Our web honeypots picked up some exploit attempts for a remote command execution vulnerability in FRITZ!Box, a series of routers produced by AVM. This exploit targets router firmware issues, and we're seeing an increase in this type of activity.
Here are the PoC vulnerability details from Exploit-DB:
![8908_40d47238-bf55-4de0-bcc8-c10175bd9317](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/8908_40d47238-bf55-4de0-bcc8-c10175bd9317.webp?width=690&height=120&name=8908_40d47238-bf55-4de0-bcc8-c10175bd9317.webp)
Honeypot Attack Example
One of our web honeypot systems located in Boston, USA received an attack from a system in the Netherlands:
![10694_94ded7ac-d9c9-4c93-a0e8-750ddca0ff06](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/10694_94ded7ac-d9c9-4c93-a0e8-750ddca0ff06.webp?width=690&height=239&name=10694_94ded7ac-d9c9-4c93-a0e8-750ddca0ff06.webp)
Here is a screenshot from the ModSecurity audit log entry for the attack:
![10521_8da38919-f3f1-4c9f-9d6a-e22941e30835](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/10521_8da38919-f3f1-4c9f-9d6a-e22941e30835.webp?width=690&height=80&name=10521_8da38919-f3f1-4c9f-9d6a-e22941e30835.webp)
The yellow highlighted section shows the source IP, which belongs to a CentOS system known for producing spam. The green highlighted section is the payload of the attack.
Here is what the payload looks like once it is URL-decoded. The green highlighted section shows the command that will be executed:
```
//cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=& allcfgconv -C voip -c -o - ../../../../../var/tmp/voip.cfg &
```
The attacker attempts to run allcfgconv, an executable that ships with FRITZ!Box. The executable is documented at the following URL: http://www.wehavemorefun.de/fritzbox/Allcfgconv. The flags in use specify that the VoIP passwords should be extracted, in plain text, and saved to /var/tmp/voip.cfg. Although we did not observe it, it is suspected that, if the command succeeded, the attacker would then fetch the file in question.
Use a Web Application Firewall (WAF)
As the honeypot alert shows, using a WAF can help prevent zero-day exploits such as this one by generically identifying attack payloads that contain:
- OS Command Injections
- Directory Traversal
Trustwave WAF and ModSecurity can both identify and block these types of attacks.
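To illustrate the generic detection the post describes, here is an added example (not Trustwave WAF or ModSecurity code) of a small request inspector that URL-decodes a request line, including double-encoded input, and then looks for the two payload classes listed above: directory traversal sequences and shell separators followed by a command token. The request lines it scans are constructed for the example; the decoded FRITZ!Box payload is the one quoted in the post, re-encoded here the way a client would send it.

```python
"""Toy WAF-style inspector for OS command injection and directory traversal.

Added example, not Trustwave's or ModSecurity's code.  Sample request lines
are constructed; the FRITZ!Box payload is the one quoted in the post.
"""
import re
from urllib.parse import unquote_plus

# "../" or "..\" anywhere in the decoded URI.
TRAVERSAL = re.compile(r"\.\.(?:/|\\)")

# A shell separator followed by a command-like token.  A bare '&' followed by
# a name is just the next query parameter, so '&' only counts when whitespace
# follows it (as in "lang=& allcfgconv").  ';', '|', '||', '&&', backtick
# and '$(' count unconditionally.
COMMAND = re.compile(r"(?:;|\|\|?|&&|`|\$\(|&\s+)\s*(?P<cmd>[A-Za-z_./][\w./-]*)")

# Constructed sample traffic.  Entry 1 re-encodes the honeypot payload.
SAMPLE_REQUESTS = [
    "GET /index.html?lang=en&page=2 HTTP/1.1",
    "GET //cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26%20"
    "allcfgconv%20-C%20voip%20-c%20-o%20-%20../../../../../var/tmp/voip.cfg"
    "%20%26 HTTP/1.1",
    # Double-encoded traversal: %252e -> %2e -> '.'
    "GET /download?file=%252e%252e%252f%252e%252e%252fvar%252ftmp%252fvoip.cfg"
    " HTTP/1.1",
]


def normalize(uri, rounds=3):
    """URL-decode repeatedly (bounded) so single- or double-encoded payloads
    are inspected in their final form rather than in the form that evaded a
    single decoding pass."""
    for _ in range(rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def inspect_request(request_line):
    """Inspect one 'METHOD URI HTTP/x' request line and return findings."""
    parts = request_line.split(" ", 2)
    uri = parts[1] if len(parts) > 1 else request_line
    decoded = normalize(uri)
    traversal = TRAVERSAL.findall(decoded)
    commands = [m.group("cmd") for m in COMMAND.finditer(decoded)]
    return {
        "decoded": decoded,
        "traversal_count": len(traversal),
        "commands": commands,
        "block": bool(traversal or commands),
    }


def scan(request_lines):
    """Return (request_line, findings) pairs for every line scanned."""
    return [(line, inspect_request(line)) for line in request_lines]


if __name__ == "__main__":
    for line, result in scan(SAMPLE_REQUESTS):
        verdict = "BLOCK" if result["block"] else "allow"
        print(f"{verdict:5} traversal={result['traversal_count']} "
              f"commands={result['commands']}")
        print(f"      decoded: {result['decoded']}")
```

The honeypot payload is flagged on both counts (six `../` sequences and the `allcfgconv` token after `& `), the double-encoded request is caught only because decoding is repeated, and the ordinary `?lang=en&page=2` request passes. A production WAF such as ModSecurity applies the same idea with its transformation functions and rule sets rather than two hand-written patterns, but the order of operations, normalize first and then match, is what makes a generic rule catch a payload it has never seen before.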