
TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

TamaraB to Cabal

Premium Member

to Cabal

Re: Security Flaws in Universal Plug-n-Play: Unplug, Don't Play

Is there a remote test to determine if your UPnP implementation is vulnerable?

Everything posted so far here requires installing test software on a Windows PC. None of them run on Mac. I have an AirPort Extreme (Time Capsule) router and run UPnP for Vonage and for Back to My Mac.

skeechan
Ai Otsukaholic
Premium Member
join:2012-01-26
AA169|170

4 edits

skeechan

Premium Member

I'm not seeing any Apple products, the ABES, TC, etc on any of the hardware lists unless I am missing something. I'm assuming because Apple uses NAT-PMP.

TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

TamaraB

Premium Member

said by skeechan:

I'm not seeing any Apple products, the ABES, TC, etc on any of the hardware lists unless I am missing something.

Thanks. What hardware vulnerability "lists" are you referring to?

skeechan
Ai Otsukaholic
Premium Member
join:2012-01-26
AA169|170

skeechan

Premium Member

The ones linked to in the whitepaper.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to TamaraB

Premium Member

to TamaraB
said by TamaraB:

Is there a remote test to determine if your UPnP implementation is vulnerable?

To be quite honest I didn't run the tool - why would you download, install or run a program, it basically voids any test - if it was a web based probe I would understand, but install internal to the network defeats the test, unless I miss something here?

TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

1 recommendation

TamaraB

Premium Member

said by norwegian:

To be quite honest I didn't run the tool - why would you download, install or run a program, it basically voids any test - if it was a web based probe I would understand, but install internal to the network defeats the test, unless I miss something here?

No, you didn't miss anything. The only way to know for sure if your router's UPnP implementation is accessible from the Internet is to probe it from the Internet.

Cartel
Intel inside Your sensitive data outside
Premium Member
join:2006-09-13
Chilliwack, BC

Cartel

Premium Member

US Government Warns of Hack Threat to Network Gear

CERT in turn has tried to contact the more than 200 companies whose products Rapid7 have identified as being vulnerable to attack, including Belkin, D-Link, Cisco Systems Inc's Linksys division and Netgear.

Belkin, D-Link and Netgear did not respond to requests for comment.

»www.voanews.com/content/ ··· 376.html

NOYB
St. John 3.16
Premium Member
join:2005-12-15
Forest Grove, OR

NOYB to TamaraB

Premium Member

to TamaraB

Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

Mele20
Premium Member
join:2001-06-05
Hilo, HI

1 recommendation

Mele20 to Cartel

Premium Member

to Cartel
said by Cartel:

US Government Warns of Hack Threat to Network Gear

I see this near constant interference by DHS with the internet as very OMINOUS.

Damn shame.

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

2 recommendations

Bill_MI to NOYB

MVM

to NOYB
said by NOYB:

Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

Steve Gibson has announced he'll be adding a Shields Up scan and hopes to have it up by this weekend at »grc.com.

Steve often gets tagged as "alarmist" but may be justified in this case. He and Leo covered it rather well in today's Security Now: »twit.tv/show/security-now/389

This thing is a multi-level-fiasco. Vendors are using old code that was fixed, simplified sample code that never should be used and to top it off... it's exposed to the world by some kind of pure incompetence or neglect.

OZO
Premium Member
join:2003-01-17

1 recommendation

OZO to NOYB

Premium Member

to NOYB
said by NOYB:


Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

I understand your desire to test it with an automatic tool. But personally I don't see a way to automate that process. UPnP by design allows local applications to make port forwarding and open the firewall for them. That could create a security problem, but it's done by design and UPnP is just a tool for a nefarious program that you allowed to run inside your network.

In order to check UPnP for flaws you probably have to:
1. Scan router for all opened ports. If there is one - check to what service it's directed. If it's legal redirection (configured manually or via UPnP protocol) - no problem. If it's not - here is a potential security flaw, that you'd want to investigate further.

2. Always watch the UPnP table of current port redirections. If you see some strange and unexpected one - go for the program that has requested it. If it's a legitimate request? Then it's fine. If it's not, you have perhaps a trojan in your local network, which may use UPnP as one of the ways to do its dirty job. It's not a problem of (or with) UPnP. UPnP will just indicate a potential problem with your local network.

3. If, as a result of p1 test or p2 watch, you'll find an opened port / forwarding to a host, that is not requested by any program -- now that could be considered as a flaw in UPnP. But first, it's hard to discover... and second, even in this case, it could be a problem with some program, that had requested that service and did not turn it off after it was done, and, therefore, it's not an actual problem with UPnP.

But in any case, begin with p1 test...
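
The table watch described in step 2 of the post above can be scripted. This is an added example, not part of the original post: the sample rows, the expected list and the LAN range are constructed, the field names follow the output arguments of the UPnP IGD GetGenericPortMappingEntry action, and the outside-LAN check goes slightly beyond what the post lists.

```python
import ipaddress

# Constructed sample rows, shaped like the output arguments of the UPnP IGD
# GetGenericPortMappingEntry action. None of these values come from the thread.
SAMPLE_MAPPINGS = [
    {"NewProtocol": "UDP", "NewExternalPort": 5060, "NewInternalClient": "192.168.1.20",
     "NewPortMappingDescription": "VoIP adapter", "NewLeaseDuration": 3600},
    {"NewProtocol": "TCP", "NewExternalPort": 3389, "NewInternalClient": "192.168.1.45",
     "NewPortMappingDescription": "", "NewLeaseDuration": 0},
    {"NewProtocol": "TCP", "NewExternalPort": 8080, "NewInternalClient": "10.9.8.7",
     "NewPortMappingDescription": "web", "NewLeaseDuration": 600},
    {"NewProtocol": "tcp", "NewExternalPort": "51413", "NewInternalClient": "192.168.1.30",
     "NewPortMappingDescription": "file sharing", "NewLeaseDuration": 0},
]

# Assumed allowlist: (protocol, external port, internal host) you configured or expect.
EXPECTED = {("UDP", 5060, "192.168.1.20"), ("TCP", 51413, "192.168.1.30")}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range


def audit_mappings(mappings, expected=EXPECTED, lan=LAN):
    """Return [(key, [reasons])] for every mapping that deserves a closer look."""
    findings = []
    for m in mappings:
        client = str(m["NewInternalClient"])
        key = (str(m["NewProtocol"]).upper(), int(m["NewExternalPort"]), client)
        reasons = []
        if key not in expected:
            reasons.append("not on the expected list")
        try:
            if ipaddress.ip_address(client) not in lan:
                reasons.append("forwards to a host outside the LAN")
        except ValueError:
            reasons.append("internal client is not an IP address")
        # A lease of 0 means the mapping never expires on its own, so a program
        # that forgot to remove it leaves the port open (step 3 in the post).
        if int(m.get("NewLeaseDuration", 0)) == 0:
            reasons.append("no lease expiry")
        if reasons:
            findings.append((key, reasons))
    return findings


if __name__ == "__main__":
    for key, reasons in audit_mappings(SAMPLE_MAPPINGS):
        print(key, "->", "; ".join(reasons))
```

Each flagged row still needs the manual follow-up the post describes: find the program on that internal host and decide whether its request was legitimate.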

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI

1 recommendation

Bill_MI

MVM

Hi OZO. I think you're assuming the uPnP is confined to the LAN. One of the "you have to be kidding" in this is how millions of routers are apparently and incorrectly exposing uPnP on the WAN side. They're responding to UDP port 1900 on the net!

OZO
Premium Member
join:2003-01-17

1 recommendation

OZO

Premium Member

Yes, of course. I presume that:
1. Any security aware and sane user will never allow to configure UPnP from WAN side.
2. Opened port / service that will allow to do that (configuration from WAN side) will be discovered in p1 test.

Juggernaut
Irreverent or irrelevant?
Premium Member
join:2006-09-05
Kelowna, BC

Juggernaut to Bill_MI

Premium Member

to Bill_MI
This is why this thread is discussing turning off UPnP. Both on a machine (LAN), and in the router (WAN). Those are the main vectors of vulnerability, right?

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

1 edit

1 recommendation

Bill_MI

MVM

said by Juggernaut:

This is why this thread is discussing turning off UPnP. Both on a machine (LAN), and in the router (WAN). Those are the main vectors of vulnerability, right?

There's several layers of problems here. 1) uPnP has no intended function to EVER be on a router's WAN. Never! Makes no sense. Yet by something right out of a horror flick - it is! And by the millions. 2) These uPnP routers are also full of vulnerable code, much of which has been known for some time but never patched.

I'm not worried about my personal case. My compiled OpenWrt has no sign of any uPnP module, never has, and never will. BETTER than turning it off is not having it in the first place.

EDIT: Sorry, I think at least one of us (me) got confused in terminology.

The router's LAN responds to uPnP client requests and includes all sorts of functions. uPnP Clients such as XBox, TVs, Windows machines, etc. control the router this way. This LAN part of the router was never intended to be on the WAN of that same router... yet has been found there by the millions.

norwegian
Premium Member
join:2005-02-15
Outback

1 recommendation

norwegian to TamaraB

Premium Member

to TamaraB
said by TamaraB:

said by norwegian:

To be quite honest I didn't run the tool - why would you download, install or run a program, it basically voids any test - if it was a web based probe I would understand, but install internal to the network defeats the test, unless I miss something here?

No, you didn't miss anything. The only way to know for sure if your router's UPnP implementation is accessible from the Internet is to probe it from the Internet.

I did miss a little after seeing the tool when the link above was a download tool.

If you are accessing the internet from your home network, we now offer an alternative to ScanNow and Metasploit. The Rapid7 UPnP Check is a one-click security scan for broadband and mobile users. If you are concerned about the security of your non-technical friends and family, this is a quick way for them to check their home router for UPnP vulnerabilities. The main difference between this service and ScanNow is that the UPnP Check will run a scan from the internet and can only check the external interface of your router.

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

AVD to Bill_MI

Premium Member

to Bill_MI
said by Bill_MI:

said by NOYB:

Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

Steve Gibson has announced he'll be adding a Shields Up scan and hopes to have it up by this weekend at »grc.com.

Steve often gets tagged as "alarmist" but may be justified in this case. He and Leo covered it rather well in today's Security Now: »twit.tv/show/security-now/389

This thing is a multi-level-fiasco. Vendors are using old code that was fixed, simplified sample code that never should be used and to top it off... it's exposed to the world by some kind of pure incompetence or neglect.

You have to blame MS for this.

TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

TamaraB to norwegian

Premium Member

to norwegian
said by norwegian:

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.

Nor for me either. There is no Mac version. Glad to see it can test from the Internet though. If Grc adds an Internet test for this it would be great.

planet
join:2001-11-05
Oz

1 edit

planet

Member

said by TamaraB:

said by norwegian:

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.

Nor for me either. There is no Mac version. Glad to see it can test from the Internet though. If Grc adds an Internet test for this it would be great.

Wouldn't work on iOS/Safari either. Cog just spins.

Wouldn't GRC Shields Up work for this? I thought the scan pinged port 1900 UPnP.

Bill_MI
Bill In Michigan
MVM
join:2001-01-03
Royal Oak, MI
TP-Link Archer C7
Linksys WRT54GS
Linksys WRT54G v4

Bill_MI

MVM

said by planet:

Wouldn't GRC Shields Up work for this? I thought the scan pinged port 1900 UPnP.

We need someone vulnerable to try it. To my knowledge, GRC only does TCP and this port is UDP, at least to start. I'm pretty sure Steve is isolating the scan out to be very specific and, if I know Steve, it might query for info (but maybe not, too).

Wily_One
Premium Member
join:2002-11-24
San Jose, CA

Wily_One to planet

Premium Member

to planet
said by MrFixit1:

You can use »netalyzr.icsi.berkeley.edu/ to at least test for UPnP access from the WAN side.
Will be near the top of the results listing, may have to hit + to get full details.

said by planet:

said by TamaraB:

said by norwegian:

It doesn't work for me though. Chrome had a cog turning, IE9 doesn't do anything.

Nor for me either. There is no Mac version. Glad to see it can test from the Internet though. If Grc adds an Internet test for this it would be great.

Wouldn't work on iOS/Safari either. Cog just spins.

Neither Netalyzr nor the Rapid7 net scans work, period. I tried them on Win7/IE9, WinXP/IE8 and WinXP/Firefox. On some it does nothing, on others the scan runs all the way through and continually repeats, never taking you to the Results.

planet
join:2001-11-05
Oz

planet

Member

The scan worked with Firefox on XP for me.

Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to Wily_One

Premium Member

to Wily_One
I've used Netalyzr for many years on XP and now Win 8. On XP, I sometimes had problems with it not starting but that is because it didn't like my old version of Java which eventually would run only on IE6 and so both IE and Java were too old for it. It was fine once I finally updated Java.

On Win 8, it works fine on Fx 10 ESR, Opera 12 and IE 10. It is an excellent tool to analyze your network connection. It tells me some bad stuff about my connection that concerns me more than UPnP which I already knew about anyway.