Comments on: Hacking with UPnP (Universal Plug and Play)

By: LoRdRapTuReZ

LoRdRapTuReZ — Mon, 10 Nov 2008 02:43:25 +0000

I have an universal plug and play server gateway. And its protected with the password which was set by pervously guy who work in my company.So, is there any other options that i can reset the server gateway or get the default

By: The Invisible Infection, Revisited | All That's Evil

The Invisible Infection, Revisited | All That's Evil — Thu, 18 Sep 2008 17:53:58 +0000

[...] fine folks at GNUcitizen provided much of the information that I’m mentioning here, and they even have some carefully [...]

By: More UPnP Hacking Fun with Google Media Server | GNUCITIZEN

More UPnP Hacking Fun with Google Media Server | GNUCITIZEN — Fri, 27 Jun 2008 09:31:46 +0000

[...] our exploration in the fields of UPnP earlier this year with some smoking posts which covered some basic attacks and the advance flash attacks. Today I stumbled across Google Media Server, a desktop gadget which [...]

By: vino

vino — Mon, 28 Apr 2008 14:27:39 +0000

Thats Greatt.., You guys Rock !!!!

By: Inseguridad en UPnP. » Vida Casi Digital

Inseguridad en UPnP. » Vida Casi Digital — Fri, 11 Apr 2008 20:11:31 +0000

[...] Hacking with UPnP (Universal Plug and Play): http://www.gnucitizen.org/blog.....-and-play/ [...]

By: Nick

Nick — Fri, 28 Mar 2008 07:17:48 +0000

Alright.

So I’m in an interesting situation. A desperate friend convinced me to help him try to get a friend’s MSN and Gmail accounts back from a malicious ex-friend. I am now communicating with the malicious ex-friend’s router via Flash SOAP requests and I would really like to change this person’s DNS servers. Bad I know, but my friend claims her life is getting ruined. I am having trouble finding an API for SOAP communication with routers - specifically a 3COM OfficeConnect.

For justice!

By: WiFi Ownage | GNUCITIZEN

WiFi Ownage | GNUCITIZEN — Thu, 07 Feb 2008 11:00:18 +0000

[...] router and changed the primary DNS server through many of the available methods in the wild, like UPnP hacking, [...]

By: UPnP: The Saga Continues | GNUCITIZEN

UPnP: The Saga Continues | GNUCITIZEN — Sun, 20 Jan 2008 20:35:33 +0000

[...] already covered what UPnP is and how it works in most basic form. We’ve also showed how it can be exploited [...]

By: And Go it Does: CSRF « Reasons to Fear the Matrix

And Go it Does: CSRF « Reasons to Fear the Matrix — Fri, 18 Jan 2008 20:16:30 +0000

[...] a side note, the security issues raised by GnuCitizen about the use of UPnP (Universal Plug and Play) are quite more interesting. Of course, you have to be on the local [...]

By: Pericoloso bug per Flash e Excel :: News Orebla.it

Pericoloso bug per Flash e Excel :: News Orebla.it — Wed, 16 Jan 2008 13:26:26 +0000

[...] pubblicato dai due ricercatori (vedi articolo) si evince come il problema non sia localizzato in una mancanza di validazione da parte di Apple [...]

By: ×¡×“×§×™× » ×‘×¢×™×ª ×”××‘×˜×—×” ×©×ž××™×™×ž×ª ×¢×œ ×›-×•-×œ-×

×¡×“×§×™× » ×‘×¢×™×ª ×”××‘×˜×—×” ×©×ž××™×™×ž×ª ×¢×œ ×›-×•-×œ-× — Tue, 15 Jan 2008 18:32:04 +0000

[...] ×›×“×™ ×œ×–×¨×– ××ª ×”×˜×™×¤×•×œ ×‘× ×•×©×. ×‘×—×•×“×© ×”××—×¨×•×Ÿ ×”× ×—×§×¨×• ×•×¤×¨×¡×ž×• ×ž×¡×¤×¨ ×ž××ž×¨×™× ×”×¢×•×¡×§×™× ×‘× ×•×©× ×›×”×›× ×” ×œ×’×™×œ×•×™. ×”×¦×ž×“ ×’×™×œ×” ×©× ×™×ª×Ÿ ×œ×™×¦×•×¨ ×§×‘×¦×™ [...]

By: rizki

rizki — Tue, 15 Jan 2008 10:25:13 +0000

how to hacking in the syistem

By: G-Brain

G-Brain — Sun, 13 Jan 2008 11:47:58 +0000

“Home Wirless”. An excellent article nonetheless.

