Severe UPnP Flaw Allows Router Hijacking

Discussion in 'other security issues & news' started by ronjor, Jan 15, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,045
    Location:
    Texas
    Story
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks, this sounds pretty serious. I just rechecked and I have UPnP disabled in my router :).
     
  3. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    The original research is here:

    http://www.gnucitizen.org/blog/hacking-the-interwebs

    Following many questions and misunderstandings on the subject, GNUCitizen has added a FAQ about this problem:

    http://www.gnucitizen.org/blog/flash-upnp-attack-faq

    Some main points:

    - OS independent; possible in every system that runs flash

    - Even if the OS has effective security software, we are still at risk: UPnP may be used to change the router settings, including wifi configuration, DNS servers [directed to phishing exploits], channeling of crap through specific ports etc... Basically, a big problem.

    - Only known for flash (works for the current version, and for any browser that allows flash), but it's highly probable that this hack can be performed using other dynamic content software such as Java etc...although no techniques have yet been made public.

    - If we block flash, for example through the use of NoScript, we still face the possibility that some of our trusted sites may somehow be infected.

    On the other side, people who disable UPnP on the router will have to be able to fix their IP and manually forward ports for certain software to work, like instant messengers and P2P clients. Gaming consoles and VOIP [though not Skype, theoretically] will also suffer.

    Having UPnP off may be safer, but it will also bring its share of problems to many people who can not, know not or have better things to do than getting lost in these $#!!'|** internet problems...

    QUESTION: What can security software do about this communication between flash and the router? It will probably not report anything.
    This dynamic internet content stuff is getting to a point where the security vendors must do something and start forbidding what java, flash etc... can do.
    One may say that security apps will not want to do this due to fear of losing market share, but they should at least offer some specifically directed, easily applicable plugin-restriction options.
    Now there's an idea for a security app, maybe an enhanced sandbox: "web-content neutering".
     
    Last edited: Jan 15, 2008
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So will a sandbox prevent it?
    Any test/ POC etc?
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    From what I'm reading, a sandbox will NOT prevent this. It seems that the exploit uses flash to activate certain protocols in the TCP/IP stack (that make up UPnP) to reconfigure the router.

    I did the same thing! :D
     
  6. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    # The authors state that UPnP and flash are working the way they normally should and that this is not a security flaw per se but an implementation design error.
    Well, the way I see it, an implementation design error which leads to potential security problems is a security flaw. Call it what you will...

    aigle, the (harmless) POC is right at:

    http://www.gnucitizen.org/blog/hacking-the-interwebs

    Could you perform some tests?

    Let's analyze solutions to this problem:

    1- Block flash through use of Opera or NoScript for Firefox, or some IE add-on.

    Problems: - allowed trusted sites can be hacked without our knowledge
    - other web content platforms such as Java etc... may also be used to perform this thing with UPnP.

    2- New flash design without this security flaw.

    Problem: - Is it going to happen? Hardly. Even if so, when then?

    3- New UPnP implementation with strong authentication measures.

    Problem: - Is it going to happen? When?

    4- Turn off UPnP on the router.

    Problem: - UPnP is highly convenient for many applications such as IM clients, VOIP software, p2p clients etc, gaming consoles and more. To the vaaaaaaaaast majority, turning off UPnP and going the static IP/ manual port forward route will prove daunting.

    So the most important is: what can security software do at this point?
    Throw your suites, sandboxes, HIPS at it, see what comes up. The POC is in the link I gave above.

    (I am on very restricted setup for the time being and can not perform tests)

    For those knowledgeable on flash stuff, here is a link about the workings of one of the flash features that is involved in this UPnP mess:

    http://livedocs.adobe.com/flex/2/langref/flash/net/package.html#navigateToURL

    Let the testing begin.
     
  7. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Will disabling UPnP do the trick of preventing this exploit?
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    I don't see what the big deal is. Use manual configuration of ports, as Internet Gods intended. UPnP is for lazy people.
    Mrk

    P.S. My router came with UPnP disabled.
     
  9. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    @ acr1965: Yes, disabling UPnP on the router will prevent this exploit.

    @ Mrk: Not everyone who doesn't give a s**t about port forwarding, static IPs, network slang etc... can be considered lazy. Some people have better things to do than get lost on the marvellous world of internet complications.
    The idea behind UPnP is valid and, provided strong authentication measures are in place (which is not the case, unfortunately), UPnP can really make life easier.

    Anyway, from member ModemHead at DSL forums:

    "The proof-of-concept at this page is simply a sample piece of code and is not a "click-to-test" kind of thing. To prove the concept you would have to download the code, compile it with Adobe Flex and build a page with an embedded Flash object."

    So if someone knows of a - safe - page where such a test is embedded, let us know. Me, I know less than 0 on flash programming (and I couldn't care less, as I hate dynamical content), so I can not help here.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,
    I have always believed that computer usage should require a valid test and license. Just like driving. Not everyone can drive. Not everyone should use the computer.
    Mrk
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks, huangker & Jomsviking
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    me too! i double checked and my idiot router had it enabled by default. so i disabled it.
     
  13. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    LOL! Users definitely need to be educated. Look at storm worm, all social engineering.
     
  14. Dogbiscuit

    Dogbiscuit Guest

    Comrade Mrkvonic,

    These ideas will not be popular, but you have never courted popularity. ;)
     
  15. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    I fully agree with you.
    Sadly, it will never happen; too much $$$ to be made exploiting people's ignorance/naivety/good will/ lack of knowledge...
     
  16. herbalist

    herbalist Guest

    UPnP is also enabled on many DSL modems. Many of them are combined modem/router units. The last 2 modems my ISP supplied came with UPnP enabled. The same attack vector applies.

    Blocking flash is not the answer. It's probable that many active contents like Java, ActiveX, etc can be used for this. Users might not want the hassle of disabling UPnP and setting up static IPs, but that's the only real way to fix the problem. With anything less, you take your chances.

    Just so users understand what the consequences of malicious DNS can be, your browser, NoScript, etc will not realize that the site you're directed to by a malicious DNS server is not the trusted site it's supposed to be. The result is the same as hacking the trusted site itself.
    Rick
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    So it would appear that disabling UPnP in the router is the only way to go. I checked the other day, and mine is already disabled. Guess I did that a few years ago when I set it up.
     
  18. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I have never used UPnP in my life. Could it really be that useful?
     
    Last edited: Jan 21, 2008
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Hi,

    I don't have a router (only a DSL modem) and the UPnP service has been disabled for years on my machine, so do I have to worry, am I still at risk?
     
  20. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    what about just disabling the UPnP in services of Vista?
     
  21. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    No, even with this service disabled, your windows box can still configure a upnp enabled router.
     
  22. Jomsviking

    Jomsviking Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    55
    The router's UPnP implementation and Windows' own UPnP implementation are two different things.
    The security problem we discuss here takes advantage of the router's UPnP implementation weaknesses (no authentication etc...), and will in principle not be affected by disabling the UPnP framework services in windows (SSDP Discovery Service and UPnP Device Host).
    So, to defeat this security problem, measures must be taken at the router level.

    Rasheed187, I think you are safe.
     
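    The posts above keep coming back to one practical check: whether the router itself (not Windows' own UPnP services) is still advertising the UPnP Internet Gateway Device that the attack talks to, and whether switching it off in the router's admin page actually took effect. The following audit script is an added example, not code from this thread or from the GNUCitizen research. It sends one standard SSDP M-SEARCH for the IGD device type and reports any gateway that answers; the `SAMPLE_IGD_REPLY` and `SAMPLE_MEDIA_REPLY` strings are constructed test data (the IP addresses and UUIDs in them are made up), and the discovery itself only reads what the router already broadcasts to every machine on the LAN.

```python
"""Audit whether a LAN gateway still advertises UPnP IGD (SSDP discovery only, read-only)."""
import socket
from typing import Dict, List, Optional

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# Constructed sample replies (not captured from any real device):
# one from a router that has UPnP IGD enabled, one from a media server that is
# a UPnP device but not a gateway and therefore not relevant to this attack.
SAMPLE_IGD_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:49152/gatedesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleIGD/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)
SAMPLE_MEDIA_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.0.2.20:8200/rootDesc.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000002::"
    b"urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n"
)


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH request defined by the UPnP Device Architecture."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP unicast reply into lower-cased headers; None if it is not a 200 reply."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        headers[key.strip().lower()] = value.strip()
    return headers


def is_igd(headers: Dict[str, str]) -> bool:
    """True when the reply advertises an InternetGatewayDevice (the device the attack targets)."""
    ident = (headers.get("st", "") + " " + headers.get("usn", "")).lower()
    return "internetgatewaydevice" in ident


def audit_replies(replies: List[bytes]) -> List[str]:
    """Return the LOCATION URLs of every reply that comes from a UPnP gateway."""
    found = []
    for raw in replies:
        headers = parse_ssdp_response(raw)
        if headers and is_igd(headers):
            found.append(headers.get("location", "<no LOCATION header>"))
    return found


def discover(timeout: float = 2.0) -> List[bytes]:
    """Send one M-SEARCH and collect raw replies from the LAN (needs a network; not exercised offline)."""
    replies: List[bytes] = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, _addr = sock.recvfrom(4096)
            replies.append(data)
    except (socket.timeout, OSError):
        pass  # timeout ends collection; OSError covers hosts with no multicast route
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    gateways = audit_replies(discover())
    if gateways:
        print("UPnP IGD is still enabled on:", ", ".join(gateways))
    else:
        print("No UPnP gateway answered; UPnP appears to be off on this LAN.")
```

    Run it once before and once after disabling UPnP in the router's configuration page: the first run should list the gateway's description URL, the second should report nothing. A reply from a media server or printer is ignored on purpose, since only an InternetGatewayDevice exposes the WAN port-mapping service the thread is about.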
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK thanks for the info, so if you haven't got a router you're not at risk at all? I wonder why some people made it sound like it was the end of the world then, without even mentioning this fact. :rolleyes:
     
  24. herbalist

    herbalist Guest

    DSL and cable modems often have routers built into them. This is not limited to free standing routers only. Anything that uses UPnP is also vulnerable. This includes ISP supplied equipment over which you do not have any control.
    Rick
     