
[Honeypot Alert] Fritz!Box – Remote Command Execution Exploit Attempt

Our web honeypots picked up some exploit attempts for a remote command execution vulnerability in FRITZ!Box, a series of routers produced by AVM. This exploit targets router firmware issues, and we're seeing an increase in this type of activity.

Here are the PoC vulnerability details from Exploit-DB:

[Screenshot: Exploit-DB proof-of-concept entry]

Honeypot Attack Example

One of our web honeypot systems located in Boston, USA received an attack from a system in the Netherlands:

[Screenshot: honeypot record of the attack]

Here is a screenshot from the ModSecurity audit log entry for the attack:

[Screenshot: ModSecurity audit log entry]

The yellow-highlighted section shows the source IP, a CentOS system known for sending spam. The green-highlighted section is the attack payload.

Here is what the payload looks like once it is URL-decoded. The green-highlighted section shows the command that will be executed:

//cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=& allcfgconv -C voip -c -o - ../../../../../var/tmp/voip.cfg &

The attacker attempts to run allcfgconv, an executable shipped with Fritz!Box and documented at http://www.wehavemorefun.de/fritzbox/Allcfgconv. The flags used instruct it to extract the VoIP passwords in plain text and save them to /var/tmp/voip.cfg. Although we did not observe it, we suspect that, if the command succeeded, the attacker would then fetch that file.

Use a Web Application Firewall (WAF)

As the honeypot alert shows, a WAF can help block zero-day exploits such as this one by generically identifying attack payloads that contain:

  • OS Command Injections
  • Directory Traversal

Trustwave WAF and ModSecurity can both identify and block these types of attacks.
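To illustrate the generic detection described above, here is a small Python checker (an added example, not code from the original post or from either WAF product) that URL-decodes a request URI and flags directory traversal and OS command injection. The sample URIs, the regular expressions and the decoding limit are assumptions; the second sample is the URL-encoded form of the allcfgconv payload shown earlier, and the third shows why decoding must be repeated.

```python
import re
from urllib.parse import unquote_plus

# Generic patterns of the kind a WAF matches against *decoded* request data:
# a parent-directory step, and a shell metacharacter followed by something
# that looks like a command with a flag or path argument.
TRAVERSAL = re.compile(r"\.\.[/\\]")
CMD_INJECTION = re.compile(r"[;&|`]\s*[A-Za-z_][\w./-]*\s+(?:-{1,2}[\w-]+|/[\w./-]*|\.\.)")


def normalise(raw: str, max_passes: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so a
    double-encoded payload cannot slip past a single-decode check."""
    cur = raw
    for _ in range(max_passes):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(uri: str, max_passes: int = 3) -> list[str]:
    """Return the attack classes found in a request URI, empty if none."""
    decoded = normalise(uri, max_passes)
    hits = []
    if TRAVERSAL.search(decoded):
        hits.append("directory-traversal")
    if CMD_INJECTION.search(decoded):
        hits.append("os-command-injection")
    return hits


# Constructed sample request URIs (not honeypot captures). The second is the
# URL-encoded form of the allcfgconv payload discussed above.
SAMPLE_REQUESTS = {
    "benign": "/index.html?lang=en&page=2",
    "fritzbox_rce": ("//cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang="
                     "%26%20allcfgconv%20-C%20voip%20-c%20-o%20-%20"
                     "../../../../../var/tmp/voip.cfg%20%26"),
    # Double-encoded attempt to read the dumped file: "%25" decodes to "%".
    "double_encoded_fetch": "/cgi-bin/webcm?getpage=%252e%252e%252f%252e%252e%252fvar%252ftmp%252fvoip.cfg",
}


def scan(requests: dict[str, str], max_passes: int = 3) -> dict[str, list[str]]:
    """Classify every sample URI; the result is what a WAF rule set would act on."""
    return {name: classify(uri, max_passes) for name, uri in requests.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{name:22} -> {hits or ['clean']}")
```

With `max_passes=1` the double-encoded sample is reported clean, which is why ModSecurity-style rule sets decode repeatedly before matching.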
