MrFixit1

join:1999-11-26
Madison, WI
reply to TamaraB

Re: Security Flaws in Universal Plug-n-Play: Unplug, Don't Play

You can use »netalyzr.icsi.berkeley.edu/ to at least test for UPnP access from the WAN side.
It will be near the top of the results listing; you may have to hit + to get full details.



TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless

1 recommendation

said by MrFixit1:

You can use »netalyzr.icsi.berkeley.edu/ to at least test for UPnP access from the WAN side.
It will be near the top of the results listing; you may have to hit + to get full details.

Thanks. That's the first reasonable tool I've seen to test for this UPnP flaw. Now I have to temporarily enable Java to use it. Java, that other full-of-holes disaster area.

--
"Remember, remember the fifth of November.
Gunpowder, Treason and Plot.
I see no reason why Gunpowder Treason
Should ever be forgot."

"People should not be afraid of their governments. Governments should be afraid of their people"



norwegian
Premium
join:2005-02-15
Outback

1 recommendation

reply to TamaraB

said by TamaraB:

said by norwegian:

To be quite honest I didn't run the tool. Why would you download, install or run a program? It basically voids any test. If it was a web-based probe I would understand, but installing it internal to the network defeats the test, unless I miss something here?

No, you didn't miss anything. The only way to know for sure if your router's UPnP implementation is accessible from the Internet is to probe it from the Internet.

I did miss a little after seeing the tool when the link above was a download tool.

If you are accessing the internet from your home network, we now offer an alternative to ScanNow and Metasploit. The Rapid7 UPnP Check is a one-click security scan for broadband and mobile users. If you are concerned about the security of your non-technical friends and family, this is a quick way for them to check their home router for UPnP vulnerabilities. The main difference between this service and ScanNow is that the UPnP Check will run a scan from the internet and can only check the external interface of your router.

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to Bill_MI

said by Bill_MI:

said by NOYB:

Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

Steve Gibson has announced he'll be adding a Shields Up scan and hopes to have it up by this weekend at »grc.com.

Steve often gets tagged as "alarmist" but may be justified in this case. He and Leo covered it rather well in today's Security Now: »twit.tv/show/security-now/389

This thing is a multi-level fiasco. Vendors are using old code that was fixed, simplified sample code that never should be used and, to top it off... it's exposed to the world by some kind of pure incompetence or neglect.

You have to blame MS for this.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
kudos:18
reply to Juggernaut

said by Juggernaut:

UPnP has been disabled for years in services.msc. I've never had a problem with a device failing to work.

Of course not, as you are confusing hardware PnP (Plug and Play) with UPnP (Universal Plug and Play), and they are two completely different services.

»www.pcmag.com/encyclopedia_term/···4,00.asp
quote:
UPnP

(Universal Plug and Play) A family of protocols from the UPnP Forum (www.upnp.org) for automatically configuring devices, discovering services and providing peer-to-peer data transfer over an IP network. Introduced in 1999, UPnP is not PnP (Plug and Play). They are related in concept only, as they both provide automatic configuration (see Plug and Play).
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?


TamaraB
Question The Current Paradigm
Premium
join:2000-11-08
Da Bronx
Reviews:
·Optimum Online
·Clearwire Wireless
reply to norwegian

said by norwegian:

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.

Not for me either. There is no Mac version. Glad to see it can test from the Internet though. If GRC adds an Internet test for this it would be great.


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI

1 edit

said by TamaraB:

said by norwegian:

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.

Not for me either. There is no Mac version. Glad to see it can test from the Internet though. If GRC adds an Internet test for this it would be great.

Wouldn't work on iOS/Safari either. Cog just spins.

Wouldn't GRC Shields Up work for this? I thought the scan pinged port 1900 UPnP.


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

said by planet:

Wouldn't GRC Shields Up work for this? I thought the scan pinged port 1900 UPnP.

We need someone vulnerable to try it. To my knowledge, GRC only does TCP and this port is UDP, at least to start. I'm pretty sure Steve is isolating the scan out to be very specific and, if I know Steve, it might query for info (but maybe not, too).


norwegian
Premium
join:2005-02-15
Outback
reply to Cabal

Also, Windows Worms Doors Cleaner was a handy tool for XP. I'm not sure if gkweb would review it for further advancement for Win7 and Win8.

»www.portablefreeware.com/index.php?id=861


Wily_One
Premium
join:2002-11-24
San Jose, CA
Reviews:
·AT&T U-Verse
reply to planet

said by MrFixit1:

You can use »netalyzr.icsi.berkeley.edu/ to at least test for UPnP access from the WAN side.
It will be near the top of the results listing; you may have to hit + to get full details.

said by planet:

said by TamaraB:

said by norwegian:

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.

Not for me either. There is no Mac version. Glad to see it can test from the Internet though. If GRC adds an Internet test for this it would be great.

Wouldn't work on iOS/Safari either. Cog just spins.

Neither Netalyzr nor the Rapid7 net scans work, period. I tried them on Win7/IE9, WinXP/IE8 and WinXP/Firefox. On some it does nothing; on others the scan runs all the way through and continually repeats, never taking you to the Results.


planet

join:2001-11-05
Oz
kudos:1
Reviews:
·Cox HSI

The scan worked with FireFox on XP for me.


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

2 recommendations

reply to Cabal

The GRC Public Test is up

It's on the regular ShieldsUp! link here: »www.grc.com/default.htm

I'm SUPER GLAD to see Steve is seeing that the inability to directly link is really clumsy, so look for that to change soon.

There are bad assumptions about what it does, and right now the button is named "GRC's Instant UPnP Exposure Test". It's looking for the specific bad case when an internet connection responds to the UPnP query like a router would on the LAN. It does NOT detect if UPnP is on and working normally on the LAN, as it should only be. Exposure of this to the world (the WAN side) was never intended and represents a total botching of UPnP implemented on a device.

Anyone see a positive scan? It should reveal the uPnP details of the device that responds.

Last... Steve continues to tweak as we speak. So don't be surprised if it burps.
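
The check described in the post above, modelled offline as an added example (this is not the code behind GRC's, Rapid7's or Netalyzr's tests): build the standard SSDP M-SEARCH datagram that such a test sends to UDP port 1900 (the port and transport planet and Bill_MI mention earlier), parse whatever comes back, and flag the bad case of a public address answering the query the way a router answers on its LAN. The sample reply embedded in the block is constructed, not captured from any real device, and `probe_wan_address` is a hypothetical helper for checking your own public address from outside your network.

```python
"""Offline model of the UPnP exposure test discussed in this thread.

Added example, not the code behind GRC's, Rapid7's or Netalyzr's tests.
It builds the standard SSDP M-SEARCH datagram that such a test sends to
UDP/1900, parses whatever comes back, and flags the bad case of a public
address answering the query the way a router answers on its LAN.
The sample reply below is constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

SSDP_PORT = 1900

# Standard SSDP discovery request (UPnP Device Architecture 1.0).
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
).encode("ascii")


def parse_ssdp_response(datagram: bytes) -> dict:
    """Parse the HTTP-style header block of an SSDP reply.

    Returns a dict keyed by upper-cased header name, or {} when the
    datagram is empty or not an 'HTTP/1.1 200 OK' response."""
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return headers


def assess_exposure(reply: bytes) -> dict:
    """Classify one reply to an M-SEARCH sent to a *public* address.

    Any 200 OK reply means SSDP is reachable from the WAN side at all.
    A LOCATION header pointing at a private (RFC 1918) address is the
    tell-tale of a router answering the WAN query as it would on the
    LAN; SERVER/LOCATION/USN are the device details a positive scan
    reveals."""
    hdrs = parse_ssdp_response(reply)
    result = {
        "exposed": bool(hdrs),
        "lan_style_reply": False,
        "server": hdrs.get("SERVER"),
        "location": hdrs.get("LOCATION"),
        "usn": hdrs.get("USN"),
    }
    host = urlsplit(hdrs.get("LOCATION", "")).hostname
    try:
        result["lan_style_reply"] = ipaddress.ip_address(host).is_private
    except ValueError:          # no LOCATION, or a hostname rather than an IP
        pass
    return result


def probe_wan_address(address: str, timeout: float = 3.0) -> list:
    """Hypothetical helper: send one M-SEARCH to your own public address
    (run from outside your network) and return the assessed replies.
    Not called by the offline demo below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH, (address, SSDP_PORT))
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            replies.append(assess_exposure(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample reply: what a misconfigured router might send back
# on its WAN interface (not captured from any real device).
LAN_STYLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("exposed router   :", assess_exposure(LAN_STYLE_REPLY))
    print("silent (no reply):", assess_exposure(b""))
```

A silent address (no datagram back within the timeout) is the good result; a 200 OK with a private LOCATION is exactly the "responds like it would on the LAN" case, and a 200 OK with any other LOCATION still means SSDP is listening on the WAN side.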



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2

No probs on the scan, it's locked down.

edit-bad link.



Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

Um... not really. It's a time-sensitive link for your instance. See the gibberish on the end? A different gibberish is sent to everyone. This is what I'm hoping Steve will abolish for good.

EDIT: Ah! I see you removed it. I hope we'll have better links soon.



Wily_One
Premium
join:2002-11-24
San Jose, CA
Reviews:
·AT&T U-Verse

1 edit

1 recommendation

reply to Bill_MI

said by Bill_MI:

It's on the regular ShieldsUp! link here: »www.grc.com/default.htm

Thanks for that. That scan worked, no problem. And it works without requiring Java (itself known for being vulnerability-infested) so that's a big +1.


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2

Great! Notice there's more than one place to munge the IP.



Wily_One
Premium
join:2002-11-24
San Jose, CA

LOL - thanks.



Mangix

join:2012-02-16
united state

1 edit
reply to Cabal

Re: Security Flaws in Universal Plug-n-Play: Unplug, Don't Play

Let me try demystifying a couple of things since I didn't see them mentioned here:

Most of the issue surrounding this report deals with the fact that the firmware on some routers opens the UPnP port on the WAN side and as such makes it accessible by anyone.

While it's true that this is a rather big issue, the fact is that 99.9% of the routers being sold today do not do this. They only expose UPnP on the LAN side, which is where it should be.

There is also the issue of exploits that were shown in the report. The fact is, if UPnP is not exposed on the WAN side, you'd have to break into the LAN, which is easier said than done. But at that point, might as well be game over anyways. The security of modern routers at the LAN side is absolutely terrible and this will not improve anytime soon.

The best recommendation I have is if your router supports it, flash it to dd-wrt, tomato, openwrt, gargoyle, w/e. Any third party firmware should be safe. At least if it's a recent version anyways.

And while on the topic, tomato does provide some extra security in that regard. See: »dl.dropbox.com/u/102011983/Tomat···upnp.png

Secure Mode is enabled by default while UPnP is disabled by default.

Having UPnP disabled is rather inconvenient, while having it enabled does not lower security too much, especially given tomato's implementation (miniupnpd 1.6).



Wily_One
Premium
join:2002-11-24
San Jose, CA
Reviews:
·AT&T U-Verse

said by Mangix:

Most of the issue surrounding this report deals with the fact that the firmware on some routers opens the UPnP port on the WAN side and as such makes it accessible by anyone.

While it's true that this is a rather big issue, the fact is that 99.9% of the routers being sold today do not do this. They only expose UPnP on the LAN side, which is where it should be.

Good point, and exactly why the only test I was interested in was the external test.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Wily_One

I've used Netalyzr for many years on XP and now Win 8. On XP, I sometimes had problems with it not starting, but that is because it didn't like my old version of Java, which eventually would run only on IE6, and so both IE and Java were too old for it. It was fine once I finally updated Java.

On Win 8, it works fine on Fx 10 ESR, Opera 12 and IE 10. It is an excellent tool to analyze your network connection. It tells me some bad stuff about my connection that concerns me more than UPnP which I already knew about anyway.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Mangix

Gee, you must think everyone has new, or relatively new, routers to be telling them to flash them to WRT or something. My router will be 10 years old in October. It is vulnerable. Linksys has stated that all their older routers have the vulnerability. I don't want a new router because Linksys has been sold to Belkin (ugh) and I don't like Netgear, DLink, etc. I'll have to get a new router eventually whenever TWC finally turns on IPv6, and I am not looking forward to that day.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Mangix

join:2012-02-16
united state

dd-wrt has very wide hardware support. The original WRT54G is still supported by dd-wrt. Not sure what your router is though.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Yes, it does have wide support but ONLY for newer routers. A lot of people have OLD routers. I got mine in 2003. The Oceanic TWC foreman has a Linksy router that is 12 years old...my friends have 7-10 year old routers. NONE of them are new enough to run third party software. Plus, you can't run it until your warranty (2-3 years) is over unless the word warranty is meaningless to you.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Frodo

join:2006-05-05

1 edit

said by Mele20:

A lot of people have OLD routers.

You could try a workaround. Someone in this thread said that UPnP uses port 1900 UDP. So, one thing I would try is to port forward UDP 1900 in the router to a non-existent LAN IP, to some internal UDP port, say 65535, and run the test again to see if you're still vulnerable.

Not saying it is going to work, but that would be the kind of thing I would try. If Linksys didn't intend the UPnP to work from the WAN side, the port forward might be a way to bypass the vulnerability. Good luck.

edit: fix the side I was talking about

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

My problem is that I cannot access my router, for years now. There is a bad bug that Linksys didn't bother telling about until we users stumbled on it, and that was too late. I didn't insert the password TWICE on something...I have forgotten what exactly...that I was changing in the router interface, and because I only inserted the password once (logical thing to do) and was not told to insert it again...that caused the router to create a RANDOM password and lock me out. I found lots of Linksys router users with the same problem...no password suggested in Linksys forums would unlock the random password.

So, I had beta firmware from the Linksys Europe FTP server...never was offered in the USA because Linksys told me USA customers were too stupid to flash the beta firmware properly and too stupid to even understand they needed it. (Linksys customer service was awful even when the router was new.) Without the beta firmware, I can't use Ping Plotter Pro. I don't think I have a copy of the firmware on my old XP machine. So, I can't reset the router to factory default, as then I can't use Ping Plotter Pro. I have to have this beta firmware. Plus, I don't want to mess with an old router, resetting to factory default and then the various beta firmwares (this was the fifth beta firmware I installed). It might kill the router or definitely mess up my network, which has problems anyway and I don't need any more. Linksys was bad long before Cisco bought them. The Ping Plotter author and I both contacted them back then and they could care less...they didn't even suggest the beta firmware we found that allowed Ping Plotter to work with the router.

So, I can't turn off UPnP because I can't get into the router interface. I enabled it years ago for some Microsoft something that had to have it. Irony...huh?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



huh

@verizon.net
reply to Mele20

I have a ~10 year old Linksys WRT54G v2 that is still supported by OpenWrt, DD-WRT and Tomato.

These days a router that supports DD-WRT costs about $20. I would think in this case buying a new router would be better than keeping an old buggy one whose life has likely run its course. I mean, $20 over 10-12 years? That's $2 a year and you get 802.11n support too.



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS
reply to MrFixit1

said by MrFixit1:

You can use »netalyzr.icsi.berkeley.edu/ to at least test for UPnP access from the WAN side.
It will be near the top of the results listing; you may have to hit + to get full details.

You won't need to worry about upnp if you install JAVA!!

Berkeley have their head up their ass?

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Cabal

said by Bill_MI:

It's on the regular ShieldsUp! link here: »www.grc.com/default.htm

Quick test confirmed UPNP not open on my end... thanks be for that.

said by MrFixit1:

You can use »netalyzr.icsi.berkeley.edu/ to at least test for UPnP access from the WAN side.
It will be near the top of the results listing; you may have to hit + to get full details.

Netalyzr, while the output was interesting on a technical level, didn't show an option about UPnP... or am I missing something?
Someone able to screenshot their results for reference?

Going to be interesting to watch this one... bets on this being the biggest 2013 security brouhaha?

Regards

MrFixit1

join:1999-11-26
Madison, WI
reply to Cartel

Do not disagree with you, Sindows. The nice thing about Firefox is how easy it is to turn Java on and off. Since I normally run the test with only one instance of FF running, and then turn Java back off, I'm not too worried about it.


MrFixit1

join:1999-11-26
Madison, WI
reply to HELLFIRE

Didn't want to take the time to clean up a screen image; this is where to look.
Address-based Tests + –
NAT detection (?): NAT Detected +
Local Network Interfaces (?): OK +
DNS-based host information (?): OK +
NAT support for Universal Plug and Play (UPnP) (?): Not found +

Should add that since GRC has it running, use that one.