
[Alert] Flash UPnP Attack

Discussion in 'General Discussion' started by bokh, Jan 15, 2008.

  1. bokh

    bokh Network Guru Member

    FYI - read the http://www.gnucitizen.org/blog/flash-upnp-attack-faq

    From this FAQ I quote what might be important to know for Linksys-users:

    UPnP hacking is an extremely serious discipline which often leads to a catastrophic effect. The following is possible with UPnP:
    • portforward internal services (ports) to the router external facing side (a.k.a poking holes into your firewall and/or network)
    • portforward the router web administration interface to the external facing side.
    • port forwarding to any external server located on the Internet, effectively turning your router into a zombie: the attacker can attack an Internet host via your router, thus hiding their IP address (not all routers are affected by this, but most are)
    • change the DNS server settings so that next time when the victim visits bank.com, they actually end up on evil.com masqueraded as bank.com
    • change the DNS server settings so that the next time when the victim updates their favorite Firefox extensions, they will end up downloading evil code from evil.com which will root their system.
    • reset/change the administrative credentials
    • reset/change the PPP settings
    • reset/change the IP settings for all interfaces
    • reset/change the WiFi settings
    • terminate the connection
    In the end, according to this guy it's best to stop using UPnP and get back to portforwarding instead...

    Just thought you all might be interested.
     
  2. jchuit

    jchuit Network Guru Member

    security

    At the moment I read a lot about security and UPnP.

    There are of course security hazards, but if the UPnP service on the router is well configured then there should be no problem.

    The Tarifa firmware uses miniUPnPd and has the following setup:

    ext_ifname=vlan1
    listening_ip=192.168.1.1
    port=5000
    enable_natpmp=yes
    bitrate_up=100000000
    bitrate_down=100000000
    system_uptime=yes
    notify_interval=30
    clean_ruleset_interval=0
    uuid=fc4ec57e-????-000f-6651-57ef01????????
    allow 1024-65535 192.168.1.1/24 1024-65535
    deny 0-65535 0.0.0.0/0 0-65535



    Meaning miniUPnPd can only be on the vlan1 interface with IP address range from 192.168.1.0 to 192.168.1.254 and only ports 1024 to 65535 are allowed.

    portforward internal services (ports) to the router external facing side (a.k.a poking holes into your firewall and/or network) = Only vlan1, the wan port is blocked.

    portforward the router web administration interface to the external facing side.
    = Not possible only port 1024 and higher

    port forwarding to any external server located on the Internet, effectively turning your router into a zombie: the attacker can attack an Internet host via your router, thus hiding their IP address (not all routers are affected by this, but most are) = ?? Maybe someone has an idea how?

    change the DNS server settings so that next time when the victim visits bank.com, they actually end up on evil.com masqueraded as bank.com
    change the DNS server settings so that the next time when the victim updates their favorite Firefox extensions, they will end up downloading evil code from evil.com which will root their system. = DNS port can not be forwarded

    reset/change the administrative credentials
    reset/change the PPP settings
    reset/change the IP settings for all interfaces
    reset/change the WiFi settings
    = ?? how?

    terminate the connection = only possible if the daemon authorises this, but miniUPnP doesn't (the original Linksys UPnP doesn't either).

    The latest Tarifa firmware (032RC1) has an option to auto-delete old UPnP mappings, which is a security improvement.

    I hope this info helps!

    Greetings,
    jchuit
    http://tarifa.sourceforge.net/
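The post above argues that the allow/deny lines in the miniUPnPd configuration are what keep a LAN client from mapping the web administration port or DNS to the WAN side. The following is an added example, not code from Tarifa or from the miniUPnPd project, that parses rules in the `allow|deny <ext ports> <int address>/<mask> <int ports>` form shown in the post and evaluates sample mapping requests against them, first matching rule wins. Treating "no rule matched" as a denial is this example's own conservative choice; with the trailing `deny 0-65535 0.0.0.0/0 0-65535` from the posted config every request matches some rule anyway. The mapping requests are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Configuration quoted from the post above (uuid line omitted, it carries no policy).
TARIFA_CONF = """
ext_ifname=vlan1
listening_ip=192.168.1.1
port=5000
enable_natpmp=yes
allow 1024-65535 192.168.1.1/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    ext_ports: Tuple[int, int]       # inclusive external (WAN-side) port range
    network: ipaddress.IPv4Network   # internal clients the rule applies to
    int_ports: Tuple[int, int]       # inclusive internal (LAN-side) port range


def _parse_range(text: str) -> Tuple[int, int]:
    """'1024-65535' -> (1024, 65535); a single port '80' -> (80, 80)."""
    lo, hi = (int(p) for p in text.split("-", 1)) if "-" in text else (int(text),) * 2
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def parse_rules(config_text: str) -> List[Rule]:
    """Pull the allow/deny lines out of miniupnpd.conf-style text, preserving order."""
    rules: List[Rule] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("allow", "deny") or len(parts) != 4:
            continue  # key=value settings are not permission rules
        action, ext, addr, internal = parts
        # strict=False drops host bits, so 192.168.1.1/24 is read as 192.168.1.0/24
        network = ipaddress.ip_network(addr, strict=False)
        rules.append(Rule(action, _parse_range(ext), network, _parse_range(internal)))
    return rules


def mapping_allowed(rules: List[Rule], ext_port: int, client_ip: str, int_port: int) -> bool:
    """First rule matching all three fields decides; no match is treated as deny here."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r.ext_ports[0] <= ext_port <= r.ext_ports[1]
                and ip in r.network
                and r.int_ports[0] <= int_port <= r.int_ports[1]):
            return r.action == "allow"
    return False  # conservative default chosen for this example


# Constructed AddPortMapping requests: (external port, requesting client, internal port, label)
SAMPLE_REQUESTS = [
    (80,   "192.168.1.50", 80,   "expose router web admin"),
    (53,   "192.168.1.50", 53,   "expose DNS"),
    (8080, "192.168.1.50", 8080, "game/P2P client on a high port"),
    (8080, "10.0.0.5",     8080, "client outside the LAN range"),
    (8080, "192.168.1.50", 80,   "high external port onto internal port 80"),
]


def audit_requests(rules: List[Rule], requests) -> List[Tuple[str, bool]]:
    """Return (label, allowed) for each request so the policy outcome is inspectable."""
    return [(label, mapping_allowed(rules, ext, ip, internal))
            for ext, ip, internal, label in requests]


if __name__ == "__main__":
    policy = parse_rules(TARIFA_CONF)
    for label, ok in audit_requests(policy, SAMPLE_REQUESTS):
        print(f"{'ALLOW' if ok else 'DENY ':5}  {label}")
```

Running it shows only the high-port request from a 192.168.1.x client getting through; the web admin and DNS mappings, the request from outside the LAN range, and the mapping onto internal port 80 all fall to the deny rule, which is the behaviour the post describes for Tarifa's setup.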
     
  3. mstombs

    mstombs Network Guru Member

    It appears the full upnp spec for example

    http://www-adele.imag.fr/users/Didi...mentModel.html#setDNSServer(java.lang.String)

    allows the router to be configured remotely from the PC - I think Linksys CDs use upnp?

    The UK BT home-hub has been hacked on various occasions...

    http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4

    I'm fairly sure Hyperwrt etc as well as Miniupnp only implement the essential port forwarding aspects of upnp - but the BT home hub is a Broadcom chipset...
     
  4. 1mongo

    1mongo Guest

    Looks like I might need to turn off UpNP.

    If I portforward do I need to setup a DHCP reservation to keep the same IP to device?

    thanx
     
