ALERT: Routers are vulnerable to new Flash UPnP attack (other devices as well)!

Security mavens have uncovered a design flaw in most home routers [actually in UPnP] that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website.

The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce companies or health care organizations. The exploit works even if a user has changed the default password of the router. And it works regardless of the operating system or browser the computer connected to the device is running, as long as it has a recent version of Adobe Flash installed.

"This is a huge problem," Adrian Pastor, of the prolific hacking organization GNUCitizen, said in an instant message.

The problem resides in Universal Plug and Play, a feature built in to most routers used for home networks so machines running games, instant messaging programs and other applications will work seamlessly with the devices. By exposing an end user to a malicious Flash file lurking on a website, attackers can use UPnP, as the technology is usually called, to make significant modifications to the router.

The most serious change that's possible is changing the server that PCs connected to the router use to access websites. That might cause a victim trying to access eBay or Bank of America to see spoofed pages that steal their login credentials.

The hack could also allow attackers to open ports on a victim's router. That would be useful in turning a router into what would amount to a zombie machine by forwarding ports to an external server.

The weakness, which works using the navigateToURL function and URLRequest object specified in Flash, isn't a security flaw within Flash, the researchers say. Rather they are design flaws in UPnP, which doesn't use authentication. PCs using virtually any platform and browser will change router settings, as long as they run version 8 or higher of Flash.

Routers made by Linksys, Dlink and SpeedTouch have been confirmed to be vulnerable, and other manufacturers' products are also likely susceptible to attack, the researchers said. Most routers have UPnP turned on by default. The only way to prevent the attack is to turn the feature off, something that is possible with some, but not all, devices.

"Flash UPnP Attack FAQ"

How would you rate the issue? HIGHLY SEVERE! Turn UPnP off!

"Hacking The Interwebs"

John Navas

Thanks.

If anyone's interested: To turn off UPnP in the Linksys router, log on to your router's Administration, Management section with Internet Explorer, check the box, UPnP Disable, and click the "Save Settings" button. Direct link -

Unk

I said that the first time when I heard MS developed UPnP and how it would allow anything to automatically reconfigure a router.

George

As far as I'm concerned, their research could have stopped right there. uPnP is a huge massive flaw in itself, a hole waiting to be crawled into. Weaknesses in the protocol or implementation wane into insignificance...

Mark McIntyre

On Wed, 16 Jan 2008 14:03:06 -0500, George wrote:

Microsoft, the company you love to hate, isn't the issue. UPnP does have security, but implementing that security is a bit complex, so most hardware vendors don't bother.

John Navas

On Wed, 16 Jan 2008 20:32:12 +0000, Mark McIntyre wrote:

UPnP can actually be made quite secure. The problem is that most hardware companies don't bother.

John Navas

OK. I just turned it off on our router. Does this mean that I will simply have to do manual port forwarding from now on for each and every user and program? And what about DHCP? Should I also assign all addresses?

PITA, but...

Any other suggestions for how to manage this for a dozen users on a router?

Steve

seaweedsteve

On Thu, 17 Jan 2008 03:42:12 -0800 (PST), seaweedsteve wrote:

Yes, but only if needed, which usually is only the case for (illicit) filesharing. Automatic router operation works fine for the vast majority of applications.

DHCP isn't affected.

You probably won't notice at all that UPnP has been turned off unless someone complains about filesharing not working as well.

Be relieved that you've protected both you and the dozen users.

John Navas

99.999% of programmes don't need port forwarding - you only need that if some remote application is trying to connect to you, without you first asking it to.

For instance I have port forwarding set up for the mailserver, webserver, voip gateway and that's it. No other app I or any of my family or even our lodger uses requires ports to be forwarded.

Not relevant to DHCP.

Don't let them waste your bandwidth with dodgy P2P?

Mark McIntyre

You mean security like this? SOAP is too hard, the security is BS!

chessucat

OK. Thanks guys. I seemed to have seen some other stuff besides p2p, but I forget.

The reason I was asking about DHCP is because if I want to do port forwarding, I need a fixed IP to forward to?

Aw, I don't have the patience to worry about this now, it's a non-problem.

But I do appreciate the heads up on turning off UPnP.

Steve

seaweedsteve

On Fri, 18 Jan 2008 21:06:00 -0800 (PST), seaweedsteve wrote:

UPnP is not needed for that kind of port forwarding. Just get a router that allows setting a fixed DHCP address for your server, and manual configuration of port forwarding to that address. This is all handled in the router configuration, protected by password, not UPnP, which is more for P2P filesharing.

John Navas

Yes, but that's trivial to do. Most routers let you define "static" DHCP addresses where the router will try very hard to give your PC the same address every time. Even if not, unless you have a /lot/ of devices on your LAN, your PC will probably still get the same address each time.

Mark McIntyre
