UPnP strikes again in Security

UPnP strikes again in Security http://www.dslreports.com/forum/r19804960 en Wed, 10 Feb 2010 10:14:00 EDT Wed, 10 Feb 2010 10:14:00 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19824280 EGeezer :

said by article :

Aside from adding a port mapping other actions can be performed on an Internet Gateway Device, including deleting port mappings. Deleting existing portmappings can disrupt the correct working of programs.

The focus in Armijn’s paper is on the Internet Gateway Device profile in general and the WANIPConnection and WANPPPConnection profiles in particular. But there are probably a lot of other opportunities which he didn’t test. Hacks he could think about to create chaos are:

- shutting down routers by using the LANHostConfigManagement subprofile

- injecting false DNS-records by using the LANHostConfigManagement subprofile

- abuse HVAC controls with UPnP

- remotely control IP cameras, of which some seem to be using the UPnP AV profile

More detail here.

2006 paper by Armijn Hamel here.

said by paper :

With the current UPnP protocol there is an implicit trust relationship between all UPnP capable devices on the same network. Every device is a peer and there is no policy mechanism in place to check whether or not a device is allowed to make use of a specic service.

This characteristic alone makes it clear to me what the risks are for me and my customers. In keeping with a least privilege/least function security philosophy, None of my or my customers' routers or other devices have things like UpnP, SNMP, RIP or other functions not needed for use. Even my hoary old FVS318 router has UpnP capability - disabled of course.

EDIT - I do have some devices with SNMP enabled, but the community strings are long and complex like router logins. UPnP is a security brain f4rt.

--
BBR's Shooting for a Cause!]]> http://www.dslreports.com/forum/remark,19824280 Thu, 17 Jan 2008 22:57:05 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19823820 Mele20 :

said by toadlife

said by Lanik

said by Mele20

:

I'd say Microsoft has some fixing to do.

Fixing? Scrap it and re-write is what I think they should do. UPnP has more security holes then Swiss cheese.

What I meant was that FolderShare won't work if UPnP is not enabled on an approved router. Port forwarding I don't think is workable substitute like what procto says about Xbox Live. But I'm not sure as I no longer have FolderShare.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason]]> http://www.dslreports.com/forum/remark,19823820 Thu, 17 Jan 2008 21:49:03 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19819273 procto : I have renabled UpNP again on my router because Xbox Live does not work the same without it tried port forwarding and giving it a DHCP reservation on my router.

Don't play any computer games only some xbox live.

]]> http://www.dslreports.com/forum/remark,19819273 Thu, 17 Jan 2008 10:54:24 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19815529 toadlife :

said by Millenniumle

:

The forth seems to be the issue. Perhaps a more universally effective hack would be to alter DNS. All network traffic gets sent to a code injected front end to a popular site like Google. Malware site injects vulnerability if vulnerabilty exists then redirects to a real Google server via IP, bypassing the DNS.

That looks slightly more feasible that infecting a host on the LAN, but it still seems like a lot of trouble to go to when there is no guarantee that your target with have all the needed variables in place. I wonder what percentage of home routers even have the ability to forward traffic outside.]]> http://www.dslreports.com/forum/remark,19815529 Wed, 16 Jan 2008 19:04:25 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19815466 toadlife :

said by Lanik

said by Mele20

:

I'd say Microsoft has some fixing to do.

Fixing? Scrap it and re-write is what I think they should do. UPnP has more security holes then Swiss cheese.

There is really no "Fixing" UPnP. The point of UPnP is to make it so users don't have to configure their routers. If you rewrite it to have security/authetication built in then users would have to configure their routers!]]> http://www.dslreports.com/forum/remark,19815466 Wed, 16 Jan 2008 18:53:48 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19815181 tempnexus : WOW, where can I get that big_b00bies.exe ?!?!??!
That looks tempting, I wonder how big is big.]]> http://www.dslreports.com/forum/remark,19815181 Wed, 16 Jan 2008 18:04:52 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19814486 Lanik :

said by Mele20

:

I'd say Microsoft has some fixing to do.

