Flash UPnP Attack FAQ

Mon, 14 Jan 2008 20:20:02 GMT
by pdp

There are loads of misconceptions and confusion regarding the Flash UPnP Attack that was discussed over here. Therefore, it is probably a good idea to shed some light on the matter, since I don't want to leave people with the wrong impression. If the majority of people still don't get it after this post, then that will mean that we have failed and we shouldn't have published the research.

Q: What does the Flash UPnP hack consist of?

When the victim opens a malicious SWF file, or a page that embeds one (think of ad networks, etc.), a roughly four-step attack (it could be fewer or slightly more steps) executes silently in the background, after which the attacker has control over the victim's router, pretty much regardless of its model.

Q: Does the attack rely on any vulnerabilities within Flash?

No! The attack is based on the navigateToURL function and the URLRequest object. Both of them are used as described in the Flash ActionScript specifications.

Q: Does the Flash UPnP Attack depend on certain browser type and/or version?

No! The attack is possible because of Flash, not because of the underlying browser!

Q: Does the Flash UPnP Attack depend on certain Operating System type and/or version?

No! Flash is cross-platform. The attack will work wherever Flash works.

Q: The Demo does not work with the most recent version of Flash Player, right?

No! It does work!

Q: Nevertheless, UPnP is useless, right?

No! UPnP is quite serious business, and abusing it often has catastrophic effects. The following is possible with UPnP:

  • port-forward internal services (ports) to the router's external-facing side (i.e. poking holes into your firewall and/or network)
  • port-forward the router's web administration interface to the external-facing side
  • port-forward to any external server located on the Internet, effectively turning your router into a zombie: the attacker can attack an Internet host via your router, thus hiding their own IP address (not all routers are affected by this, but most are)
  • change the DNS server settings so that the next time the victim visits bank.com, they actually end up on evil.com masquerading as bank.com
  • change the DNS server settings so that the next time the victim updates their favorite Firefox extensions, they end up downloading evil code from evil.com which will root their system
  • reset/change the administrative credentials
  • reset/change the PPP settings
  • reset/change the IP settings for all interfaces
  • reset/change the WiFi settings
  • terminate the connection
  • etc.

And these are just a small portion of the things you can do over UPnP.

Q: Nevertheless, UPnP is secure. The user will be prompted with a Basic Authentication prompt, right?

No! The UPnP specifications do not provide any standard for authentication. Therefore, anyone can make these changes without any restrictions.
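Because the same unauthenticated SOAP interface that lets an attacker add mappings also lets the owner read them back, the mapping table is the first place to look for the scenarios listed above (admin interface forwarded to the WAN side, router used as a relay). The following audit script is an added example and not GNUCITIZEN's code: it walks the router's table with the standard WANIPConnection action GetGenericPortMappingEntry and flags entries that point at the router itself or at a host outside the LAN. CONTROL_URL, the LAN subnet and the gateway address are assumptions you must replace with your own router's values (the control URL comes from the IGD's device description), and the sample responses are constructed, not captured from a real device.

```python
"""Audit the port mappings your own router exposes over UPnP (WANIPConnection).

Added example, not GNUCITIZEN's code. CONTROL_URL, the LAN subnet and the
gateway address are assumptions; SAMPLE_RESPONSES are constructed test data."""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "http://192.168.1.1:1900/upnp/control/WANIPConn1"  # assumption: read it from your IGD's device description


def build_soap(action, args):
    """Serialise a UPnP SOAP envelope for one action of the WANIPConnection service."""
    params = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{action} xmlns:u="{SERVICE}">{params}</u:{action}>'
        "</s:Body></s:Envelope>"
    )


def fetch_mapping(control_url, index):
    """Live query (not used by the offline sample): POST one GetGenericPortMappingEntry."""
    body = build_soap("GetGenericPortMappingEntry", {"NewPortMappingIndex": index}).encode()
    req = urllib.request.Request(control_url, data=body, method="POST")
    req.add_header("Content-Type", 'text/xml; charset="utf-8"')
    req.add_header("SOAPAction", f'"{SERVICE}#GetGenericPortMappingEntry"')
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()  # a SOAP fault (e.g. 713 at the end of the table) arrives as HTTP 500


def parse_mapping(xml_text):
    """Return the New* fields of a GetGenericPortMappingEntryResponse, or None on a SOAP fault."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    return {child.tag: (child.text or "").strip() for child in resp}


def classify(mapping, lan_net, gateway_ip):
    """Reasons a mapping matches the abuse the post describes (empty list = looks ordinary)."""
    reasons = []
    try:
        client = ipaddress.ip_address(mapping.get("NewInternalClient", ""))
    except ValueError:
        return ["internal client is not an IP address: %r" % mapping.get("NewInternalClient")]
    if client == gateway_ip:
        reasons.append("forwards to the router itself (its admin interface may now be reachable from the WAN)")
    if client not in lan_net:
        reasons.append("forwards to a host outside the LAN (the router is acting as a relay)")
    return reasons


def audit(responses, lan_cidr, gateway):
    """Walk raw SOAP responses for index 0, 1, 2, ... and collect the suspicious entries."""
    lan_net = ipaddress.ip_network(lan_cidr)
    gateway_ip = ipaddress.ip_address(gateway)
    findings = []
    for raw in responses:
        mapping = parse_mapping(raw)
        if mapping is None:  # fault 713 SpecifiedArrayIndexInvalid: no more entries
            break
        reasons = classify(mapping, lan_net, gateway_ip)
        if reasons:
            findings.append((mapping["NewExternalPort"], mapping["NewInternalClient"], reasons))
    return findings


def live_responses(control_url, limit=256):
    """Generator that feeds audit() from a real router; stops after the first fault."""
    for index in range(limit):
        raw = fetch_mapping(control_url, index)
        yield raw
        if parse_mapping(raw) is None:
            return


def _sample_response(**fields):
    """Constructed test data shaped like a real GetGenericPortMappingEntryResponse."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">{inner}'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


SOAP_FAULT_713 = (  # constructed end-of-table fault, as the IGD spec defines it
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
    '</detail></s:Fault></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [  # constructed: one ordinary game mapping, two matching the post's scenarios, then end of table
    _sample_response(NewRemoteHost="", NewExternalPort="3074", NewProtocol="UDP", NewInternalPort="3074",
                     NewInternalClient="192.168.1.20", NewEnabled="1", NewPortMappingDescription="Xbox", NewLeaseDuration="0"),
    _sample_response(NewRemoteHost="", NewExternalPort="8080", NewProtocol="TCP", NewInternalPort="80",
                     NewInternalClient="192.168.1.1", NewEnabled="1", NewPortMappingDescription="", NewLeaseDuration="0"),
    _sample_response(NewRemoteHost="", NewExternalPort="6000", NewProtocol="TCP", NewInternalPort="6000",
                     NewInternalClient="203.0.113.7", NewEnabled="1", NewPortMappingDescription="relay", NewLeaseDuration="0"),
    SOAP_FAULT_713,
]

if __name__ == "__main__":
    # Offline run over the constructed data; swap in live_responses(CONTROL_URL) to audit a real router.
    for ext_port, client, reasons in audit(SAMPLE_RESPONSES, "192.168.1.0/24", "192.168.1.1"):
        print(f"external port {ext_port} -> {client}: " + "; ".join(reasons))
```

Against the constructed data the script reports the mapping of external port 8080 to the gateway's own port 80 and the mapping to 203.0.113.7, and ignores the Xbox entry. Bear in mind the caveat pdp raises later in the comments: some UPnP-made changes never show up in the web interface, so reading the table back over UPnP, as here, sees more than the admin console does, but a vendor-specific action (DNS, PPP, credentials) is not covered by this walk.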

Q: Is UPnP turned on by default?

Yes! UPnP is turned on by default on most, if not all, devices. Otherwise, things like MSN and Skype real-time audio and video, P2P (peer-to-peer) software like eMule, games of all kinds and a bunch of other things won't work unless the user manually changes her router's configuration. Because the average user is not a system administrator, UPnP is enabled by default in order to make the magic happen behind the scenes.

Q: Can I turn UPnP off?

Yes! Please consult the manual provided by your router manufacturer. It is a good idea to consider the inconveniences that this change may cause you. Remember: there are no perfect things! It is all about keeping the balance.

Q: Is it just my router that supports UPnP?

No! Many types of devices support the UPnP protocol: Cameras, Printers, Mobile Phones (yes my mobile has UPnP capabilities), Digital Entertainment Systems, etc.

Q: Is it possible to hack into other UPnP enabled devices with the Flash UPnP Attack?

Yes! It is possible to hack into any UPnP-enabled device as long as the UPnP control point is delivered over HTTP. HTTPU (HTTP over UDP) UPnP implementations are not vulnerable, because Flash does not support the UDP transport protocol.

Q: Am I safe if my UPnP device handles only HTTPU?

No! You still need to consider the risk that someone can send arbitrary UDP requests to the UPnP control point. Remember, UPnP does not have any authentication or authorization facilities!

Q: Am I safe if I disable/uninstall Flash?

Although I am not aware of any other method for achieving the same effect, it is very likely that the same attack can be performed by other types of Web technologies.

Q: Why did you publish the research?

We hope that by exposing this information, we will drastically improve the situation for a better future. I think that this is a lot better than keeping it to ourselves or risking it all by giving criminals the opportunity to possess a secret which no one else is aware of.

Q: Why didn't you contact the vendor?

What vendor? Who? There are so many device manufacturers that it is highly unfeasible to contact each one individually. Regarding Adobe, well, they haven't done anything wrong either. So, I don't think that you should blame them.

Q: How would you rate the issue?


_I am planning to keep this post up-to-date as new question/misconceptions/confusions emerge._

Archived Comments

"If the majority of people still don't get it after this post, then that will mean that we have failed and we shouldn't have published the research." I disagree. If the majority of people still don't get it, then they better go and read anywhere else. You guys have been through an excellent research and disclosure work, and I really thank you for that. I, as you do, think that this issue is highly critical. Reminds me of the times when the majority of snmp devices came with "public" and "private" as the default keys. It will take a long time until this scenario changes. Normal people, not security professionals or just computer related professionals, don't concern themselves about this kind of topics, so we will have to wait until the need of new devices comes out, which will come with UPnP not activated by default or with authentication added to the protocol, and the earliest that this is going to happen is with the next network technology jump, maybe fiber at home. Not too soon, definitely.
BTW: There are some routers out there, which answer on their hostname. So there's no need to know their IP-addresses. For example the routers from vendor AVM called Fritz!Box. They will answer on: ping fritz.box or http://fritz.box
yep, perfectly valid point. we haven't thought about it. :) BT Home Hub answers on api.home
A question. Reading this I'm left with the impression that pretty much all routers are vulnerable. I would've thought that only those that connect via upnp would be so. e.g. My linksys broadband router has a bunch of RJ45's and I configure by pointing the browser to the preset address. In this scenario, how does the vulnerability come into play?
Nicho, most, if not all, routers are UPnP enabled and most of them have UPnP turned on.
The Mole
I find it very tenuous that the reason that this isn't a security flaw in flash is because flash is behaving the way it was designed to. This is complete rubbish. It IS a security flaw in flash. I can see no justifiable circumstances why a flash script from the internet should be able to open a page to a private non-public ip address. It shouldn't be allowed.
Craig Scott
"Yes! UPnP is turned on by default on most, if not all devices. Otherwise, things like MSN and Skype realtime audio and video, P2P (Peer-to-Peer) software like Emule, Games of all kinds and bunch of other things wont work unless the user manually make changes in their router’s configuration." I can't comment on the rest, but skype still works fine with UPnP disabled. It can take advantage of UPnP if enabled, but it copes fine without it.
Craig, thanks for the input. We haven't done much investigation whether Skype works with/without UPnP. All we know is that UPnP is used for many things. For example, some ISPs provide you with Wizard-like Software that helps you with configuring the device. What do you think the software uses? UPnP! Many of you say that it is ok to turn UPnP off. Well, I am not sure about that. As a security guy I recommend turning UPnP off. Though, I can clearly see how this can turn into a problem. People do use it. Go explain to our grandma how to add a portforward through the admin interface so that she is secure when using whatever program she might have in mind. She would rather leave that decision to the computer, I guess. So let's not be ignorant.
routerlogin.com and routerlogin.net point to the netgear router.
damien, this proves the point that the attack will be a lot slicker if we use names rather than bruteforcing IP addresses.
Adrian Pastor
A classic example of a tool that allows you to configure something via UPnP is Slingbox. If you enable "remote viewing" all the configuration tool (SlingPlayer) does is enable port-forwarding on your router as we mentioned here: http://www.gnucitizen.org/blog/strategic-geoip-hacking-and-tv-streaming-theft Think about it: SlingPlayer never asks you to enter your router's admin password!! Again, although we don't want to repeat ourselves, UPnP does many more things than just port forwarding (especially on IGDs - aka home routers).
and I would like to add that the Flash UPnP hack and the XSS UPnP hack can be used for other UPnP enabled devices, not just routers.
Tim Cutts
I always considered UPnP to be an obvious security nightmare, and switched it off on every router I've ever owned. Unauthenticated manipulation of the firewall rules?! You might as well not have a firewall at all. That alone was enough for me to switch it off. Consider the equivalent in your home - allowing any visitor to your home to change the locks or put new doors in the walls. Tim
Stephen Auerbach
I hate, hate, hate white on black text. I hate hate hate white on black text. Why do people create white on black web sites? Why?
Philip Cass
"for other UPnP enabled devices, not just routers" true, but it's routers that have the bloody stupid ability to have their DNS settings changed by J.Random client not so worried about the port opening (or else why use UPnP with your router?) as I believe a computer should be secured as if connected directly to the internet... but the person who thought it was a good idea to let any computer on a LAN change central settings needs to rethink things a bit
Armijn Hemel
hi guys, excellent work. I never had the time to turn my own research about UPnP (published at SANE 2006) into a websploit. You might want to know there are a lot of extra hacks possible, depending on which stack is used, including remote root exploits on the router itself. You might want to adapt your tools to do even more interesting things. See http://www.upnp-hacks.org/ for a discussion of several UPnP stacks and their security issues.
"Nicho, most, if not all, routers are UPnP enabled and most of them have UPnP turned on." FWIW, I just checked mine and UPnP is deactivated. And I'm 100% sure I've never touched that setting. I'm using the Sitecom Modem/Router WL-174.
My Netgear WGR614 v6 came with UPnP off by default. I don't know if it's enabled by default in most routers.
Your research article talks about UPnP being enabled/disabled in the router which is certainly a facility in my router. I have been concerned about UPnP for some time and I use a utility from www.grc.com that allows me to disable/enable UPnP in my PC. Up to now I have UPnP in the router enabled but disabled in my PC unless I need to use it for a specific purpose. I then use the GRC utility to enable it. I can only use UPnP when both PC and router are enabled. Is this a safe way of working or should the router also have UPnP disabled to protect against the possible Flash attack described in your research article?
Alan, excellent question. The answer is NO. I am not quite sure what this GRC utility does but I suspect that it simply makes UPnP an exception on your local firewall and it turns the Windows SSDP service on. I might be wrong. Turning off/on your machine UPnP capabilities does not solve the problem. The attack will work regardless of that.
Can a person write a Flash "app" which turns UPnP off using UPnP?
An Ogre
The GRC utility simply stops and disables the Windows UPnP service/driver. Whether that is relevant to this I do not know. Contact Steve Gibson. You are over thinking finding the router. It is well known that nearly all home and SMB routers live at, or in the rare instance the default is changed, x.x.x.1 relative to the machine you are attacking thru. Third party, usually Linux based, firmware is likely also vulnerable. This whole thing is rather academic given the vast number of routers running default passwords and settings. Certain ISPs are famous for setting all their routers to one common and weak ID/PW to log in AND leaving remote management enabled. You've also overlooked that there are a lot worse things you can make these weak routers do besides steal data from local users. More than a few brands' products are running easily altered and even open source code right out of the box that frequently has serious flaws. Few owners ever update router firmware.
The Mole: Well and good, but how on earth is Flash to determine what is a "private non-public IP address" and what isn't? You can't just use the IETF non-routable ranges as an indicator because of both false positives (Eg large corporate intranet on 10.x.x.x with Flash apps that legitimately want to open HTTP connections to intranet servers) and false negatives (ie using an assigned routable range with NAT).
Conrad, good question. If UPnP exports a method that allows you to turn UPnP off then it is possible. Though, I haven't seen such a setup.
I have a Linksys router that came with UPnP disabled. I left it that way for about three years. Then last summer, I wanted to try Microsoft's new live FolderShare. Microsoft has a list of routers that will work with FolderShare and explains how to turn UPnP on in each of them. I turned it on and, due to a bug in the Linksys firmware, I found myself locked out of the router interface after I did that. Evidently the password is now a random one and the only way to get into the router's interface now is to do a factory reset. That I have been reluctant to do because I use beta firmware (required for one of my most important applications) and would have to go search for that firmware again (it was never on the Linksys FTP server and Linksys will not email it because my router is more than one year old so there is no support). So, I have not fixed the problem. I didn't like FolderShare and haven't needed UPnP on for anything else since I got the router in 2003 so I would simply put the setting for UPnP back to off except I can't get in to do that. What are all the Microsoft FolderShare folks supposed to do now?
Is the attack directed at the ip address of your LAN interface or a multicast address, and if so would changing the default addresses give any protection?
How can you tell if your router has been compromised?
TRB, sometimes it is obvious, sometimes it is not. Some changes performed over UPnP are not reflected in the router administration console.
I think this definitely is a vulnerability in flash. Flash does not observe the same origin policy as you write yourself in your article. It's one thing to do simple GET requests, but a completely different thing to be able to craft complete HTTP requests. With XMLHttpRequest you also can't craft a request to a different domain. So why should flash be allowed to do so?
Mark Thornton
Unsigned Java applets only allow connections to the site on which they are hosted. Connections to third party sites (such as the router in this case) are not allowed. Flash (or the browser hosting it) should implement similar restrictions.
Mark, keep in mind that Flash does not connect to anything in our case. It simply makes the browser connect on Flash's behalf. The navigateToURL function will replace the current window where the malicious movie is loaded with the result page of the request. Attackers can hide this change by encapsulating the whole thing within an iframe. However, the sendToURL function also allows you to perform the request but without any visual change, i.e. the state of the malicious movie stays as it is. This, I believe, is a security BUG and needs to be fixed!
I have some doubt about all the risks exposed. Only ill written UPnP IGD service software will allow a mapping to a non local IP or change the DNS settings.
Once again, run for Cisco when it comes to network devices. They don't support uPNP (except maybe with Linksys brand), so problems like this don't exist.
ros palmer
I have BT home hub and have been warned about the UPnP and would like to know how I get into the hub to turn it off and whether I can customize it as I have read you need it for Skype for example.
The inconvenience of switching off UPNP in the home router depends greatly on how many clients in the home network want to use the same UPNP application simultaneously. There are lots of home routers which can only handle one instance of the same UPNP application if you use the manual port forwarding method. (And some manufacturers even suggest to put the client pc or console in the DMZ and that also limits it to just one.) So, with a few kids that have some MSN, some consoles etc, there is not just the burden of doing the manual port forwarding administration once, but you would have to agree to schedule who can play which game or who can MSN etc. at what time and then change the manual port forwarding correspondingly.
My Draytek Vigor 2500 series has UPnP disabled by default. No problems with p2p or msn encountered.
Andy RSS
Mind me asking - you speak a lot about the threat of and the possibility of - can you give any examples where it's actually happened? What's the risk on this? I'm a home user with nothing interesting on my machine (apart from some creative pr0n, but what's the intahwebb without creative pr0n, eh?) and i don't blaze a trail of downloads and blogs and stuff, so i wouldn't consider myself "visible" as such - how many cases are you aware of where this has happened? I see lots of posts regarding problems with the fix but not one post about problems regarding actually suffering from this exploit - is it common ground that will be splashed about as easily as Sub-7 or B.O. or is it something that would require plenty of skill and knowledge and, therefore, just wouldn't be worth the effort unless the programmer was just broken in the head. On that note, advertisers using flash banners/ads are surely responsible for the content of them ads as they are distributing them, right? It's not our problem guys and unless it starts hitting the net like a plague, whilst i admire your research (the amount of stuff that has gone completely over my head is testament to your dedication and understanding of the situation), this is an exploit that should be addressed by Adobe, should cause concerns for ad-companies and domain providers and we shouldn't have to concern ourselves with it at all, unless we're making ourselves a target for this kind of mal-ware. Cheers for the info though, top work on that A
Thanks for the comment A, I see your point. The thing with the Flash UPnP attack is that it is not obvious. This means that even if you get hacked, you won't see it. Some UPnP settings are not visible from the Web Interface, therefore, we cannot provide a good explanation on how to detect whether you have been hacked. I am personally not aware of anyone using the attack vector at the moment. But this does not mean that we should not take care of it or even treat it as a serious risk. Maybe, there are already some individual cases but it will take weeks if not months for the real criminals to start taking advantage of it. I won't be surprised if it gets included into MPACK, WebAttacker, or Storm.
Therefore, this type of issue needs to be fixed now, or at least we should make sure that everyone is aware of it so that there are no nasty surprises at the end.
I have a Belkin F5D7230-4 wireless router which ships with UPnP disabled, I've never had a problem with Skype or anything else. Thanks for making me aware of the UPnP situation.
This is indeed a very good find, and with me personally owning a HomeHub I am taking this very seriously myself. I am not sure whether a user HAS to visit a website with a script on it. This for me seems like it will work from ANY device connected to the network correct? So if someone connected to an open network is there the possibility that a spoofed message can be sent to the router to do all of these same requests? Just me thinking aloud.
Th3ChaS3r, yes! If you are already inside the network where the UPnP device is located you can just start sending UPnP requests. However, the method presented here is useful when attacking from outside. This is the most important difference.
Adam Oellermann
I have a cheap Safecom ADSL modem/router (Conexant chipset) which doesn't have UPnP support at all. There must be millions of these boxes in circulation, so I think the "99% of routers at risk" statistic is perhaps a bit high. Of course, I don't trust little black boxes; I have an IPtables firewall on a Linux box and use dnsmasq on another Linux box for caching DNS - my router is just shifting packets back and forth. Trusting your network security to a closed-source device seems short-sighted to me.
To me, this attack still seems more of an interesting curiosity than something to be worried about. I can see that the Flash UPnP attack works as described, but I can't see how an attacker could leverage it to take over my PC. The scenario where an attacker changes your DNS server is touted as the worst - it lets him force you into visiting his site (e.g. for browser exploit) via the bad DNS. But he must have *already* been able to dupe you into visiting his site in order to view the SWF in the first place! As for adding port forwarding rules - big deal. I can see how it would make me vulnerable e.g. if I was running a file server or something. But most home users (i.e. Windows) won't be running such services themselves, and the out-of-the-box system services (e.g. port 445) will be protected by the host's own firewall (ICF and maybe others). I'm happy to be corrected, as always!
wintermute, if someone changes your DNS they will be able to do a lot more than just force you to visit a site. They will be able to push down malicious extensions or easily exploit the Skype vulnerability that we talked about at GNUCITIZEN not that long ago. Also, port forwarding can be quite bad as well. In some cases you can port forward the router's own Web interface in which case you are making it public for attackers. Combine that with the fact that some models allow you to reset the admin credentials through UPnP, then you have a real issue. Opening port forwards to your own machine is interesting but as you said might not be valuable. Exposing your router on the Internet is a big security problem. Changing DNS is also a huge security problem.
@Frankum: UPnP doesn't do any special port-forwarding that you can't do manually (excluding UI limitations in the client or router). If you have 5 copies of MSN working with UPnP, then UPnP is having the copy at x.x.x.1 use port 10001, x.x.x.2 use port 10002, x.x.x.3 use port 10003, etc. As long as you can set the router to forward port 10001 to x.x.x.1 and can set the client to listen on port 10001, then it will work just fine when you configure it manually. You just have to make the router and client match. Depending on the application though, it may or may not be easy/possible to configure which port it listens on. I have yet to hear of a router that supports UPnP port-forwarding and not manual port-forwarding (though I'm sure some cheapo model out there touts that as a feature). Also, the number of ports the app uses will directly relate to the annoying factor - it's not a big deal to forward 1 port for 5 clients, but when each copy wants to use 20 ports it will get really annoying.
Any of the folks saying this is not a dangerous vulnerability have no idea what turning your net appliance (router, etc) into a zombie means... If evil.x can control your router, safeguards or info on your system devices (storage, computers, etc) are irrelevant to the biggest danger... your router becomes capable of being an agent in DOS attacks, anonymous routing of terrorist net traffic, becoming an apparent server for child-porn, any number of which could put YOU in JAIL, with no way of defending yourself, because you left your system available for evil.x to use for their purposes. If nothing else, you immediately become the suspect in a high level investigation that BEGINS with confiscation of all of your equipment that could have been hooked up to that system (computers, servers, digital cameras...) I just read of one open source developer who works off his laptop, snagged a discarded laptop from the trash, then when rebuilding that drive while connected to his working laptop he found it contained child porn. His working laptop (not just the drive) was confiscated by the police so forensics could find out if the files had originated from HIS computer, even though he was the one who turned in the complaint... he was unable to maintain his open-source software for several MONTHS until he could get reimbursed for his system and get another one. Leaving the router open to flash-uPnP attack is sort of like leaving your keys in your car, with it running, while you go into the bank, which just happens to be held up and then they snag your car for the getaway, running someone over on their way out... now prove you were not part of that robbery and murder.
Unrealized before, this is scary. It's a wide-open hole. Although a malicious attack will probably not really want to invade a home-user's PC (other than dropping mals/virusi/trojans to create havoc), the hole lets them cover their tracks for whatever other evil they perpetrate on the web. Akin to handing your Driver's License and Social Security Card to a criminal, asking, "You're sure you won't use my identity when you commit your crimes?" But really, the fault is two-fold: 1) UPnP needs to have an authentication. This would solve it. 2) Adobe needs to seriously investigate their script. Is there a valid need for such a potentially dangerous script? Thanks for your work!
This is a double vulnerability. 1st: People shouldn't install untrusted software. Flash IS untrusted software. They allow immediate execution of third party unauthorized software and don't restrict what they can do, therefore Flash can't be trusted. No web content should be allowed to originate cross-site traffic or originate LAN traffic. I also think web browsers should disable links to LAN from WAN. That is, a page at shouldn't be able to create a link to, or at least the user should be warned about it. 2nd: Cheap routers are a huge danger. This is just an example. Many exploits have turned up over the years, and it'll only get worse. But, anyway, most people use Windows so this isn't their biggest threat. And most people that don't run windows don't use cheap routers and run them with off the box configurations, so, as always, the assholes that shouldn't be using the net get it, so we shouldn't give a fuck.
As I understand many router settings can be changed using this exploitive method. If that's the case, then I would be able to see those changes if I log into my router and check; right?
Simon Helsen
This site does not look very active, but I can testify that my router was hacked exactly this way. I accidentally noticed it when looking at my traffic meter noticing unusually high bandwidth usage. I was also able to see in the log that outside servers were contacting my log. When doing a whois on some of the IPs I noticed they came from places like Mexico (I am based in Toronto). Then looking at upnp, I noticed forwards and then found this website. I just turned it off. Wow. It is freaky to know that my router was abused by someone for who knows what end. Question: just turning off upnp should un-zombie my router. Is that right?
How and in how many ways can I understand if my router has been compromised or hacked?
This is a very good but difficult to answer question. Just check the settings and make sure that there is nothing suspicious. I hope this helps.
Is this attack still prevalent? Any kinda automatic traffic checking (by a software) to find out whether the gateway is under attack?
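Several commenters above ask how to tell whether a router has been hit and whether traffic can be checked automatically. One angle the post itself supplies: pdp explains that Flash does not connect to the router, it makes the browser send the request on its behalf, so a browser-relayed UPnP SOAP call carries a browser User-Agent and, when launched from a page, a Referer, which a real UPnP control point never sends. The script below is an added example, not GNUCITIZEN's code, and that header heuristic is its own assumption. It also assumes a request log in front of the router's UPnP port (a monitoring proxy or capture) with the SOAPAction, User-Agent and Referer headers per line; the log lines, hosts, paths and URLs are constructed placeholders.

```python
"""Flag UPnP SOAP control requests that look browser-relayed rather than sent by a
UPnP control point.

Added example, not GNUCITIZEN's code. The log format and the header heuristic
(browser User-Agent / Referer present) are assumptions; SAMPLE_LOG is constructed."""
import re

# Actions of the IGD services whose effects the post describes (port mappings, DNS servers).
WATCHED_ACTIONS = {"AddPortMapping", "DeletePortMapping", "SetDNSServer", "DeleteDNSServer"}

# Constructed line shape: <timestamp> <client-ip> <method> <path> soapaction="..." ua="..." referer="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'soapaction="(?P<soapaction>[^"]*)" ua="(?P<ua>[^"]*)" referer="(?P<referer>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict of fields; None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def action_name(soapaction):
    """'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping' -> 'AddPortMapping'."""
    return soapaction.strip('"').rsplit("#", 1)[-1]


def assess(entry):
    """Reasons this SOAP request looks browser-relayed; empty when it looks like a normal control point."""
    reasons = []
    if entry["method"] != "POST" or not entry["soapaction"]:
        return reasons  # only SOAP control messages are of interest
    if action_name(entry["soapaction"]) not in WATCHED_ACTIONS:
        return reasons  # read-only actions such as GetExternalIPAddress change nothing
    if entry["referer"]:
        reasons.append("carries a Referer, so it was issued from a web page")
    if entry["ua"].startswith("Mozilla/"):
        reasons.append("browser User-Agent instead of a UPnP control point")
    return reasons


def scan(lines):
    """Run every line through assess() and return the findings in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            findings.append({"src": entry["src"], "action": action_name(entry["soapaction"]),
                             "referer": entry["referer"], "reasons": reasons})
    return findings


SAMPLE_LOG = [  # constructed: a real control point, then two browser-relayed writes, then a harmless read
    '2008-01-14T20:20:02Z 192.168.1.20 POST /upnp/control/WANIPConn1 '
    'soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping" '
    'ua="Microsoft-Windows/6.0 UPnP/1.0" referer=""',
    '2008-01-14T20:21:15Z 192.168.1.20 POST /upnp/control/WANIPConn1 '
    'soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping" '
    'ua="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0" referer="http://ads.example.invalid/banner.html"',
    '2008-01-14T20:21:16Z 192.168.1.20 POST /upnp/control/LANHostCfg1 '
    'soapaction="urn:schemas-upnp-org:service:LANHostConfigManagement:1#SetDNSServer" '
    'ua="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0" referer=""',
    '2008-01-14T20:22:40Z 192.168.1.20 POST /upnp/control/WANIPConn1 '
    'soapaction="urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress" '
    'ua="Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0" referer="http://ads.example.invalid/banner.html"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["src"]} {f["action"]} referer={f["referer"] or "-"}: ' + "; ".join(f["reasons"]))
```

On the constructed log this reports the AddPortMapping and SetDNSServer calls that came from a browser and stays silent on the genuine control point and on the read-only GetExternalIPAddress. It is a heuristic, not proof: a router that does not log request headers cannot feed it, and it says nothing about changes that were made before logging started, which is why it complements rather than replaces reading the router's settings back.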
This is really eye opening. I could never have thought the vulnerability went up to this extent. Well, I heard of port security and stuff. But, I didn't know that a utility can redirect ports by default without any user intervention. Though GOOD WORK guys. This is really OUTSTANDING RESEARCH