
ruiner

join:2012-03-10
Canada

1 edit

UPnP Vulnerability

quote:
During the security analysis, we have discovered remote preauth format string vulnerability in Broadcom UPnP stack. Vulnerability can be exploited to write arbitrary values to arbitrary memory address, and also to remotely read router memory. When properly exploited, it allows unauthenticated attacker to execute arbitrary code under root account.

Source:
»news.softpedia.com/news/DefenseC···31.shtml

So now we know why the Actiontec's firmware is so terrible. Telus is trying to protect us by having the UPnP daemon crash so that we can't be hacked.

Anyone who knows how to port forward who is using UPnP may want to look at disabling UPnP and forwarding any ports you need instead. The Actiontec is on the list of vulnerable hardware.


Tornado15550

join:2012-12-16
Canada

Will Telus be releasing a firmware update for the V1000H to patch this vulnerability?



jtl999
CEO of Actiontec Dev Team

join:2012-11-24
In the GVRD
kudos:4
reply to ruiner

Let's just get our own modems.



pfak
Premium
join:2002-12-29
Vancouver, BC
reply to Tornado15550

said by Tornado15550:

Will Telus be releasing a firmware update for the V1000H to patch this vulnerability?

In 6 months time ..
--
The more I C, the less I see.


nss_tech

join:2007-07-29
Edmonton AB
reply to ruiner

@jtl999 - Aren't you still with Shaw?
@pfak - It takes that amount of time just for the red tape



ohnoohnoohno

@telus.net
reply to ruiner

I so do hate certain 'automated' things for computing. Some things are so simple, yet they add a 'convenience button' to make it so tech support doesn't have to come and hold the consumer's hand every day. And it's these magic buttons that they keep finding security flaws with.

Idiocracy, we are almost there.
»www.imdb.com/title/tt0387808/

Hey, it could be worse. Some ISPs in the U.S. are now charging a fee for 'wireless' on the gateway (modem/router) units.

But at least when you refuse to pay the wireless 'fee' they bridge the gateway so you can easily use your own router, until a system glitch disables the bridge.


StarBuck

join:2011-01-16
Port Coquitlam, BC
reply to ruiner

People still use Universal Plug and Pray?
Hasn't it been a known hole for years? Since 2003 .....
First thing I always do with new equipment is to disable it (UPnP) and I thought everyone did that.
Oh and let's not forget about SSDP....



Tornado15550

join:2012-12-16
Canada

I thought that was with WPS.
I disabled WPS as soon as I got my V1000H as it too has a vulnerability, right? And that should also be patched in the next firmware update!!



jtl999
CEO of Actiontec Dev Team

join:2012-11-24
In the GVRD
kudos:4
reply to nss_tech

Switching soon when TekSavvy DSL has 50mbps. It appears that will happen in the worst case in the summer according to several employees.


BadMagpie

join:2011-02-05
reply to pfak

said by pfak:

said by Tornado15550:

Will Telus be releasing a firmware update for the V1000H to patch this vulnerability?

In 6 months time ..

Will that allow for a faster than 76/12 sync with PhyR on?


Exand

join:2001-10-28
Canada
reply to ruiner

You can run a scan to see if your UPnP is vulnerable:
»www.grc.com/default.htm
(Halfway down the page, UPnP Exposure Test)



Tornado15550

join:2012-12-16
Canada
Reviews:
·TELUS

"THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)"

Running Actiontec V1000H with latest unmodified firmware, and UPnP enabled.



umm

@videotron.ca
reply to Exand

said by Exand:

You can run a scan to see if your UPnP is vulnerable:
»www.grc.com/default.htm
(Halfway down the page, UPnP Exposure Test)

That test is *not* meant for this specific upnp exploit.

peternm22

join:2006-08-20
Salmon Arm, BC

said by umm :

That test is *not* meant for this specific upnp exploit.

Yes it is. A new test was recently added to the Shields Up page to test specifically for this exploit (not to be confused with GRC's earlier Unplug n' Play utility, which is designed for UPnP on a Windows system, not the router).


Exand

join:2001-10-28
Canada
reply to umm

said by umm :

That test is *not* meant for this specific upnp exploit.

As peternm22 said, it's been updated since the old version.

ruiner

join:2012-03-10
Canada
reply to Tornado15550

The DefenseCode article said the Actiontec is vulnerable and that a lot of routers expose UPnP on their WAN interface. They didn't specifically say which routers do though, so that is good to know.

My Actiontec is bridged with UPnP disabled already before the bridge so I couldn't test it. Being a LAN-side exploit reduces the severity a lot.



Tornado15550

join:2012-12-16
Canada

Very true, but actually patching the vulnerability completely would provide peace of mind for a lot of users. Of course, IF the V1000H model is vulnerable (as you said, they didn't specify the router models that were affected).