ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
<http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/

   Security mavens have uncovered a design flaw in most home routers
   [actually in UPnP] that allows attackers to remotely control the
   devices by luring an attached computer to a booby-trapped website.

   The weakness could allow attackers to redirect victims to fraudulent
   destinations that masquerade as trusted sites belonging to banks,
   ecommerce companies or health care organizations. The exploit works
   even if a user has changed the default password of the router. And it
   works regardless the operating system or browser the computer
   connected to the device is running, as long as it has a recent
   version of Adobe Flash installed.

   "This is a huge problem," Adrian Pastor, of the prolific hacking
   organization GNUCitizen, said in an instant message.

   The problem resides in Universal Plug and Play, a feature built in to
   most routers used for home networks so machines running games,
   instant messaging programs and other applications will work
   seamlessly with the devices. By exposing an end user to a malicious
   Flash file lurking on a website, attackers can use UPnP, as the
   technology is usually called, to make significant modifications to
   the router.

   The most serious change that's possible is changing the the server
   PCs connected to the router use to access websites. That might cause
   a victim trying to access eBay or Bank of America to see spoofed
   pages that steal their login credentials.

   The hack could also allow attackers to open ports on a victim's
   router. That would be useful in turning a router into what would
   amount to a zombie machine by forwarding ports to an external server.

   The weakness, which works using the navigatetoURL function and
   URLRequest object specified in Flash, isn't a security flaw within
   Flash, the researches say. Rather they are design flaws in UPnP,
   which doesn't use authentication. PCs using virtually any platform
   and browser will change router settings, as long as they run version
   8 or higher of Flash.

   Routers made by Linksys, Dlink and SpeedTouch have been confirmed to
   be vulnerable, and other manufacturers' products are also likely
   susceptible to attack, the researchers said. Most routers have UPnP
   turned on by default. The only way to prevent the attack is to turn
   the feature off, something that is possible with some, but not all,
   devices.

"Flash UPnP Attack FAQ"
<http://www.gnucitizen.org/blog/flash-upnp-attack-faq

   How would you rate the issue?
   HIGHLY SEVERE! Turn UPnP off!

"Hacking The Interwebs"
<http://www.gnucitizen.org/blog/hacking-the-interwebs


Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!

Quoted text here. Click to load it
Thanks.

If anyone's interested: To turn off UPnP in the Linksys router, logon to your
router's
Administration, Management section with Internet Explorer,
check the box, UPnP Disable, and click the "Save Settings" button.
Direct link - <http://192.168.1.1/Manage.htm

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
John Navas wrote:

Quoted text here. Click to load it

I said that the first time when I heard MS developed UPnP and how it
would allow anything to automatically reconfigure a router.



Quoted text here. Click to load it

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!

Quoted text here. Click to load it

Microsoft, the company you love to hate, isn't the issue.  UPnP does
have security, but implementing that security is a bit complex, so most
hardware vendors don't bother.

--
Best regards,   FAQ for Wireless Internet: <http://Wireless.wikia.com
John Navas      FAQ for Wi-Fi:  <http://wireless.wikia.com/wiki/Wi-Fi
           Wi-Fi How To:  <http://wireless.wikia.com/wiki/Wi-Fi_HowTo
Fixes to Wi-Fi Problems:  <http://wireless.wikia.com/wiki/Wi-Fi_Fixes

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
John Navas wrote:
Quoted text here. Click to load it

As far as I'm concerned, their research could have stopped right there.
uPnP is a huge massive flaw in itself, a hole waiting to be crawled
into. Weaknesses in the protocol or implementation wan into
insignificance...

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
On Wed, 16 Jan 2008 20:32:12 +0000, Mark McIntyre

Quoted text here. Click to load it

UPnP can actually be made quite secure.  The problem is that most
hardware companies don't bother.

--
Best regards,   FAQ for Wireless Internet: <http://Wireless.wikia.com
John Navas      FAQ for Wi-Fi:  <http://wireless.wikia.com/wiki/Wi-Fi
           Wi-Fi How To:  <http://wireless.wikia.com/wiki/Wi-Fi_HowTo
Fixes to Wi-Fi Problems:  <http://wireless.wikia.com/wiki/Wi-Fi_Fixes

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
Quoted text here. Click to load it



OK. I just turned it off on our router.  Does this mean that I will
simply have to do manual port forwarding from now on for each and
every user and program?  And what about DHCP?  Should I also assign
all addreses?

PITA, but...

Any other suggestions for how to manage this for a dozen users on a
router?

Steve

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
On Thu, 17 Jan 2008 03:42:12 -0800 (PST), seaweedsteve


Quoted text here. Click to load it


Yes, but only if needed, which usually is only the case for (illicit)
filesharing.  Automatic router operation works fine for the vast
majority of applications.

Quoted text here. Click to load it

DHCP isn't affected.

Quoted text here. Click to load it

You probably won't notice at all that UPnP has been turned off unless
someone complains about filesharing not working as well.

Quoted text here. Click to load it

Be relieved that you've protected both you and the dozen users.

--
Best regards,   FAQ for Wireless Internet: <http://Wireless.wikia.com
John Navas      FAQ for Wi-Fi:  <http://wireless.wikia.com/wiki/Wi-Fi
           Wi-Fi How To:  <http://wireless.wikia.com/wiki/Wi-Fi_HowTo
Fixes to Wi-Fi Problems:  <http://wireless.wikia.com/wiki/Wi-Fi_Fixes

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
seaweedsteve wrote:
Quoted text here. Click to load it

99.999% of programmes don't need port forwarding - you only need that if
some remote application is trying to connect to you, without you first
asking it to.

For instance I have port forwarding set up for the mailserver,
webserver, voip gateway and thats it. No other app I or any of my family
or even our lodger uses requires ports to be forwarded.

Quoted text here. Click to load it

Not relevant to DHCP.

Quoted text here. Click to load it

Don't let them waste your bandwidth with dodgy P2P?

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
OK. Thanks guys.  I seemed to have seen some other stuff besides p2p,
but I forget.

The reason I was asking about DHCP is because if I want to do port
forwarding, I need a fixed IP to forward too?

Aw, I don't have the patience to worry about this now, it's a non-
problem.

But I do appreciate the heads up on turning off UPnP.

Steve

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
On Fri, 18 Jan 2008 21:06:00 -0800 (PST), seaweedsteve

Quoted text here. Click to load it

UPnP is not needed for that kind of port forwarding.  Just get a router
that allows setting a fixed DHCP address for your server, and manual
configuration of port forwarding to that address.  This is all handled
in the router configuration, protected by password, not UPnP, which is
more for P2P filesharing.

--
Best regards,   FAQ for Wireless Internet: <http://Wireless.wikia.com
John Navas      FAQ for Wi-Fi:  <http://wireless.wikia.com/wiki/Wi-Fi
           Wi-Fi How To:  <http://wireless.wikia.com/wiki/Wi-Fi_HowTo
Fixes to Wi-Fi Problems:  <http://wireless.wikia.com/wiki/Wi-Fi_Fixes

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
seaweedsteve wrote:
Quoted text here. Click to load it

Yes, but thats trivial to do. Most routers let you define "static" DHCP
addresses where the router will try very hard to give your PC the same
address every time. Even if not, unless you have a /lot/ of devices on
your lan, your PC will probably still get the same address each time.

Re: ALERT: Router are vulnerable to new Flash UPnP attack (other devices as well)!
X-No-Archive: yes
Quoted text here. Click to load it

You mean security like this?  SOAP is too hard, the security is BS!

<http://www.upnp.org/standardizeddcps/security.asp

<chessucat twitches>

Site Timeline