dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
22
share rss forum feed


NOYB
St. John 3.16
Premium
join:2005-12-15
Forest Grove, OR
kudos:1
reply to TamaraB

Re: Security Flaws in Universal Plug-n-Play: Unplug, Don't Play


Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.



Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

2 recommendations

said by NOYB:

Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

Steve Gibson has announced he'll be adding a Shields Up scan and hopes to have it up by this weekend at »grc.com.

Steve often gets tagged as "alarmist" but may be justified in this case. He and Leo covered it rather well in today's Security Now: »twit.tv/show/security-now/389

This thing is a multi-level-fiasco. Vendors are using old code that was fixed, simplified sample code that never should be used and to top it off... it's exposed to the world by some kind of pure incompetence or neglect.

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

reply to NOYB

said by NOYB:


Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

I understand your desire to test it with some an automatic tool. But personally I don't see a way to automate that process. UPnP by design allows local applications to make port forwarding and open firewall for them. That could create security problem, but it's done by design and UPnP is just a tool for nefarious program, that you allowed to run inside your network.

In order to check UPnP for flaws you probably have to:
1. Scan router for all opened ports. If there is one - check to what service it's directed. If it's legal redirection (configured manually or via UPnP protocol) - no problem. If it's not - here is a potential security flaw, that you'd want to investigate further.

2. Always watch UPnP table of current port redirections. If you see some strange and unexpected one - go for the program that has requested it. If it's legitimate request? Then it's fine. If it's not, you have perhaps a trojan in your local network, which may use UPnP as one of the ways to do its dirty job. It's not a problem or (or with) UPnP. UPnP will just indicate potential problem with your local network.

3. If, as a result of p1 test or p2 watch, you'll find an opened port / forwarding to a host, that is not requested by any program -- now that could be considered as a flaw in UPnP. But first, it's hard to discover... and second, even in this case, it could be a problem with some program, that had requested that service and did not turn it off after it was done, and, therefore, it's not an actual problem with UPnP.

But in any case, begin with p1 test...
--
Keep it simple, it'll become complex by itself...


Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2

1 recommendation

Hi OZO. I think you're assuming the uPnP is confined to the LAN. One of the "you have to be kidding" in this is how millions of routers are apparently and incorrectly exposing uPnP on the WAN side. They're responding to UDP port 1900 on the net!


OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

Yes, of course. I presume that:
1. Any security aware and sane user will never allow to configure UPnP from WAN side.
2. Opened port / service that will allow to do that (configuration form WAN side) will be discovered in p1 test.
--
Keep it simple, it'll become complex by itself...



Juggernaut
Irreverent or irrelevant?
Premium
join:2006-09-05
Kelowna, BC
kudos:2
reply to Bill_MI

This is why this thread is discussing turning off UPnP. Both on a machine (LAN), and in the router (WAN). Those are the main vectors of vulnerability, right?
--
"I fear the day that technology will surpass our human interaction. The world will have a generation of idiots." ~ Albert Einstein



Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

1 edit

1 recommendation

said by Juggernaut:

This is why this thread is discussing turning off UPnP. Both on a machine (LAN), and in the router (WAN). Those are the main vectors of vulnerability, right?

There's several layers of problems here. 1) uPnP has no intended function to EVER be on a router's WAN. Never! Makes no sense. Yet by something right out of a horror flick - it is! And by the millions. 2) These uPnP routers are also full of vulnerable code, much of which has been known for some time but never patched.

I'm not worried about my personal case. My compiled OpenWrt has no sign of any uPnP module, never has, and never will. BETTER than turning it off is not having it in the first place.

EDIT: Sorry, I think at least one of us (me) got confused in terminology.

The router's LAN responds to uPnP client requests and includes all sorts of functions. uPnP Clients such as XBox, TVs, Windows machines, etc. control the router this way. This LAN part of the router was never intended to be on the WAN of that same router... yet has been found there by the millions.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to Bill_MI

said by Bill_MI:

said by NOYB:

Wonder if there will be a BBR / DSL Reports tool for testing for UPnP security flaws.

Steve Gibson has announced he'll be adding a Shields Up scan and hopes to have it up by this weekend at »grc.com.

Steve often gets tagged as "alarmist" but may be justified in this case. He and Leo covered it rather well in today's Security Now: »twit.tv/show/security-now/389

This thing is a multi-level-fiasco. Vendors are using old code that was fixed, simplified sample code that never should be used and to top it off... it's exposed to the world by some kind of pure incompetence or neglect.

you have to blame MS for this.
--
* seek help if having trouble coping
--Standard disclaimers apply.--