Comments on: Flash UPnP Attack FAQ

By: tinker

tinker — Sun, 08 Jun 2008 20:16:29 +0000

Any of the folks saying this is not a dangerous vulnerability have no idea what turning your net appliance (router, etc) into a zombie means…

If evil.x can control your router, safeguards or info on your system devices (storage, computers, etc)are irrelevant to the biggest danger… your router becomes capable of being an agent in DOS attacks, anonomous-routing of terrorist net traffic, becoming an apparent server for child-porn, any number of which could put YOU in JAIL, with no way of defending yourself, because you left your system available for evil.x to use for their purposes. If nothing else, you immediately become the suspect in a high level investigation that BEGINS with confiscation of all of your equipment that could have been hooked up to that system(computers, servers, digital cameras…)

I just read of one open source developer who works off his laptop, snagged a discarded laptop from the trash, then when rebuilding that drive while connected to his working laptop he found it contained child porn. His working laptop (not just the drive) was confiscated by the police so forensics could find out if the files had originated from HIS computer, even though he was the one who turn in the complaint… he was unable to maintain his open-source software for several MONTHS until he could get re-imbursed for his system and get another one.

Leaving the router open to flash-uPnP attack is sort of like leaving your keys in your car, with it running, while you go into the bank, which just happens to be held up and then they snag your car for the getaway, running someone over on their way out… now prove you were not part of that robbery and murder.

By: All calls being sent to Voicemail - Page 2 - Voxalot / SIP Broker Support Forums

All calls being sent to Voicemail - Page 2 - Voxalot / SIP Broker Support Forums — Mon, 26 May 2008 04:00:13 +0000

[...] Some clarification on my earlier post. I always opt for the simpler solutions wherever I can, and I fully endorse CTylor’s comments regarding letting STUN do the router sorting out. My suggestion was primarily to address the problems I experienced when the same Voxalot account was logged onto by 2 or more ATAs/SIP phones operating behind the same public IP address. For all I know, the problems may have been due to the particular router and SIP devices being used. For a single ATA, I have generally found that using just DHCP & STUN is sufficient, without the need of any port forwarding. For multiple devices logging onto different SIP services (Eg. Voxalot and FWD), STUN is also usually sufficient. For whatever it is worth, Wikipedia states that "STUN will not work with Symmetric NAT". Simple traversal of UDP over NATs - Wikipedia, the free encyclopedia A word of caution regarding uPnP - Earlier this year, there were reports about a security flaw when using uPnP, and I have not found any indication that this is resolved. Severe UPnP Flaw Allows Router Hijacking — Computer Security — InformationWeek Flash UPnP Attack FAQ | GNUCITIZEN [...]

By: Inseguridad en UPnP. » Vida Casi Digital

Inseguridad en UPnP. » Vida Casi Digital — Fri, 11 Apr 2008 20:11:14 +0000

[...] Flash UPnP Attack FAQ: http://www.gnucitizen.org/blog/flash-upnp-attack-faq/ [...]

By: Cross-site File Upload Attacks | GNUCITIZEN

Cross-site File Upload Attacks | GNUCITIZEN — Thu, 21 Feb 2008 12:15:42 +0000

[...] already proved that various forms of home routers can be entirely compromised and zombiefied by forging UPnP requests with flash. Now I will show you that file uploading facilities can be attacked in a similar way. Let’s [...]

By: Holes in Embedded Devices: Authentication bypass (pt 2) » Inking’s Security Blog

Sat, 16 Feb 2008 02:43:40 +0000

[...] http://www.gnucitizen.org/blog/call-jacking http://www.gnucitizen.org/blog/flash-upnp-attack-faq http://www.gnucitizen.org/blog/hacking-the-interwebs [...]

By: InvisiBill

InvisiBill — Sun, 03 Feb 2008 20:15:04 +0000

@Frankum:
UPnP doesn’t do any special port-forwarding that you can’t do manually (excluding UI limitations in the client or router). If you have 5 copies of MSN working with UPnP, then UPnP is having the copy at x.x.x.1 use port 10001, x.x.x.2 use port 10002, x.x.x.3 use port 10003, etc.

