Then looking at upnp, I noticed forwards and then found this website. I just turned it off. Wow. It is freaky to know that my router was abused by someone for who knows what end.

Question: just turning off upnp should un-zoombie my router. Is that right?

1st: People shouldn’t install untrusted software. Flash IS an untrusted software. They allow immediate execution of third party unauthorized software and doesn’t restrict what they can do, therefore Flash can’t be trusted. No web content should be allowed to originate cross-site traffic or originate LAN traffic. I also think, web browsers should disable links to LAN from WAN. That is, a page at 200.10.10.10 shouldn’t be able to create a link to 127.0.0.1, or at least the user should be warned about it.

2nd: Cheap routers are a huge danger. This is just an example. Many exploits have turned up over the years, and it’ll only get worse.

But, anyway, most people use Windows so this isn’t their biggest threat. And most people that doesn’t run windows don’t use cheap routers and run them with off the box configurations, so, as always, the assholes that shouldn’t be using the net get it, so we shouldn’t give a fuck.

Although a malicious attack will probably not really want to invade a home-user’s PC (other than dropping mals/virusi/trojans to create havoc), the hole lets them cover their tracks for whatever other evil they perpetrate on the web.
Akin to handing your Driver’s Liscense and Social Security Card to a criminal, asking, “You’re sure you won’t use my identity when you commit your crimes?”

But really, the fault is two-fold:
1) UPnP needs to have an authentication. This would solve it.

2) Adobe needs to seriously investigate their script. Is there a valid need for such a potentially dangerous script?

Thanks for your work!

If evil.x can control your router, safeguards or info on your system devices (storage, computers, etc)are irrelevant to the biggest danger… your router becomes capable of being an agent in DOS attacks, anonomous-routing of terrorist net traffic, becoming an apparent server for child-porn, any number of which could put YOU in JAIL, with no way of defending yourself, because you left your system available for evil.x to use for their purposes. If nothing else, you immediately become the suspect in a high level investigation that BEGINS with confiscation of all of your equipment that could have been hooked up to that system(computers, servers, digital cameras…)

I just read of one open source developer who works off his laptop, snagged a discarded laptop from the trash, then when rebuilding that drive while connected to his working laptop he found it contained child porn. His working laptop (not just the drive) was confiscated by the police so forensics could find out if the files had originated from HIS computer, even though he was the one who turn in the complaint… he was unable to maintain his open-source software for several MONTHS until he could get re-imbursed for his system and get another one.

Leaving the router open to flash-uPnP attack is sort of like leaving your keys in your car, with it running, while you go into the bank, which just happens to be held up and then they snag your car for the getaway, running someone over on their way out… now prove you were not part of that robbery and murder.

As long as you can set the router to forward port 10001 to x.x.x.1 and can set the client to listen on port 10001, then it will work just fine when you configure it manually. You just have to make the router and client match. Depending on the application though, it may or may not be easy/possible to configure which port it listens on. I have yet to hear of a router that supports UPnP port-forwarding and not manual port-forwarding (though I’m sure some cheapo model out there touts that as a feature). Also, the number of ports the app uses will directly relate to the annoying factor – it’s not a big deal to forward 1 port for 5 clients, but when each copy wants to use 20 ports it will get really annoying.

Also, port forwarding can be quite bad as well. In some cases you can port forward the router’s own Web interface in which case you are making it public for attackers. Combine that with the fact that some models allow you to reset the admin credentials through UPnP, then you have a real issue. Opening port forwards to your own machine is interesting but as you said might not be valuable.

Exposing your router on the Internet is a big security problem. Changing DNS is also a huge security problem.

I can see that the Flash UPnP attack works as described, but I can’t see how an attacker could leverage it to take over my PC.

The scenario where an attacker changes your DNS server is touted as the worst – it lets him force you into visiting his site (e.g. for browser exploit) via the bad DNS. But he must have *already* been able to dupe you into visiting his site in order to view the SWF in the first place!

As for adding port forwarding rules – big deal. I can see how it would make me vulnerable e.g. if I was running a file server or something. But most home users (i.e. Windows) won’t be running such services themselves, and the out-of-the-box system services (e.g. port 445) will be protected by the host’s own firewall (ICF and maybe others).

I’m happy to be corrected, as always!

Of course, I don’t trust little black boxes; I have an IPtables firewall on a Linux box and use dnsmasq on another Linux box for caching DNS – my router is just shifting packets back and forth. Trusting your network security to a closed-source device seems short-sighted to me.