  EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
3 edits | reply to swhx7 Re: UPnP strikes again
said by article :
Aside from adding a port mapping other actions can be performed on an Internet Gateway Device, including deleting port mappings. Deleting existing port mappings can disrupt the correct working of programs.
The focus in Armijn's paper is on the Internet Gateway Device profile in general and the WANIPConnection and WANPPPConnection profiles in particular. But there are probably a lot of other opportunities which he didn't test. Hacks he could think about to create chaos are:
- shutting down routers by using the LANHostConfigManagement subprofile
- injecting false DNS-records by using the LANHostConfigManagement subprofile
- abuse HVAC controls with UPnP
- remotely control IP cameras, of which some seem to be using the UPnP AV profile
More detail here.
2006 paper by Armijn Hamel here.
said by paper :
With the current UPnP protocol there is an implicit trust relationship between all UPnP capable devices on the same network. Every device is a peer and there is no policy mechanism in place to check whether or not a device is allowed to make use of a specific service.
This characteristic alone makes it clear to me what the risks are for me and my customers. In keeping with a least privilege/least function security philosophy, none of my or my customers' routers or other devices have things like UPnP, SNMP, RIP or other functions not needed for use. Even my hoary old FVS318 router has UPnP capability - disabled of course.
EDIT - I do have some devices with SNMP enabled, but the community strings are long and complex like router logins. UPnP is a security brain f4rt.
-- BBR's Shooting for a Cause!
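An added example, not code from this thread, from GNUCitizen or from Armijn's paper: a small audit of what an IGD router currently has mapped, in the spirit of the least-function approach above. It parses the SOAP reply a WANIPConnection GetGenericPortMappingEntry call returns and flags any mapping that is not in an allowlist the administrator maintains. The router reply is a constructed sample, the allowlist is a hypothetical local policy, and fetching the replies from a real router (SSDP discovery and the SOAP POST) is left outside the block.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply for GetGenericPortMappingEntry (not captured from a
# real router): a mapping that exposes a LAN host's port 3389 to the Internet.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse
        xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>3389</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>3389</NewInternalPort>
      <NewInternalClient>192.168.1.23</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>flash</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>"""

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def parse_mapping(soap_xml):
    """Extract the argument values from one GetGenericPortMappingEntry reply."""
    resp = ET.fromstring(soap_xml).find(
        ".//{%s}GetGenericPortMappingEntryResponse" % WANIP_NS)
    if resp is None:
        raise ValueError("not a WANIPConnection GetGenericPortMappingEntry reply")
    # The argument elements carry no namespace, so plain tag names match them.
    return {name: (resp.findtext(name) or "").strip() for name in FIELDS}

def audit_mapping(mapping, allowlist):
    """Return a list of findings; empty means the mapping was expected.

    allowlist: set of (protocol, external_port, internal_client, internal_port)
    tuples the administrator configured on purpose (hypothetical local policy).
    """
    key = (mapping["NewProtocol"].upper(), int(mapping["NewExternalPort"]),
           mapping["NewInternalClient"], int(mapping["NewInternalPort"]))
    if key in allowlist:
        return []
    state = "active" if mapping["NewEnabled"] == "1" else "disabled"
    return ["%s mapping %s/%d -> %s:%d not in allowlist (description %r)"
            % ((state,) + key + (mapping["NewPortMappingDescription"],))]
```

To walk a real router's table, call GetGenericPortMappingEntry with NewPortMappingIndex 0, 1, 2, ... until the device returns a SOAP fault, feeding each reply through the two functions.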
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to toadlife
said by toadlife :
said by Lanik :
said by Mele20 :
I'd say Microsoft has some fixing to do.
Fixing? Scrap it and re-write is what I think they should do. UPnP has more security holes than Swiss cheese.
There is really no "Fixing" UPnP. The point of UPnP is to make it so users don't have to configure their routers. If you rewrite it to have security/authentication built in then users would have to configure their routers!
What I meant was that FolderShare won't work if UPnP is not enabled on an approved router. Port forwarding I don't think is a workable substitute like what procto says about Xbox Live. But I'm not sure as I no longer have FolderShare. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason
  procto
join:2004-10-02 Jasper, AL
reply to swhx7 I have re-enabled UPnP again on my router because Xbox Live does not work the same without it. Tried port forwarding and giving it a DHCP reservation on my router.
Don't play any computer games, only some Xbox Live.
  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
reply to Millenniumle
said by Millenniumle :
The fourth seems to be the issue. Perhaps a more universally effective hack would be to alter DNS. All network traffic gets sent to a code injected front end to a popular site like Google. Malware site injects vulnerability if vulnerability exists then redirects to a real Google server via IP, bypassing the DNS.
That looks slightly more feasible than infecting a host on the LAN, but it still seems like a lot of trouble to go to when there is no guarantee that your target will have all the needed variables in place. I wonder what percentage of home routers even have the ability to forward traffic outside.
  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
reply to Lanik
said by Lanik :
said by Mele20 :
I'd say Microsoft has some fixing to do.
Fixing? Scrap it and re-write is what I think they should do. UPnP has more security holes than Swiss cheese.
There is really no "Fixing" UPnP. The point of UPnP is to make it so users don't have to configure their routers. If you rewrite it to have security/authentication built in then users would have to configure their routers!
tempnexus Premium join:1999-08-11 Boston, MA
reply to toadlife WOW, where can I get that big_b00bies.exe ?!?!??! That looks tempting, I wonder how big is big.
  Lanik Lab-nik Premium,ExMod 2002-03 join:2001-06-25 Bay Area
reply to Mele20
said by Mele20 :
I'd say Microsoft has some fixing to do.
Fixing? Scrap it and re-write is what I think they should do. UPnP has more security holes than Swiss cheese. -- "If it ain't broke don't fix it."
  Millenniumle
join:2007-11-11 Fredonia, NY
reply to toadlife The first three are common. Flash updates are prompted at many websites, keeping most pretty up to date. UPnP is enabled by default in most routers. Many of the most common consumer routers are 192.168.(0 or 1).1.
The fourth seems to be the issue. Perhaps a more universally effective hack would be to alter DNS. All network traffic gets sent to a code injected front end to a popular site like Google. Malware site injects vulnerability if vulnerability exists then redirects to a real Google server via IP, bypassing the DNS.
  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
reply to swhx7
said by swhx7 :
...Anyone who uses Flash should turn off UPnP in their router, if they haven't already.
I disagree with that.
Being able to forward a port on a remote router is cool, it does not automatically mean entry to any of the systems that are behind that router.
Actually using this "feature" of flash and UpNP to gain access to a system would require so many variables to be in place, that the practicality of using it seems almost nil.
To use this in an attack, you would need...
1) Correct version of flash installed
2) Internal router with UPnP
3) To know the IP address of the internal router (running a flood on common addresses would work I guess)
4) To know which hosts on the local network have vulnerable services listening, and what those services are.
If any one of the links in the chain fails, the whole attack scenario fails.
Why go to all the trouble, when you could just send out 100,000 emails with a trojan attachment named big_b00bies.exe? -- Cufk, Tish, Sips
  TwKs
join:2007-04-29
reply to swhx7 I have UPnP disabled in my router and on my Windows installs - I personally have no use for it and it's too big a security issue to have it enabled.
  NoUPNP
@cox.net
reply to Millenniumle
said by Millenniumle :
My Vonage router works fine behind another router that has UPnP disabled.
Same for my AT&T CallVantage router. In fact my router does not have UPnP on it at all. It isn't hard to do the application (VoIP in this case) correctly and not require UPnP or other security breaking hacks.
 Jomsviking
join:2007-12-28
reply to ModemHead ModemHead: Thanks for clearing that up.
So, if someone knows (or can set up) a - trusted - webpage where an example of such coding is embedded, let us know.
Mele20, I understand what you mean about the FolderShare problems. Many people in the security/computer business lose track of reality and start thinking that everyone is a computer/security freak and can easily deal with these problems. Some do of course realize that it's not so in the real world, but they just don't care. This has been Microsoft's stance many times. The fact is, manual port forwarding is not a trivial issue for most (meaning almost all) people, whether we like it or not, and that is not going to change in the near future. So, instead of just thinking that everyone will disable UPnP and move on happily with manual port forwarding for their IMs and torrents, measures should be taken to prevent this exploit from affecting UPnP until authentication measures are deployed.
  Millenniumle
join:2007-11-11 Fredonia, NY
reply to Jomsviking My Vonage router works fine behind another router that has UPnP disabled. Nothing needed to be set up. Just plug it in and go. Perhaps Vonage equipment checks the system for calls rather than relying on a notification of a call from the system.
  ModemHead hmmm... what does this do? Premium join:2006-01-22 Apex, NC
reply to Jomsviking The proof-of-concept at this page is simply a sample piece of code and is not a "click-to-test" kind of thing. To prove the concept you would have to download the code, compile it with Adobe Flex and build a page with an embedded Flash object.
Grail Knight Who Dares Wins Premium join:2003-05-31
reply to Jomsviking
1. Has been disabled since Day 1
2. Already done with NoScript
Same results as Lanik. Text code only.
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to Lanik I'd say Microsoft has some fixing to do. They heavily promote using UPnP for FolderShare. I would daresay that the majority of users currently using FolderShare would have no idea how to use it if they turned off UPnP. Microsoft has detailed instructions on exactly which routers are able to have UPnP enabled on them and which routers cannot have it enabled and they give step by step how to set up FolderShare with enabling UPnP on routers that allow that. They show how to do it on each router. Are all these folks expected now to disable UPnP and know how to manually set up things in the router so they can continue using FolderShare? -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to Jomsviking What am I supposed to do with this?
import flash.net.*;
etc.
I guess that means Fx isn't vulnerable?
On my virtual machine, where I have Flash installed on IE6, this POC does NOT work. I just get a page of code like what I get on Fx. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason
  Lanik Lab-nik Premium,ExMod 2002-03 join:2001-06-25 Bay Area
reply to Jomsviking 1. I wouldn't agree entirely with you there. Yes, it's easy to enable UPnP and let it do all the work for you, but isn't that what got us here in the first place? Or one can properly secure their hardware and not have to worry about that. Obviously the non-tech savvy will have problems with that one. IMO self education and research goes a long way.
2. In IE you can block flash using IE7Pro: »www.ie7pro.com
The POC has no effect for me; all I'm seeing is just the code. No UPnP here and Fx with NoScript. -- "If it ain't broke don't fix it."
 Jomsviking
join:2007-12-28
reply to Mele20 #Let's discuss immediate solutions to the problem.
1- Disable UPnP on the router.
OK, but UPnP is very convenient regarding IM clients, some VOIP software, p2p clients, gaming consoles, online gaming etc... Most people are not network savvy and will not know how to fix static IPs and do manual port forwarding. Let's be realistic.
2- Block flash. (NoScript for Firefox, Opera policy, IE add-on (?))
Already said above that sites we deem as trusted may be hacked without us knowing, and that this UPnP hack may be doable with other web content soft like Java etc...
#So, I think it's important to ask: What can security software do? From what I seem to understand reading GNUCitizen's explanation, not much. But still, try your firewalls, HIPS and sandboxes on the POC which is located here:
»www.gnucitizen.org/blog/hacking-···nterwebs
and post your results.
PS- For those who want to know more about these "wonderful" flash features that are a vehicle for this UPnP problem, read:
»livedocs.adobe.com/flex/2/langre···ateToURL
 Mele20 Premium join:2001-06-05 Hilo, HI
reply to swhx7 Your link to the front page news doesn't work and when I go directly to the front page, I can't find the article. The front page is so messy now that I never go there.
My router came with UPnP DISabled so I have no idea what is meant by remarks that routers come with it enabled. I never had it enabled until I tried Microsoft's Live Folder (or whatever they call it) last summer and I had to enable UPnP. Doing that locked me out of my router's interface due to a bug in this Linksys router. The only way to get into the interface is to do a factory reset and then find the beta firmware I must use and then flash it again. That is so much trouble that I have just left it with my being unable to access the router. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason