Comments on: Hacking The Interwebs

By: Omid

Omid — Fri, 02 Nov 2012 23:56:31 +0000

Can anyone tell me whether this vulnerability still exists or not?

Thanks

By: Bharath

Bharath — Tue, 07 Aug 2012 06:17:50 +0000

I have been trying to figure how the DNS settings can be changed using the UPnP protocol. I have figured out discovering the host and also its description but I have not been able to get into the DNS settings change . Can anyone suggest a way I can proceed with it.

Bharath

By: pdp

pdp — Sat, 13 Nov 2010 01:42:06 +0000

regarding upnp, the situation is still the same although we cannot exploit it with flash through the web… not yet… some day the browser will evolve enough to allow us to do that

By: hilbert

hilbert — Sat, 06 Nov 2010 13:11:00 +0000

More than two years have gone since this post and one from the last message… and I would like to know if the situation has evolved somehow.

Is it still dangerous using UPnP? Did somebody try to make it more secure?

Thanks for your answer,

By: Most home routers 'vulnerable to remote take-over'

Most home routers 'vulnerable to remote take-over' — Sun, 17 Oct 2010 10:56:48 +0000

[...] vulnerability, which was also discovered by Petko D. Petkov, is explained further here. A FAQ is here. [...]

By: Honeynet Project: Challenge 3/2010 (I parte) « Il non-blog di Mario Pascucci

Thu, 24 Jun 2010 03:04:20 +0000

[...] Potrebbe non essere significativo, ma potrebbe anche essere il segno di un tentativo di sfruttare una nota vulnerabilitÃ del protocollo UPnP, per cui non si possono trattare come innocue. In definitiva, abbiamo due processi con porte aperte [...]

By: Flash can modify Routerâ€™s UPnP Interface | DevWebPro

Flash can modify Routerâ€™s UPnP Interface | DevWebPro — Wed, 16 Dec 2009 20:49:58 +0000

[...] security issues surfaced about a week ago that the Universal Plug and Play (UPnP) interface of your Router may be highly vulnerable to use by hackers seeking to modify their settings â€” such as choice of DNS Server â€” from an [...]

By: Serious Flash/UPnP Issue Identified | DevWebPro

Serious Flash/UPnP Issue Identified | DevWebPro — Wed, 16 Dec 2009 19:52:21 +0000

[...] letâ€™s take a step back to examine the issue itself.Â Between two articles, Petkov and Pastor spent about 2,300 words writing about it, and if you want to fully [...]

By: Mexx

Mexx — Mon, 21 Sep 2009 02:00:14 +0000

Can’t we just hack the router without UPnP. I mean just fire queries to change DNS settings using default admin/password when 90% of the people never care to change it?

By: Timbo

Timbo — Fri, 12 Jun 2009 11:59:46 +0000

Fascinating! I’m just a user of computers, neither and IT specialist nor a programmer but it seems that what you’re saying is, once the hacker has obtained entry through to your network, the damage is done and turning uPnP off will be too late because the hackers are in. Is that right, or if I disable UPnP, will I be saved?

Excellent article though!

regards

Timbo

By: networkplanner.net » Blog Archive » Wi-Fi routers vulnerable to UPnP attack from hackers

Tue, 09 Jun 2009 19:14:22 +0000

[...] The solution seemed to be simple: Use WPA encryption and strong passwords. Now, based on an article Gnucitizen, thereâ€™s another way for hackers to take down your router. In theory, at [...]

By: Lee

Lee — Wed, 03 Jun 2009 18:41:19 +0000

Educational if esoteric discussion. I’m happy to say that my Netgear WGT624 does not enable UPnP by default, and I don’t have a need to enable it as far as I can tell.

By: pdp

pdp — Mon, 20 Apr 2009 15:25:51 +0000

Seer, thanks for the informative comment. I will have a look into the Adobe Flash Platform for the Digital Home which you’ve mentioned. Since I’ve been trying to hack my TV for some time now, this technology may prove to be very interesting.

I am not sure if I understand your last question correctly. I believe that you are suggesting that none one is implementing UPnP in real devices at the moment. This is not true. UPnP is virtually everywhere from embedded devices to mobile phones. As I mentioned before, my brand new TV has support for UPnP and pretty much every home router I’ve seen is UPnP enabled.

By: Seer

Seer — Mon, 20 Apr 2009 14:12:21 +0000

Hi there… About the “discovery” problem for hackers (how to guess UUIDs and ports ?), maybe Adobe “solved” it with its freshly announced “Adobe Flash Platform for the Digital Home” ? (I think not, as I develop further on)

I guess if it was available to anyone, this should provide developers APIs to read media (WebTVs) from real TVs/set-top boxes… why not from UPnP Media Servers ? Thus, things are getting easier, except if they restrain the supported requests to concern media stuff, and only it (no DNS change or port forwarding ?).

Anyway the special player may not be available to anyone except device manufacturers. With flash apps not gotten from the internet but deployed in the boxes (no download, only stream play ?), no problem. I guess then that we won’t be able to play free flash games from the web ;) Or only certified ones ?

Keep in mind that all of it was just pure speculation and anticipation…

One last word : Good discussion indeed with lots of information. I haven’t studied the UPnP Security profile, but would it provide solutions ? I believe (am I wrong ?) no manufacturer has implemented it yet :)

By: Le migliori tecniche di Web Hacking del 2008 | lonerunners.net

Le migliori tecniche di Web Hacking del 2008 | lonerunners.net — Sun, 15 Mar 2009 17:31:32 +0000

[...] UPnP Hacking via Flash [...]

By: Matthew

Matthew — Thu, 26 Feb 2009 19:47:00 +0000

Thank you–I learned from this article as well as the discussion.

By: pdp

pdp — Wed, 25 Feb 2009 10:44:39 +0000

It has been fixed now! We are still moving stuff around!

By: ZeroOne

ZeroOne — Tue, 24 Feb 2009 13:57:03 +0000

The link to the Test.mxml-file does not work. Could you please fix it? Or does anyone have a copy?

By: Inseguridad en UPnP. | Noticias

Inseguridad en UPnP. | Noticias — Fri, 20 Feb 2009 23:23:13 +0000

[...] Hacking The Interwebs: http://www.gnucitizen.org/blog.....interwebs/ [...]

By: ??? » Blog Archive » What’s new in web hacking techniques of 2008

Sun, 15 Feb 2009 01:52:27 +0000

[...] UPnP Hacking via Flash [...]