Fixing? Scrap it and re-write is what I think they should do. UPnP has more security holes then Swiss cheese.
--
"If it ain't broke don't fix it."]]> http://www.dslreports.com/forum/remark,19814486 Wed, 16 Jan 2008 16:15:49 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19813975 Millenniumle : The first three are common. Flash updates are promted at many websites, keeping most pretty up to date. UPnP is enabled by default in most routers. Many of the most common consumer routers are 192.168.(0 or 1).1.

The forth seems to be the issue. Perhaps a more universally effective hack would be to alter DNS. All network traffic gets sent to a code injected front end to a popular site like Google. Malware site injects vulnerability if vulnerabilty exists then redirects to a real Google server via IP, bypassing the DNS. ]]> http://www.dslreports.com/forum/remark,19813975 Wed, 16 Jan 2008 15:05:08 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19813682 toadlife :

said by swhx7

:

...Anyone who uses Flash should turn off UPnP in their router, if they haven't already.

I disagree with that.

Being able to forward a port on a remote router is cool, it does not automatically mean entry to any of the systems that are behind that router.

Actually using this "feature" of flash and UpNP to gain access to a system would require so many variables to be in place, that the practicality of using it seems almost nil.

To use this in an attack, you would need...

1) Correct version of flash installed
2) Internal router with UPnP
3) To know the IP address of the internal router (running a flood on common addresses would work I guess)
4) To know which hosts on the local network have vulnerable services listening, and what those services are.

If any one of the links in the chain fails, the whole attack scenario fails.

Why go to all the trouble, when you could just send out 100,000 emails with an tojan attachment named big_b00bies.exe?
--
Cufk, Tish, Sips]]> http://www.dslreports.com/forum/remark,19813682 Wed, 16 Jan 2008 14:21:54 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19813488 TwKs : I have UPnP disabled in my router and on my Windows installs- I personally have no use for it and its too big a security issue to have it enabled. ]]> http://www.dslreports.com/forum/remark,19813488 Wed, 16 Jan 2008 13:52:49 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19813292 anon :

quote:
My Vonage router works fine behind another router that has UPnP disabled.

Same for my AT&T CallVantage router. In fact my router does not have uPnP on it at all. It isn't hard to do the application (VoIP in this case) correctly and not require uPnP or other security breaking hacks.]]> http://www.dslreports.com/forum/remark,19813292 Wed, 16 Jan 2008 13:22:23 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19813089 Jomsviking : ModemHead: Thanks for clearing that up.

So, if someone knows (or can setup) a - trusted - webpage where an example of such coding is embedded, let us know.

Mele20, I understand what you mean about the FolderShare problems. Many people in the security/computer business lose track of reality and start thinking that everyone is a computer/security freak and can easily deal with these problems. Some do of course realize that it's not so in the real world, but they just don't care. This has been microsoft's stance many times.
The fact is, manual port forwarding is not a trivial issue for most (meaning almost all) people, whether we like it or not, and that is not going to change in the near future.
So, instead of just thinking that everyone will disable UPnP and move on happily with manual port forwarding for their IMs and torrents, measures should be taken to prevent this exploit from affecting UPnP until authentication measures are deployed.

]]> http://www.dslreports.com/forum/remark,19813089 Wed, 16 Jan 2008 12:56:09 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19812166 Millenniumle : My Vonage router works fine behind another router that has UPnP disabled. Nothing needed to be setup. Just plug it in and go. Perhaps Vonage equipment checks the system for calls rather than relying on a notification of a call from the system.]]> http://www.dslreports.com/forum/remark,19812166 Wed, 16 Jan 2008 10:29:58 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19811953 ModemHead :

said by Jomsviking

:

... But still, try your firewalls, HIPS and Sandboxes on the POC which is located here:

»www.gnucitizen.org/blog/hacking-···nterwebs

and post your results.