As long as you can set the router to forward port 10001 to x.x.x.1 and can set the client to listen on port 10001, then it will work just fine when you configure it manually. You just have to make the router and client match. Depending on the application though, it may or may not be easy/possible to configure which port it listens on. I have yet to hear of a router that supports UPnP port-forwarding and not manual port-forwarding (though I’m sure some cheapo model out there touts that as a feature). Also, the number of ports the app uses will directly relate to the annoying factor - it’s not a big deal to forward 1 port for 5 clients, but when each copy wants to use 20 ports it will get really annoying.

By: pdp

pdp — Wed, 30 Jan 2008 15:02:26 +0000

wintermute, if someone changes your DNS they will be able to do a lot more then just forcing to visit a site. They will be able to push down malicious extensions or perform easily the Skype vulnerability that we talked at GNUCITIZEN not that long time ago.

Also, port forwarding can be quite bad as well. In some cases you can port forward the router’s own Web interface in which case you are making it public for attackers. Combine that with the fact that some models allow you to reset the admin credentials through UPnP, then you have a real issue. Opening port forwards to your own machine is interesting but as you said might not be valuable.

Exposing your router on the Internet is immense security problem. Changing DNS is also a huge security problem. Some routers even allow you to do more stuff.

By: wintermute

wintermute — Wed, 30 Jan 2008 13:45:16 +0000

To me, this attack still seems more of an interesting curiosity than something to be worried about.

I can see that the Flash UPnP attack works as described, but I can’t see how an attacker could leverage it to take over my PC.

The scenario where an attacker changes your DNS server is touted as the worst - it lets him force you into visiting his site (e.g. for browser exploit) via the bad DNS. But he must have *already* been able to dupe you into visiting his site in order to view the SWF in the first place!

As for adding port forwarding rules - big deal. I can see how it would make me vulnerable e.g. if I was running a file server or something. But most home users (i.e. Windows) won’t be running such services themselves, and the out-of-the-box system services (e.g. port 445) will be protected by the host’s own firewall (ICF and maybe others).

I’m happy to be corrected, as always!

By: Adam Oellermann

Adam Oellermann — Sat, 26 Jan 2008 10:42:49 +0000

I have a cheap Safecom ADSL modem/router (Conexant chipset) which doesn’t have UPnP support at all. There must be millions of these boxes in circulation, so I think the “99% of routers at risk” statistic is perhaps a bit high.

Of course, I don’t trust little black boxes; I have an IPtables firewall on a Linux box and use dnsmasq on another Linux box for caching DNS - my router is just shifting packets back and forth. Trusting your network security to a closed-source device seems short-sighted to me.

By: pdp

pdp — Tue, 22 Jan 2008 20:13:34 +0000

Th3ChaS3r, yes! If you are already inside the network where the UPnP device is located you can just start sending UPnP requests. However, the here presented method is useful when attacking from outside. This is the most important difference.

By: Th3ChaS3r

Th3ChaS3r — Tue, 22 Jan 2008 17:38:10 +0000

This is indeed a very good find, and with me personally owning a HomeHub I am taking this very seriously myself. I am not sure whether a user HAS to visit a website with a script on it. This for me seems like it will work from ANY device connected to the network correct? So if someone connected to an open network is there the possibility that a spoofed message can be sent to the router to do all of these same requests? Just me thinking allowed.

By: Ros

Ros — Tue, 22 Jan 2008 11:20:24 +0000

I have a Belkin F5D7230-4 wireless router which ships with UPnP disabled, I’ve never had a problem with Skype or anything else. Thanks for making me aware of the UPnP situation.

By: pdp

pdp — Sat, 19 Jan 2008 12:35:23 +0000

Thanks for the comment A,

I see your point. The thing with the Flash UPnP attack is that it is not obvious. This means that even if you get hacked, you won’t see it. Some UPnP settings are not visible from the Web Interface, therefore, we cannot provide with a good explanation on how to detect whether you have been hacked.

