Comments on: BT Home Flub: Pwnin the BT Home Hub (5) – exploiting IGDs remotely via UPnP

By: ocean

ocean — Wed, 15 Apr 2009 10:21:21 +0000

great post. hey anybody know how to exploit NAT in router. Port forwarding is also best way to exploit router

By: CERT Polska » Blog Archive » Urz?dzenia korzystaj?ce z UPnP s? podatne na ataki

Fri, 10 Oct 2008 13:31:10 +0000

[...] http://www.gnucitizen.org (opis problemu) isc.sans.org http://www.gnu citixen.org [...]

By: Adrian 'pagvac' Pastor

Adrian 'pagvac' Pastor — Tue, 29 Jul 2008 23:31:28 +0000

@anonymous: that question is NOT dumb at all! The only reason why it’s possible to contact an internal system (home router in this case) is because:

1. you visit evil.com which loads HTML/JS code in your browser
2. your browser executes such code
3. since your browser is located in the *internal* network (LAN), it CAN communicate with your home router, even if the HTTP service is only available internally

In other words: your browser becomes your worst enemy. It’s nothing else than a proxy which links both the external world (WAN/Internet) and the internal one (LAN/intranet).

Makes sense? Let me know if you have any other questions.

By: anonymous

anonymous — Tue, 29 Jul 2008 01:00:10 +0000

Hi,

This must sound really dumb to you guys but I have to ask it .. how are you allowed to make a request to 192.*.* if you are from some evil.com site?

By: Holes in Embedded Devices: Authentication bypass (pt 2) » Inking’s Security Blog

Sat, 16 Feb 2008 02:44:20 +0000

[...] http://www.gnucitizen.org/blog.....-interwebs http://www.gnucitizen.org/blog.....home-hub-5 [...]

By: catweazle

catweazle — Sat, 19 Jan 2008 00:03:11 +0000

DUH! Am so confused reading all the above have answered my own question! Of course this will happen! Sorry.

By: catweazle

catweazle — Fri, 18 Jan 2008 23:48:52 +0000

gool: I run an Alcatel Speedtouch 510 (4.3.2.6.0 firmware; 9 volt supply version)router and set it to disable UPnP, turned firewall on to standard level and when I retrieve your link it opens the 510 Connectivity Check menu window.

This is quite scary as I thought UPnP was blocked by the 510. What ‘should’ your link do? (Using Mac OS Leopard)

By: pdp

pdp — Wed, 16 Jan 2008 19:46:24 +0000

gool, the UPnP attack does work on the latest firmware.

By: gool

gool — Wed, 16 Jan 2008 19:19:05 +0000

i found that u can get straight to menu in last firmware without serial chk but it will ask for user and password

http://192.168.1.254/cgi/b/con.....#038;l1=-1

hope can find bug in laste firmware, UPnP attack dosent work on last firmware E

By: BT Home Hub Vulnerable - Security exploits - PoC « Another rambling…

BT Home Hub Vulnerable - Security exploits - PoC « Another rambling… — Tue, 15 Jan 2008 11:45:55 +0000

[...] http://www.gnucitizen.org/blog.....home-hub-5 [...]

By: Adrian Pastor

Adrian Pastor — Sat, 12 Jan 2008 00:40:49 +0000

Hi Mark. I’m a bit confused about your comment. Changing passwords shouldn’t make a difference on this exploit as the payload uses a UPnP which is a authentication-less protocol (no password required!).

Please elaborate so I can understand your problem better.

By: pdp

pdp — Fri, 11 Jan 2008 17:45:45 +0000

10x for the info. through, I am not sure whether it is me, but how is that related to the hack discussed above.

By: Mark

Mark — Fri, 11 Jan 2008 17:43:12 +0000

Bt have kindly updated HH to version E, if you changed your password from the default (please!) the exploit now just goes into a loop with no changes made. AFAIK the HH now requires a serial number input in order to change the pass also.

By: rezn

rezn — Fri, 11 Jan 2008 15:26:30 +0000

UPNP requests executed via DNS Rebinding sounds like a really ugly thing. One that wouldn’t be difficult to code up into a convenient little applet.

By: Steal His Wi-Fi | GNUCITIZEN

Steal His Wi-Fi | GNUCITIZEN — Fri, 11 Jan 2008 07:01:27 +0000

[...] think about it: who gives a darn about compromising your computer when you can change the DNS settings on most consumer routers without a password via UPnP? We’ve said it before here at GNUCITIZEN: people are stuck on the [...]

By: Adrian Pastor

Adrian Pastor — Thu, 10 Jan 2008 22:28:15 +0000

Something that worries me about many network devices that support UPnP is that when you change settings via UPnP they sometimes cannot be undone via the web console! Instead you need to undo them via UPnP.

By: Hacking with UPnP (Universal Plug and Play) | GNUCITIZEN

Hacking with UPnP (Universal Plug and Play) | GNUCITIZEN — Thu, 10 Jan 2008 11:47:08 +0000

[...] We simply expose how UPnP works and how it can be attacked. Though, Adrian has a very interesting research coming up which I think will make you flip out. HE SHOWS HOW TO EXPLOIT UPNP REMOTELY EVEN WHEN NO [...]