The proof-of-concept at this page is simply a sample piece of code and is not a "click-to-test" kind of thing. To prove the concept you would have to download the code, compile it with Adobe Flex and build a page with an embedded Flash object.]]> http://www.dslreports.com/forum/remark,19811953 Wed, 16 Jan 2008 09:49:44 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19811857 Grail Knight : 1. Has been disabled since Day 1

2. Already done with Noscript

Same results as Lanik.
Text code only.]]> http://www.dslreports.com/forum/remark,19811857 Wed, 16 Jan 2008 09:33:27 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19811717 Mele20 : I'd say Microsoft has some fixing to do. They heavily promote using UPnP for FolderShare. I would daresay that the majority of users currently using FolderShare would have no idea how to use it if they turned off UPnP. Microsoft has detailed instructions on exactly which routers are able to have UPnP enabled on them and which routers cannot have it enabled and they give step by step how to set up FolderShare with enabling UPnP on routers that allow that. They show how to do it on each router. Are all these folks expected now to disable UPnP and know how to manually set up things in the router so they can continue using FolderShare?
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason]]> http://www.dslreports.com/forum/remark,19811717 Wed, 16 Jan 2008 09:04:16 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19811701 Mele20 : What am I supposed to do with this?

import flash.net.*;

etc.

I guess that means Fx isn't vulnerable?

On my virtual machine, where I have Flash installed on IE6, this POC does NOT work. I just get a page of code like what I get on Fx.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason]]> http://www.dslreports.com/forum/remark,19811701 Wed, 16 Jan 2008 08:59:18 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19811456 Lanik : 1. I wouldn't agree entirely with you there. Yes its easy to enable UPnP and let it do all the work for you, isn't that what got us here in the first place? Or one can properly secure their hardware and not have to worry about that. Obviously the non-tech savvy will have problems with that one. IMO self education and research goes a long way.

2. In IE you can block flash using IE7Pro: »www.ie7pro.com

The POC has no effect for me all I'm seeing is just the code. No UPnP here and Fx with NoScript. ;)
--
"If it ain't broke don't fix it."]]> http://www.dslreports.com/forum/remark,19811456 Wed, 16 Jan 2008 07:56:52 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19811433 Jomsviking : #Let's discuss immediate solutions to the problem.

1- Disable UPnP on the router.

OK, but UPnP is very convenient regarding IM clients, some VOIP software, p2p clients, gaming consoles, online gaming etc... Most people are not network savvy and will not know how to fix static IPs and do manual port forwarding. Let's be realistic.

2- Block flash. (NoScript for Firefox, Opera policy, IE add-on (?))

Already said above that sites we deem as trusted may be hacked without us knowing, and that this UPnP hack may be doable with other web content soft like Java etc...

#So, I think it's important to ask: What can security software do ? From what I seem to understand reading GNUCitizen's explanation, not much. But still, try your firewalls, HIPS and Sandboxes on the POC which is located here:

»www.gnucitizen.org/blog/hacking-···nterwebs

and post your results.

PS- For those who want to know more about these "wonderful" flash features that are a vehicle for this UPnP problem, read:

»livedocs.adobe.com/flex/2/langre···ateToURL

]]> http://www.dslreports.com/forum/remark,19811433 Wed, 16 Jan 2008 07:48:39 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19809196 Mele20 : Your link to the front page news doesn't work and when I go directly to the front page, I can't find the article. The front page is so messy now that I never go there.

My router came with UPnP DISabled so I have no idea what is meant by remarks that routers come with it enabled. I never had it enabled until I tried Microsoft's Live Folder (or whatever they call it) last summer and I had to enable UPnP. Doing that locked me out of my router's interface due to a bug in this Linksy router. The only way to get into the interface is to do a factory reset and then find the beta firmware I must use and then flash it again. That is so much trouble that I have just left it with my being unable to access the router.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason]]> http://www.dslreports.com/forum/remark,19809196 Tue, 15 Jan 2008 20:53:19 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19808711 anon : Does having a software firewall mitigate any of this?]]> http://www.dslreports.com/forum/remark,19808711 Tue, 15 Jan 2008 19:42:41 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19808464 Jomsviking : Due to the many questions and wrong interpretations of their discoveries, GNUCitizen has added an FAQ about this topic:

»www.gnucitizen.org/blog/flash-up···tack-faq

Interesting to note that Petkov himself, in the discussion following the FAQ, states:

"Many of you say that it is ok to turn UPnP off. Well, I am not sure about that. As a security guy I recommend turning UPnP off. Though, I can clearly see how this can turn into a problem. People does use it. Go explain to our grandma how to add a portforward through the admin interface so that she is secure when using whatever program she might have in mind. She would rather leave that decision to the computer, I guess. So let’s not be ignorant."

