTTPS access to the web console is full access to all functions. But it does not explain what that implies.
- A day later, a very little, after all, is explained about what it implies. It is recommended to change all passwords (system, VoIP, etc.), check the logs and every other trifle. About the hole itself, again no specifics.
- AVM rolls out the update for about 30 models. My 7390 (the one facing the outside) is updated automatically, probably after being "forced" by some signal from the provider. I update the second (internal) 7270 manually in the evening, just in case, after saving the old firmware to disk.
- Rumors about the vulnerability circulate in certain circles, but AVM, apart from "a vulnerability in access to the web console", gives no specifics at all. Although this is partly understandable: in Germany alone there are tens of millions of units sold (or "received" from providers).
But still, couldn't a little more have been said?
My comrades and I are naturally indignant and not at all satisfied. In short: keyboard in teeth, and I begin my own investigation.
Unfortunately, for ethical reasons, I will not bore the respected Habr community with the details of the search (do not forget the tens of millions of boxes still in flight; many owners probably have not even thought about updating, and many of my friends had to do it by hand).
When everything has settled down, I will post a second article with the details.
In the meantime, only the following information about the "hacking" of Fritz!Boxes:
- You surf in your browser and accidentally land on a "bad" page, leaving there, among other things, your dynamic (and much worse if static) remote_addr, through which, with remote access open, the criminals climbed into the Fritz console.
- But a password is also needed.
- And here is the most interesting part: every box is able, from the web console, to save all of its "settings" as a file.
- Having crafted in a special way a certain AJAX request to a specific Fritz URL, the attacker feeds it to your browser through that page and, indirectly, to the Fritz, which can hand the settings file over to the owner of the bad page, and you will not notice anything.
And in that file, for the record, are all the passwords, including the system password, all your calls, your phone book, etc. etc. I, for example, have a pair of keys for my DynDNS in there (well, at least only that). In short, if you dig around in there you can find a lot of things.
Theoretically you could, for example (via FHEM), open someone's garage or, worse, their apartment. That is of course only with remote access open (but otherwise the "smart home" works only from home, which IMHO is not comfortable).
For the other scenarios of malicious use of data from the obtained dump, remote access is completely irrelevant.
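The attack described above is a cross-site request: the victim's own browser, already logged in to the box, is made to request the settings-export URL on behalf of a foreign page. The defence on the router side is to refuse export requests that do not come from the box's own origin and do not carry a per-session anti-CSRF token. The following is an added example written for this article and is not AVM's code; the endpoint name, the "fritz.box" and 192.168.178.1 origins, the SID cookie name and the secret key are assumptions or constructed values.

```python
"""Server-side check for a settings-export endpoint against cross-site requests.

Added example (not AVM's code). Origins, cookie name and secret are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed: the origins from which the router's own web console is served.
ROUTER_ORIGINS = {"http://fritz.box", "http://192.168.178.1"}
# Constructed: a per-device secret that never leaves the router.
SERVER_SECRET = b"constructed-server-secret"


def make_csrf_token(session_id: str) -> str:
    """Token bound to the login session, so a foreign page cannot guess or forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict, allowed=ROUTER_ORIGINS) -> bool:
    """True only if the request provably originates from the router's own console.

    Browsers attach Origin to cross-site XHR/fetch; fall back to Referer, and fail
    closed when neither is present, because this endpoint leaks every credential.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in allowed


def allow_export(headers: dict, cookies: dict, form: dict) -> tuple[bool, str]:
    """Decide whether a POST to the settings-export URL may proceed.

    All three conditions are required: a live session, a same-origin request
    and a valid anti-CSRF token submitted with the form (not in a cookie).
    """
    session_id = cookies.get("SID")
    if not session_id:
        return False, "no session"
    if not same_origin(headers):
        return False, "cross-origin request refused"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(session_id)):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

The Origin check alone is not sufficient where older browsers omit the header, which is why the token is mandatory as well; marking the SID cookie SameSite additionally stops the browser from attaching it to the cross-site request in the first place.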
As already mentioned, for ethical reasons there are no specifics yet; I have already said too much.
No one is insured against this, everyone makes mistakes, and, credit where it is due, AVM fixed them very quickly. But no, they did not quite fix it: there was not enough truth. In total, a very, very unpleasant aftertaste remains. You could even say that in this way a company that stood really high in my eyes fell to floor level in just a few days, losing the authority built up over all those years. My comrades share my opinion completely, i.e. it turns out I am not such a pedant after all.
How to live with it? Good night everyone, and don't forget to update if you happen to have a Fritz!Box.
[UPD] Here the esteemed Mirasch, in the second comment on Habr, opened my eyes and rubbed my nose in it, accusing me of plagiarism. So I am adding a link to the supposed "source". However, you will need to be strong in German to comprehend the depth of my fall.
[UPD] For those who need it chewed over, I will try to voice my understanding of the situation:
- AVM says the vulnerability is in remote access (which is closed for "normal" people, so it is the geeks who are to blame);
- Was there a boy at all? The vulnerability is not quite there, or rather not there at all;
- Through this hole you can really dump everything from absolutely everyone (not just the geeks, as you might expect), without using remote access at all;
- As an example of one possible scenario: an attacker sets up a VoIP connection using the data from a dumped settings file, and the profit is hours of chatting on the phone with very expensive girls;
- Questions that interest us:
What else was not said (before)?
What has been done so that this does not happen again?
How can they "look into the eyes" of millions of customers?
Just keep quiet and not look for an alternative?