Severe UPnP Flaw Allows Router Hijacking

Discussion in 'other security issues & news' started by ronjor, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Story
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks, this sounds pretty serious. I just rechecked and I have UPnP disabled in my router :).
     
  3. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    The original research is here:

    http://www.gnucitizen.org/blog/hacking-the-interwebs

    Following many questions and misunderstandings on the subject, GNUCitizen has added a FAQ about this problem:

    http://www.gnucitizen.org/blog/flash-upnp-attack-faq

    Some main points:

    - OS independent; possible in every system that runs flash

    - Even if the OS has effective security software, we are still at risk: UPnP may be used to change the router settings, including wifi configuration, DNS servers [directed to pishing exploits], channeling of crap through specific ports etc... Basically, a big problem.

    - Only known for flash (works for the current version, and for any browser that allow flash), but it's highly probable that this hack can be performed using other dynamic content software such as Java etc...although no techniques have yet been made public.

    - If we block flash, for example through the use of NoScript, we still face the possibility that some of our trusted sites may somehow be infected.

    On the other side, people who disable UPnP on the router will have to be able to fix their IP and manually forward ports for certain software to work, like instant messengers and P2P clients. Gaming consoles and VOIP [though not Skype, theoretically] will also suffer.

    Having UPnP off may be safer, but it will also bring its share of problems to many people who can not, know not or have better things to do than getting lost in these $#!!'|** internet problems...

    QUESTION: What can security software do about this communication between flash and the router ? It will probably not report anything.
    This dynamic internet content stuff is getting to a point where the security vendors must do something and start forbiding what java, flash etc... can do.
    One may say that security apps will not want to do this due to fear of losing market share, but they should at least offer some specifically directed, easily appliable plugin-restriction options.
    Now there's an idea for a security app, maybe an enhanced sandbox: "web-content neutering".
     
    Last edited: Jan 15, 2008
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So does a sandbox will prevent it?
    Any test/ POC etc?
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    From what I'm reading, a sandbox will NOT prevent this. It seems that the exploit uses flash to activate certain protocols in the TCPIP stack (that make up UPnP) to reconfigure the router.

    I did the same thing! :D
     
  6. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    # The authors state that UPnP and flash are working the way they normally should and that this is not a security flaw per se but an implementation design error.
    Well, the way I see it, an implementation design error which leads to potential security problems is a security flaw. Call it what you will...

    aigle, the (harmless) POC is right at:

    http://www.gnucitizen.org/blog/hacking-the-interwebs

    Could you perform some tests?

    Let's analyze solutions to this problem:

    1- Block flash through use of Opera or NoScript for Firefox, or some IE add-on.

    Problems: - allowed trusted sites can be hacked without our knowledge
    - other web content plattforms such as Java etc... may also be used to perform this thing with UPnP.

    2- New flash design without this security flaw.

    Problem: - Is it going to happen ? Hardly. Even if so, when then?

    3- New UPnP implementation with strong authentication measures.

    Problem: - Is it going to happen? When ?

    4- Turn off UPnP on the router.

    Problem: - UPnP is highly convenient for many applications such as IM clients, VOIP software, p2p clients etc, gaming consoles and more. To the vaaaaaaaaast majority, turning off UPnP and going the static IP/ manual port forward route will prove daunting.

    So the most important is: what can security software do at this point ?
    Throw your suites, sandboxes, HIPS at it, see what comes up. The POC is in the link I gave above.

    (I am on very restricted setup for the time being and can not perform tests)

    For those knowledgeable on flash stuff, here is a link about the workings of one of the flash features that is involved in this UPnP mess:

    http://livedocs.adobe.com/flex/2/langref/flash/net/package.html#navigateToURL

    Let the testing begin.
     
  7. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Will disabling UPnP do the trick of preventing this exploit?
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    I don't see what the big deal is. Use manual configuration of ports, as Internet Gods intended. UPnP is for lazy people.
    Mrk

    P.S. My router came with UPnP disabled.
     
  9. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    @ acr1965: Yes, disabling UPnP on the router will prevent this exploit.

    @ Mrk: Not everyone who doesn't give a s**t about port forwarding, static IPs, network slang etc... can be considered lazy. Some people have better things to do than get lost on the marvellous world of internet complications.
    The idea behind UPnP is valid and, provided strong authentication measures are in place (which is not the case, unfortunately), UPnP can really make life easier.

    Anyway, from member ModemHead at DSL forums:

    "The proof-of-concept at this page is simply a sample piece of code and is not a "click-to-test" kind of thing. To prove the concept you would have to download the code, compile it with Adobe Flex and build a page with an embedded Flash object."

    So if someone knows of a - safe - page where such a test is embedded, let us know. Me, I know less than 0 on flash programming (and I couldn't care less, as I hate dynamical content), so I can not help here.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    I have always believed that computer usage should require a valid test and license. Just like driving. Not everyone can drive. Not everyone should use the computer.
    Mrk
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, huangker & Jomsviking
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    me two! i double checked and my idiot router had it enabled by default. so i disabled it.
     
  13. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    LOL! Users definitely need to be educated. Look at storm worm, all social engineering.
     
  14. Dogbiscuit

    Dogbiscuit Guest

    Comrade Mrkvonic,

    These ideas will not be popular, but you have never courted popularity. ;)
     
  15. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    I fully agree with you.
    Sadly, it will never happen; too much $$$ to be made exploiting people's ignorance/naïvity/good will/ lack of knowledge...
     
  16. herbalist

    herbalist Guest

    UPnP is also enabled on many DSL modems. Many of them are combined modem/router units. The last 2 modems my ISP supplied came with UPnP enabled. The same attack vector applies.

    Blocking flash is not the answer. It's probable that many active contents like Java, ActiveX, etc can be used for this. Users might not want the hassle of disabling UPnP and setting up static IPs, but that's the only real way to fix the problem. With anything less, you take your chances.

    Just so users understand what the consequences of malicious DNS can be, your browser, NoScript, etc will not realize that the site you're directed to by a malicious DNS server is not the trusted site it's supposed to be. The result is the same as hacking the trusted site itself.
    Rick
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    So it would appear that disabling UPnP in the router is the only way to go. I checked the other day, and mine is already disabled. Guess I did that a few years ago when I set it up.
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I have never uses upnp in my life. Could it really be that useful?
     
    Last edited: Jan 21, 2008
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Hi,

    I don´t have a router (only a DSL modem) and the UPnP service has been disabled for years on my machine, so do I have to worry, am I still at risk?
     
  20. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    what about just disabling the UPnP in services of Vista?
     
  21. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    No, even with this service disabled, your windows box can still configure a upnp enabled router.
     
  22. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    The router's UPnP implementation and Windows' own UPnP implementation are two different things.
    The security problem we discuss here takes advantage of the router's UPnP implementation weaknesses (no authentication etc...), and will in principle not be affected by disabling the UPnP framework services in windows (SSDP Discovery Service and UPnP Device Host).
    So, to defeat this security problem, measures must be taken at the router level.

    Rasheed187, I think you are safe.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    OK thanks for the info, so if you haven´t got a router you´re not at risk at all? I wonder why some people made it sound like it was the end of the world then, without even mentioning this fact. :rolleyes:
     
  24. herbalist

    herbalist Guest

    DSL and cable modems often have routers built into them. This is not limited to free standing routers only. Anything that uses UPnP is also vulnerable. This includes ISP supplied equipment over which you have not have any control.
    Rick
     
Loading...
Thread Status:
Not open for further replies.