I am personally not aware of anyone using the attack vector at the moment. But this does not mean that we should not take care of it or even treated as a serious risk. Maybe, there are already some individual cases but it will take weeks if not months for the real criminals to start taking advantage of it. I wont be surprised if it gets included into MPACK, WebAttacker, or Storm.

Therefore, this type of issue needs to be fixed now, or at least we should make sure that everyone is aware of it so that there are no nasty surprises at the end.

By: Andy RSS

Andy RSS — Sat, 19 Jan 2008 10:32:16 +0000

Mind me asking - you speak a lot about the threat of and the possibility of - can you give any examples where it’s actually happened?

What’s the risk on this? I’m a home user with nothing interesting on my machine (apart from some creative pr0n, but what’s the intahwebb without creative pr0n, eh?) and i don’t blaze a trail of downloads and blogs and stuff, so i wouldn’t consider myself “visible” as such - how many cases are you aware of where this has happened?

I see lots of posts regarding problems with the fix but not one post about problems regarding actually suffering from this exploit - is it common ground that will be splashed about as easily as Sub-7 or B.O. or is it something that would require plenty of skill and knowledge and, therefore, just wouldn’t be worth the effort unless the programmer was just broken in the head.

On that note, advertisers using flash banners/ads are surely responsible for the content of them ads as they are distributing them, right?

It’s not our problem guys and unless it starts hitting the net like a plague, whilst i admire your research (the amount of stuff that has gone completely over my head is testament to your dedication and understanding of the situation), this is an exploit that should be addressed by Adobe, should cause concerns for ad-companies and domain providers and we shouldn’t have to concern ourselves with it at all, unless we’re making ourselves a target for this kind of mal-ware.

Cheers for the info though, top work on that

By: B.Patten-Walsh

B.Patten-Walsh — Fri, 18 Jan 2008 20:37:57 +0000

My Draytek Vigor 2500 series has UPnP disabled by default. no problemns with p2p or msn encountered

By: CSRF over Flash « Reasons to Fear the Matrix

CSRF over Flash « Reasons to Fear the Matrix — Fri, 18 Jan 2008 20:11:23 +0000

[...] over Flash With great interest I read the research and the corresponding FAQ by pdp and pagvac at GNUCitizen about UPnP insecurity. In a nutshell they found out that with Adobe [...]

By: Frankum

Frankum — Fri, 18 Jan 2008 10:28:13 +0000

The inconvenience of switching off UPNP in the home router depends greatly on how many clients in the home network want to use the the same UPNP application simultaneously.

There are lots of home routers which can only handle one instance of the same UPNP application if you use the manual port forwarding method.
(And some manufacturers even suggest to put the client pc or console in the DMZ and that also limits it to just one.)

So, with a few kids that have some MSN, some consoles etc, there is not just the burden of doing the manual port forwarding administration once, but you would have to agree to schedule who can play which game or who can MSN etc. at what time and then change the manual port forwarding correspondingly.

By: Warning: Domestic routers under UPNP/Flash attack! « Today is life … Tomorrow never comes

Thu, 17 Jan 2008 23:02:14 +0000

[...] If your domestic router has UPnP turned ON (like mine before) and you open a infect/bad Flash (SFW) file, some bad guy out there could turn your computer into a zombie. This means, you internet access and your router could be used by other people without you realize it. The only thing you can do is to disable the option UPnP in your router. Read your manual and find something like what’s displayed in this post picture to disable the UPnP. All the story is far better described here. [...]

By: Severe UPnP Flaw Allows Router Hijacking - Voxalot / SIP Broker Support Forums

Severe UPnP Flaw Allows Router Hijacking - Voxalot / SIP Broker Support Forums — Thu, 17 Jan 2008 14:54:59 +0000

[...] Hijacking Severe UPnP Flaw Allows Router Hijacking — Computer Security — InformationWeek Flash UPnP Attack FAQ | GNUCITIZEN Cutting-edge Think tank | Ethical Hacker Outfit | [...]

By: ros palmer

ros palmer — Thu, 17 Jan 2008 11:00:13 +0000

I have BT home hub and have been warned about the UPnP and would like to know how I get into the hub to turn it off and whether I can customize it as I have read you need it for Skype for example.