
koitsu

Re: [Security] UPNP vulnerability

For folks running TomatoUSB firmwares, I've done a brief write-up stating that present-day TomatoUSB is not impacted by this due to use of MiniUPnP 1.6:

»www.linksysinfo.org/index.php?th···t-221915

Folks who want to read the full details should read (not skim) the disclosure paper mentioned within my aforementioned link. The disclosure covers multiple UPnP implementations (Intel SDK / libupnp, MiniUPnP, and some proprietary implementations), so it's hard to follow.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.



Bill_MI

Good job, and I can see how this raw data, especially the spreadsheet, is going to make for conclusion jumping.

For example, a very few uPnP Tomato firmwares apparently responded publicly (from the master spreadsheet). I see they're MiniUPnP versions 1.4 and 1.5.

If I read this right 1) These VERY FEW in the world (they scanned the entire IPv4 net) Tomato routers are probably misconfigured/misconnected to expose uPnP like that. 2) They are older versions and not using version 1.6 and 3) The reliability of the reporting can be questioned in the first place.

Am I reading this right?



koitsu

You got it, Bill_MI.

It's been a while since I've worked with the original/stock Tomato source, but from what I've read, it runs MiniUPnP 1.4. Present-day TomatoUSB derivatives run 1.6, or possibly (slightly older) 1.5. Versions prior to 1.4 did have pretty major security holes.

With both stock Tomato and TomatoUSB, the firewall rules are configured properly -- more specifically: even though miniupnpd listens on INADDR_ANY, the stock/default firewall rules do not allow new inbound TCP connections or UDP packets to make it to miniupnpd on the WAN interface.

Obviously all bets are off if you've customised firewall rules on the routers -- which a lot of people do, and do so wrongly at that -- or override some of the defaults. My opinion is that the very few responses shown in the spreadsheet are a result of people having messed with their firewall rules, or have a unique network configuration (also increasingly common). Take a peek over at the www.linksysinfo.org forums sometime to see all the utterly insane stuff people try to do. The more people screw around and make a mess (in effect avoid KISS principle), the more likely they're exposed.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.



Bill_MI

Thanks, we're thinking very much the same.

I think it was a total of 6 responses identifying themselves as Tomato. But these guys scanned the entire 16 billion IPv4 space! Six is an absolutely meaningless number being so low. I'm surprised there weren't more in the world misconfiguring things than just 6!

Of course, my whole point is how inclusion in the spreadsheet means little without such context. Thanks again.



koitsu

said by Bill_MI:

I think it was a total of 6 responses identifying themselves as Tomato. But these guys scanned the entire 16 billion IPv4 space! Six is an absolutely meaningless number being so low. I'm surprised there weren't more in the world misconfiguring things than just 6!

Here are two posts (one post, one thread) where an individual did exactly what I said (re: "the more people screw around, ... the more likely they're exposed"):

»www.linksysinfo.org/index.php?th···x.68094/
»www.linksysinfo.org/index.php?th···t-222422

So like I said, as long as people keep it simple and don't try to get all crazy with their Tomato/TomatoUSB routers and use them "normally" (i.e. as a simple home NAT router providing Internet access to their home PCs and laptops), they're secure. It's when people begin to go balls-to-the-walls that problems get introduced (like in the above thread, where the individual quite literally had every single daemon on his router publicly accessible to the Internet -- his UPnP instance was probably one of the few which was detected!). KISS wins again.
--
Making life hard for others since 1977.
I speak for myself and not my employer/affiliates of my employer.


heirloom

said by koitsu:

Here are two posts (one post, one thread) where an individual did exactly what I said (re: "the more people screw around, ... the more likely they're exposed"):

»www.linksysinfo.org/index.php?th···x.68094/
»www.linksysinfo.org/index.php?th···t-222422

So like I said, as long as people keep it simple and don't try to get all crazy with their Tomato/TomatoUSB routers and use them "normally" (i.e. as a simple home NAT router providing Internet access to their home PCs and laptops), they're secure. It's when people begin to go balls-to-the-walls that problems get introduced (like in the above thread, where the individual quite literally had every single daemon on his router publicly accessible to the Internet -- his UPnP instance was probably one of the few which was detected!). KISS wins again.

Whoaaaa. Your message is unreasonable. Here is why.

You can't honestly believe it is reasonable that someone would purchase an expensive powerful "open" router, find a release of Tomato that has a full set of VPN features, go through the trouble of flashing the router, jump through a pile of hoops to make certain the configuration has been wiped correctly, then use the device as a simple NAT gateway? Really? Anyone could achieve that result by buying a $15 device and just plugging it into their network.

Saying that applying and using a VPN is "all crazy" is just a bizarre statement. To further suggest "begin to go balls-to-the-walls that problems get introduced" is silly. Using a VPN is nothing of the sort.

The issue that was uncovered was simply because using a Tomato PPTP Client VPN will cause the remote end to have complete access to the processes running on the Tomato router. Nothing more complicated than that. No other factors were at play. Not customized firewall rules. Not NAT.

The stock/default firewall rules do in fact allow new inbound TCP connections or UDP packets to make it to local processes on the WAN ppp0 interface when using the PPTP Client VPN. It's something of which all users of the Tomato client VPN feature should be aware.

See here:
»repo.or.cz/w/tomato.git/commit/6···ad81115c

If you wish to characterize use of that feature as "all crazy" then you do a disservice to the community. The use of VPNs is expected to rise globally 4% over the period 2012-2016. Home use of VPNs will exceed that figure. Helping to secure Tomato is a valuable contribution. Ranting and misleading statements are not.
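The two firewall situations described in this thread (miniupnpd listening on INADDR_ANY but kept off the WAN by the default INPUT rules, and a PPTP client link adding a ppp0 interface that those rules let through) can be checked mechanically. The script below is an added example, not code from the thread or from Tomato/TomatoUSB; the rule set is constructed, with vlan2 standing in for the WAN port and ppp0 for the PPTP client link.

```python
"""Simulate a NEW inbound packet per interface against an iptables INPUT chain
to find interfaces that expose local daemons such as miniupnpd (which binds
INADDR_ANY, so only the firewall keeps it off the WAN). Added example for this
thread, not Tomato code; rules are constructed, vlan2 = WAN, ppp0 = PPTP link."""
import shlex

# Constructed `iptables -S INPUT` output, not captured from a real router.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i ppp0 -j ACCEPT
"""


def parse_rules(text):
    """Return (policy, rules); a rule is (iface or None, states or None, target)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":            # chain policy, used when no rule matches
            policy = tok[2]
            continue
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        states = set(opt["--state"].split(",")) if "--state" in opt else None
        rules.append((opt.get("-i"), states, opt.get("-j")))
    return policy, rules


def new_inbound_verdict(policy, rules, iface):
    """First terminal target matching a NEW packet arriving on iface."""
    for rule_iface, states, target in rules:
        if rule_iface not in (None, iface):
            continue
        if states is not None and "NEW" not in states:
            continue                  # conntrack-only rule; a fresh SYN skips it
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy


def exposed_interfaces(text, ifaces, trusted=("lo", "br0")):
    """Untrusted interfaces on which NEW inbound traffic reaches local daemons."""
    policy, rules = parse_rules(text)
    return [i for i in ifaces
            if i not in trusted and new_inbound_verdict(policy, rules, i) == "ACCEPT"]
```

On the constructed rules, vlan2 falls through to the DROP policy while ppp0 hits a blanket ACCEPT, which is the exposure the commit above addresses; on a real router feed it the output of `iptables -S INPUT` and the interface list from `ip link`.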


koitsu

If you feel I'm doing a disservice, I'm glad to hear it. *blank stare* There's nothing misleading about the fact that the user 1) uses private network addressing spaces, 2) uses multiple layers of NAT, 3) uses a VPN. This configuration is uncommon, and I can assure you, will not become more common over the next 4 years.

I was simply showing Bill_MI a real example of how a user's overly complex environment resulted in UPnP being accessible via the Internet.