UPnP takes a blow, that is for sure, but most people won't even know about this problem. And even for those who know, fixing a static IP and doing port forwarding manually may be difficult and pose a number of problems. Instant Messaging/VOIP functionality going to hell, for example.

[Skype does NAT-traversality, but not specifically through an UPnP implementation, so it will, in principle, still work if you disable UPnP in your router]

Those who think that they can disable flash (ex: use of the NoScript add-on for Firefox) and keep UPnP on will have two problems at least:
- this hack might prove doable with Java or other web technologies. Just a matter of time, probably.
- Even if we block flash by default, we always have to allow it sometime in some sites we see as trusted; but those sites can be compromised without our knowledge and then...
And more and more sites are requiring this [crap] dynamical content to be displayed in order to function properly.

Either coders of web content plattforms start becoming security conscious [no way in hell that will happen] or UPnP implementation is changed to provide strong authentication measures, which will not be happening anytime soon....

So meanwhile we have a problem in our hands of convenience x security, which is not necessarily trivial.]]> http://www.dslreports.com/forum/remark,19808464 Tue, 15 Jan 2008 19:00:42 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19807902 swhx7 : Port forwarding is fine as long as you do it deliberately. If you want a particular service to accept incoming connections, forward its port to whichever computer is running the service.

UPnP is intended to save users the trouble of doing this, or save vendors the trouble of explaining to non-technical users how to do it. That way they can use VOIP, for example, very easily.

Unfortunately UPnP has been a locus of security problems both in Windows (which has a UPnP service) and on routers. If you are knowledgable enough to be reading this, you can turn it off and use port forwarding instead.]]> http://www.dslreports.com/forum/remark,19807902 Tue, 15 Jan 2008 17:44:43 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19807117 procto : thanx will do what about port forwarding security issues?

regards procto]]> http://www.dslreports.com/forum/remark,19807117 Tue, 15 Jan 2008 16:02:35 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19806169 Cabal :

said by procto

:

what do I need to do to tighten up security on my router

Turn off UPnP, period. A network with UPnP enabled can be blown wide open with the scripting language of your choice. It has zero authentication, it allows in arbitrary ports, and many implementations even allow port forwarding to machines outside the LAN.
--
Interested in open source engine management for your Subaru?]]> http://www.dslreports.com/forum/remark,19806169 Tue, 15 Jan 2008 14:06:04 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19806019 procto : I have changed my password
turned off remote assistance
UpNP is on this router but in previous routers were turned off but for Xbox Live UpNP works well

what do I need to do to tighten up security on my router]]> http://www.dslreports.com/forum/remark,19806019 Tue, 15 Jan 2008 13:44:32 EDT Re: UPnP strikes again http://www.dslreports.com/forum/remark,19805012 Woody79_00 : i have had upnp turned off on my router since i bought it

i knew it was a security risk then. ]]> http://www.dslreports.com/forum/remark,19805012 Tue, 15 Jan 2008 11:28:30 EDT UPnP strikes again http://www.dslreports.com/forum/remark,19804960 swhx7 : From the news yesterday, and DSLR front page today: "Security flaw found in most routers". Basically, a malicious Flash file can make arbitrary requests with SOAP headers set - and this can open ports into a local service.

The full explanation is here: »www.gnucitizen.org/blog/hacking-···nterwebs

This is standard AJAX behavior plus the capability of Flash to set headers as well as do POSTs, and UPnP which is on by default in most routers.

Anyone who uses Flash should turn off UPnP in their router, if they haven't already.]]> http://www.dslreports.com/forum/remark,19804960 Tue, 15 Jan 2008 11:21:19 EDT