By: Hacking The Interwebs | GNUCITIZEN

Hacking The Interwebs | GNUCITIZEN — Sat, 12 Jan 2008 12:57:28 +0000

[...] the last week we’ve tried to prepare you for this very moment by exposing bits and pieces on how UPnP works and why it is so important to keep it in mind when testing and securing networks. [...]

By: Adrian Pastor

Adrian Pastor — Fri, 11 Jan 2008 00:26:26 +0000

@zmx - Plug-and-Play Tester - like other upnp tools - are very handy for reverse-engineering the protocol. make a config change with the tool while sniffing the traffic. once the SOAP request is captured is trivial to convert to XHR() for remote exploitation.

@agent0×0 - you definitely made me want to test UPnP attacks on consoles. Nice idea as I’m sure they use UPnP stacks that can also be found on other devices besides gaming consoles.

By: ambient » Some links from today

ambient » Some links from today — Thu, 10 Jan 2008 21:25:55 +0000

[...] Hacking with UPNP [...]

By: pdp

pdp — Thu, 10 Jan 2008 16:25:16 +0000

definitely a risk, I must say. we haven’t done any research on UPnP enabled consoles although I am sure that there might be a lot of interesting stuff to play with. To give you a hint, certain printers allow you to do a lot more through UPnP then the Web interface ;)

By: agent0x0

agent0x0 — Thu, 10 Jan 2008 15:59:29 +0000

Good stuff guys! I am concerned with all these “media server” devices and clients that auto enable UPnP…I know many people are sticking 360’s and PS3’s out on their Internet Gateway so they can play multiplayer games easier…perhaps video game consoles with UPnP enabled is a growing attack vector along with the devices you mentioned. Have you done any research with UPnP and consoles like the Xbox 360 or PS3?

By: pdp

pdp — Thu, 10 Jan 2008 14:54:52 +0000

yes, Universal Plug-and-Play Tester is pretty good, but it has some limitations.

How can you interrogate an UPnP device from the internet?

first of all check Adrian’s post on how to hack into BT Home Hub from outside with a combined attack: XSS + UPnP. It works flawlessly. The victim needs to visit a specially crafted webpage. Upon visit, the attacker will reconfigure their router with an UPnP SOAP message. At that moment the attacker can do pretty much whatever they like, including but not only: change the primary DNS server, reconfigure the local network, expose internal ports on the router’s Internet facing side.

The broadcast announcement is useful only if you don’t know where to look for the UPnP service description. I lot of people believe that UPnP is useful only if you are inside a network. This is incorrect. If you manage to find a printer or an exposed router, or any other type of UPnP enabled device and you know where their description is located, you might be able to send arbitrary SOAP request to any of control points over the Internet. It is as simple as that.

For example, if you enable the BT Home Hub router Web interface on the internet facing side, you will be able to reconfigure the device across the Internet even if the default admin password was changed.

By: zmx

zmx — Thu, 10 Jan 2008 14:43:49 +0000

There is a nice application Universal Plug-and-Play Tester for playing with http://noeld.com/programs.asp?cat=dstools.

However, you can play with UPnP only if you are inside the internal network. You need to see broadcast announcements to be able to interrogate and control an UPnP capable device.

How can you interrogate an UPnP device from the internet?

Comments on: Hacking with UPnP (Universal Plug and Play)

By: LoRdRapTuReZ

By: The Invisible Infection, Revisited | All That's Evil

By: More UPnP Hacking Fun with Google Media Server | GNUCITIZEN

By: vino

By: Inseguridad en UPnP. » Vida Casi Digital

By: Nick

By: WiFi Ownage | GNUCITIZEN

By: UPnP: The Saga Continues | GNUCITIZEN

By: And Go it Does: CSRF « Reasons to Fear the Matrix

By: Pericoloso bug per Flash e Excel :: News Orebla.it

By: ×¡×“×§×™× » ×‘×¢×™×ª ×”××‘×˜×—×” ×©×ž××™×™×ž×ª ×¢×œ ×›-×•-×œ-×

By: rizki

By: G-Brain

By: Hacking The Interwebs | GNUCITIZEN

By: Adrian Pastor

By: ambient » Some links from today

By: pdp

By: agent0x0

By: pdp

By: zmx

By: ×¡×“×§×™× » ×‘×¢×™×ª ×”××‘×˜×—×” ×©×ž××™×™×ž×ª ×¢×œ ×›-×•-×œ-×