Information leakage found in FRITZ!OS 6.83 & 6.80 (AVM DSL Router Fritz!Box 7490) [DTC-A-20170323-001]

                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="35"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#36">By Date</a>
<a href="37"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="35"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#36">By Thread</a>
<a href="37"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Information leakage found in FRITZ!OS 6.83 &amp; 6.80 (AVM DSL Router Fritz!Box 7490) [DTC-A-20170323-001]</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: &lt;CERT () telekom de&gt;


<em>Date</em>: Thu, 17 Oct 2019 07:20:04 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Deutsche Telekom CERT Advisory [DTC-A-20170323-001]

 

Summary:

CVE-2017-8087: Information leakage found in FRITZ!OS 6.83 &amp; 6.80 (AVM DSL
Router Fritz!Box 7490)

 

Recommendation:

Update to the newest Version of FRITZ!OS

 

Details:

a) application

b) problem

c) CVSS

d) detailed description

e) credits

 

----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------

 

a) FRITZ!OS 6.83 &amp; 6.80 (AVM DSL Router Fritz!Box 7490)

 

b) Memory leakage within the PPPoE/PPP padding 

 

c) 4.7 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/RL:U

 

d)  

Multiple DSL access router (aka Homegateway / CPE) handle PPPoE frame
padding incorrectly.

Instead of padding frames with zeroes, frames are padded with random memory,
allowing an attacker (with physical access to wire between PPPoE endpoints)
to view slices of previously transmitted packets or portions of kernel
memory.

This seems to be similar to
<a rel="nofollow" href="http://www.securiteam.com/securitynews/5BP01208UO.html">http://www.securiteam.com/securitynews/5BP01208UO.html</a>.

 

AVM DSL Router Fritz!Box 7490 (tested with FRITZ!OS 6.83 &amp; 6.80) sends
portion of memory within PPPoE Discovery protocol PADT frames because
arbitrary memory is used in the padding to reach the minimum Ethernet frame
length.

 

Further research shows that “short” PPP LCP frames are also padded with
random memory.

 

e) Christian Kagerhuber 

 

Mit freundlichen Grüßen / Kind regards, 

Deutsche Telekom CERT

 

T-SYSTEMS INTERNATIONAL GMBH

Telekom Security

Cyber Defense Reponse

E-Mail:  &lt;<a rel="nofollow" href="mailto:cert">mailto:cert</a> () telekom de&gt; cert () telekom de

PGP:
&lt;<a rel="nofollow" href="https://www.telekom.com/de/verantwortung/datenschutz-und-datensicherheit/si">https://www.telekom.com/de/verantwortung/datenschutz-und-datensicherheit/si</a>
cherheit/sicherheit/rfc-2350-deutsche-telekom-cert-342710&gt; 0xA8FF58B4

 

You can find the compulsory statement on:
&lt;<a rel="nofollow" href="http://www.t-systems.com/compulsory-statement">http://www.t-systems.com/compulsory-statement</a>&gt;
www.t-systems.com/compulsory-statement

 

</pre><p><strong>Attachment:
<a href="att-36/smime_p7s.bin"><tt>smime.p7s</tt></a></strong>

<em>Description:</em> </p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="35"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#36">By Date</a>
<a href="37"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="35"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#36">By Thread</a>
<a href="37"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Information leakage found in FRITZ!OS 6.83 &amp; 6.80 (AVM DSL Router Fritz!Box 7490) [DTC-A-20170323-001]</strong> <em>CERT (Oct 18)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>