ALERT: Routers are vulnerable to new Flash UPnP attack (other devices as well)!

 
 
John Navas

 
      01-15-2008, 11:45 PM
<http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/>

Security mavens have uncovered a design flaw in most home routers
[actually in UPnP] that allows attackers to remotely control the
devices by luring an attached computer to a booby-trapped website.

The weakness could allow attackers to redirect victims to fraudulent
destinations that masquerade as trusted sites belonging to banks,
ecommerce companies or health care organizations. The exploit works
even if a user has changed the default password of the router. And it
works regardless of the operating system or browser the computer
connected to the device is running, as long as it has a recent
version of Adobe Flash installed.

"This is a huge problem," Adrian Pastor, of the prolific hacking
organization GNUCitizen, said in an instant message.

The problem resides in Universal Plug and Play, a feature built in to
most routers used for home networks so machines running games,
instant messaging programs and other applications will work
seamlessly with the devices. By exposing an end user to a malicious
Flash file lurking on a website, attackers can use UPnP, as the
technology is usually called, to make significant modifications to
the router.

The most serious change that's possible is changing the server
PCs connected to the router use to access websites. That might cause
a victim trying to access eBay or Bank of America to see spoofed
pages that steal their login credentials.

The hack could also allow attackers to open ports on a victim's
router. That would be useful in turning a router into what would
amount to a zombie machine by forwarding ports to an external server.

The weakness, which works using the navigatetoURL function and
URLRequest object specified in Flash, isn't a security flaw within
Flash, the researchers say. Rather they are design flaws in UPnP,
which doesn't use authentication. PCs using virtually any platform
and browser will change router settings, as long as they run version
8 or higher of Flash.

Routers made by Linksys, Dlink and SpeedTouch have been confirmed to
be vulnerable, and other manufacturers' products are also likely
susceptible to attack, the researchers said. Most routers have UPnP
turned on by default. The only way to prevent the attack is to turn
the feature off, something that is possible with some, but not all,
devices.

"Flash UPnP Attack FAQ"
<http://www.gnucitizen.org/blog/flash-upnp-attack-faq>

How would you rate the issue?
HIGHLY SEVERE! Turn UPnP off!

"Hacking The Interwebs"
<http://www.gnucitizen.org/blog/hacking-the-interwebs>

 
Reply With Quote
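
As an added example (not part of the original post or the quoted article): a defender-side audit of a router's UPnP port-mapping table that flags the change described above, a port forwarded to a host outside the LAN. The replies are constructed sample data in the shape of a WANIPConnection `GetGenericPortMappingEntry` response; the function names and the LAN range are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

def sample_reply(client, ext_port, proto, enabled="1"):
    """Constructed reply in the shape of GetGenericPortMappingEntryResponse."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{ext_port}</NewExternalPort>
   <NewProtocol>{proto}</NewProtocol>
   <NewInternalPort>{ext_port}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient>
   <NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>constructed</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

# Constructed table: a LAN forward, a forward to an outside host, a disabled entry.
SAMPLE_TABLE = [
    sample_reply("192.168.1.20", 6881, "TCP"),
    sample_reply("203.0.113.7", 8080, "TCP"),   # documentation address
    sample_reply("203.0.113.9", 53, "UDP", enabled="0"),
]

def parse_mapping(soap_xml):
    """Return the fields of one port-mapping reply as a dict."""
    body = ET.fromstring(soap_xml).find("{http://schemas.xmlsoap.org/soap/envelope/}Body")
    return {child.tag: (child.text or "").strip() for child in body[0]}

def audit(replies, lan="192.168.1.0/24"):
    """List enabled mappings whose internal client is not an address on the LAN."""
    net = ipaddress.ip_network(lan)
    findings = []
    for reply in replies:
        m = parse_mapping(reply)
        client = m.get("NewInternalClient", "")
        try:
            on_lan = ipaddress.ip_address(client) in net
        except ValueError:  # hostname or malformed value: treat as suspect
            on_lan = False
        if m.get("NewEnabled") == "1" and not on_lan:
            findings.append((m.get("NewProtocol"), int(m["NewExternalPort"]), client))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_TABLE))
```

The LAN range is passed explicitly rather than relying on `is_private`, which Python also reports as true for documentation and other reserved ranges.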
 
 
 
 
Unk

 
      01-16-2008, 04:15 AM
On Wed, 16 Jan 2008 00:45:40 GMT, John Navas <(E-Mail Removed)> wrote:

><http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/>
>

Thanks.

If anyone's interested: To turn off UPnP in the Linksys router, log on to your router's
Administration, Management section with Internet Explorer,
check the box, UPnP Disable, and click the "Save Settings" button.
Direct link - <http://192.168.1.1/Manage.htm>
 
Reply With Quote
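
A way to confirm that the setting took effect, as an added example that is not part of the original post: send one SSDP search for an Internet Gateway Device from a machine on the LAN and list whatever still answers. The sample datagrams and their LOCATION URLs are constructed so the parser can be exercised offline; the function names are assumptions.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
).encode()

# Constructed sample datagrams (not captured traffic) for offline use.
SAMPLE = [
    b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:49152/gatedesc.xml\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    b"LOCATION: http://192.168.1.50:8200/desc.xml\r\n\r\n",
    b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n",
]

def parse_ssdp(datagram):
    """Headers (upper-cased names) of one SSDP search response, else None."""
    lines = datagram.decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    pairs = (line.partition(":") for line in lines[1:])
    return {name.strip().upper(): value.strip() for name, sep, value in pairs if sep}

def gateways(datagrams):
    """Description URLs of every responder that identifies as an Internet gateway."""
    found = set()
    for datagram in datagrams:
        headers = parse_ssdp(datagram)
        if headers and "InternetGatewayDevice" in headers.get("ST", ""):
            found.add(headers.get("LOCATION", "(no LOCATION header)"))
    return sorted(found)

def discover(timeout=3.0):
    """Send one M-SEARCH on the local network and collect replies until timeout."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                replies.append(sock.recvfrom(4096)[0])
        except socket.timeout:
            return replies

if __name__ == "__main__":
    found = gateways(discover())
    print("UPnP gateway still answering:" if found else "No UPnP gateway answered.", *found)
```

An empty result only means that no gateway answered discovery within the timeout, so run it before and after changing the setting to compare.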
 
George

 
      01-16-2008, 06:03 PM
John Navas wrote:

>
> "Flash UPnP Attack FAQ"
> <http://www.gnucitizen.org/blog/flash-upnp-attack-faq>
>
> How would you rate the issue?
> HIGHLY SEVERE! Turn UPnP off!
>


I said that the first time when I heard MS developed UPnP and how it
would allow anything to automatically reconfigure a router.



> "Hacking The Interwebs"
> <http://www.gnucitizen.org/blog/hacking-the-interwebs>
>

 
Mark McIntyre

 
      01-16-2008, 07:32 PM
John Navas wrote:
> <http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/>
>
> Security mavens have uncovered a design flaw in most home routers
> [actually in UPnP]


As far as I'm concerned, their research could have stopped right there.
uPnP is a huge massive flaw in itself, a hole waiting to be crawled
into. Weaknesses in the protocol or implementation wane into
insignificance...
 
John Navas

 
      01-16-2008, 07:57 PM
On Wed, 16 Jan 2008 14:03:06 -0500, George <(E-Mail Removed)> wrote
in <(E-Mail Removed)>:

>John Navas wrote:
>
>> "Flash UPnP Attack FAQ"
>> <http://www.gnucitizen.org/blog/flash-upnp-attack-faq>
>>
>> How would you rate the issue?
>> HIGHLY SEVERE! Turn UPnP off!

>
>I said that the first time when I heard MS developed UPnP and how it
>would allow anything to automatically reconfigure a router.


Microsoft, the company you love to hate, isn't the issue. UPnP does
have security, but implementing that security is a bit complex, so most
hardware vendors don't bother.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
 
John Navas

 
      01-17-2008, 01:00 AM
On Wed, 16 Jan 2008 20:32:12 +0000, Mark McIntyre
<(E-Mail Removed)> wrote in
<(E-Mail Removed)>:

>John Navas wrote:
>> <http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/>
>>
>> Security mavens have uncovered a design flaw in most home routers
>> [actually in UPnP]

>
>As far as I'm concerned, their research could have stopped right there.
>uPnP is a huge massive flaw in itself, a hole waiting to be crawled
>into. Weaknesses in the protocol or implementation wane into
>insignificance...


UPnP can actually be made quite secure. The problem is that most
hardware companies don't bother.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
 
seaweedsteve

 
      01-17-2008, 10:42 AM
On Jan 16, 8:00 pm, John Navas <spamfilt...@navasgroup.com> wrote:
> On Wed, 16 Jan 2008 20:32:12 +0000, Mark McIntyre
> <markmcint...@spamcop.net> wrote in
> <13osqecde1l5...@corp.supernews.com>:
>
> >John Navas wrote:
> >> <http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/>

>
> >> Security mavens have uncovered a design flaw in most home routers
> >> [actually in UPnP]

>
> >As far as I'm concerned, their research could have stopped right there.
> >uPnP is a huge massive flaw in itself, a hole waiting to be crawled
> >into. Weaknesses in the protocol or implementation wane into
> >insignificance...

>
> UPnP can actually be made quite secure. The problem is that most
> hardware companies don't bother.
>
> --
> Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
> John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>




OK. I just turned it off on our router. Does this mean that I will
simply have to do manual port forwarding from now on for each and
every user and program? And what about DHCP? Should I also assign
all addresses?

PITA, but...

Any other suggestions for how to manage this for a dozen users on a
router?

Steve
 
John Navas

 
      01-17-2008, 03:31 PM
On Thu, 17 Jan 2008 03:42:12 -0800 (PST), seaweedsteve
<(E-Mail Removed)> wrote in
<9cacaba8-e048-4c05-a10f-(E-Mail Removed)>:

>On Jan 16, 8:00 pm, John Navas <spamfilt...@navasgroup.com> wrote:


>> UPnP can actually be made quite secure. The problem is that most
>> hardware companies don't bother.


>OK. I just turned it off on our router. Does this mean that I will
>simply have to do manual port forwarding from now on for each and
>every user and program?


Yes, but only if needed, which usually is only the case for (illicit)
filesharing. Automatic router operation works fine for the vast
majority of applications.

>And what about DHCP? Should I also assign
>all addresses?


DHCP isn't affected.

>PITA, but...


You probably won't notice at all that UPnP has been turned off unless
someone complains about filesharing not working as well.

>Any other suggestions for how to manage this for a dozen users on a
>router?


Be relieved that you've protected both you and the dozen users.

--
Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
 
Mark McIntyre

 
      01-17-2008, 06:16 PM
seaweedsteve wrote:
> On Jan 16, 8:00 pm, John Navas <spamfilt...@navasgroup.com> wrote:
>> On Wed, 16 Jan 2008 20:32:12 +0000, Mark McIntyre
>> <markmcint...@spamcop.net> wrote in
>> <13osqecde1l5...@corp.supernews.com>:
>>
>>> John Navas wrote:
>>>> <http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/>
>>>> Security mavens have uncovered a design flaw in most home routers
>>>> [actually in UPnP]
>>> As far as I'm concerned, their research could have stopped right there.
>>> uPnP is a huge massive flaw in itself, a hole waiting to be crawled
>>> into. Weaknesses in the protocol or implementation wane into
>>> insignificance...

>> UPnP can actually be made quite secure. The problem is that most
>> hardware companies don't bother.
>>
>> --
>> Best regards, FAQ for Wireless Internet: <http://Wireless.wikia.com>
>> John Navas FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
>> Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
>> Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>

>
>
>
> OK. I just turned it off on our router. Does this mean that I will
> simply have to do manual port forwarding from now on for each and
> every user and program?


99.999% of programmes don't need port forwarding - you only need that if
some remote application is trying to connect to you, without you first
asking it to.

For instance I have port forwarding set up for the mailserver,
webserver, voip gateway and that's it. No other app I or any of my family
or even our lodger uses requires ports to be forwarded.

>And what about DHCP? Should I also assign all addresses?


Not relevant to DHCP.

> Any other suggestions for how to manage this for a dozen users on a
> router?


Don't let them waste your bandwidth with dodgy P2P?
 
chessucat

 
      01-18-2008, 01:19 AM
X-No-Archive: yes
On Jan 16, 9:00 pm, John Navas <spamfilt...@navasgroup.com> wrote:
>
> UPnP can actually be made quite secure. The problem is that most
> hardware companies don't bother.
>


You mean security like this? SOAP is too hard, the security is BS!

<http://www.upnp.org/standardizeddcps/security.asp>

<chessucat twitches>
 