Our web honeypots picked up some exploit attempts for a remote command execution vulnerability in FRITZ!Box, a series of routers produced by AVM. This exploit targets router firmware issues, and we're seeing an increase in this type of activity.
Here is PoC vulnerability details from Exploit-DB
Honeypot Attack Example
One of our web honeypot systems located in Boston, USA received an attack from a system in the Netherlands:
Here is a screenshot from the ModSecurity audit log entry for the attack:
The yellow highlighted section shows the source IP which is a CentOS system known for producing spam. The green highlighted section is the payload of the attack.
Here is what the payload looks like once it is url-decoded. The green highlighted section shows the command that will be executed.
//cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=& allcfgconv -C voip -c -o - ../../../../../var/tmp/voip.cfg &
The attacker attempts to run allcfgconv, which is an executable that is shipped with Fritz!Box. The executable is documented at the following URL: http://www.wehavemorefun.de/fritzbox/Allcfgconv. The particular flag in use specifies that the VoIP passwords should be extracted, in plain text, and saved to /var/tmp/voip.cfg. Although we did not see it, it is suspected that if successful the attacker would then fetch the file in question.
Use a Web Application Firewall (WAF)
As we showed from the honeypot alert, using a WAF can help to prevent zero-day exploits such as this one by generically identifying attack payloads that have:
- OS Command Injections
- Directory Traversal
Trustwave WAF and ModSecurity can both identify and block these types of attacks.