evan_tech -- upnp/flash vulnerability

08:17 am, 14 Jan 08

upnp/flash vulnerability

Not to reduce their work, but this article on UPnP "hacking" [site's currently not loading very reliably] uses a lot of words to make a small point. So here it is in shorter form:

Many (most) routers use UPnP for configuration, which uses SOAP over HTTP.
Despite there being an autodiscovery phase to UPnP that involves non-HTTP packets, you can guess a router's IP anyway and you don't need to do autodiscovery to run commands.
Flash lets you set arbitrary HTTP headers and POST to arbitrary hosts. This is standard XSRF -- the POSTing could be done with DHTML, so Flash is just needed to set the SOAP header.
Therefore, malicious Flash can run port-opening commands on your router.

Opening ports doesn't require a password (since software like Skype wants to be able to do it). They claim you can also change the DNS server or admin credentials, which seems to me like it ought to need a password, but maybe they're relying on people leaving default passwords.

symbioid

Intuitionally, I've never trusted UPnP, hence I've always had it turned off on my routers. That said, if I use, say, a Linksys BEFSR41, and only explicitly open ports in the forwarding section, would I be safe from this? And god knows I would never use a default password!

Does UPnP have other advantages that I should use, instead of explicitly opening a port? i.e. only open a report when it's needed, otherwise it closes it? I don't know enough about it, honestly...

reply to this

snej

It lets software open a port when it needs to (and the port is closed wen that process quits.) That makes P2P / VoIP / remote-access software work a lot more smoothly, when used by non-geeks or anyone else who doesn't want to have to mess with manually configuring port forwarding.

(Apple's newer AirPort base stations use an alternate protocol that's (a) vastly simpler - just a UDP packet - and (b) immune to this since it's nothing like HTTP. Thanks to Stuart "Bonjour" Cheshire.)

reply to this

snej

I don't think you could do this with DHTML, since browsers don't let JavaScript open connections to hosts outside the domain the page was served from. It sounds like Flash uses a looser security policy that allows this to happen. But if that's true, then can't Flash code already do other typical evil things, like fetching confidential data from hosts inside your firewall and sending it back to its server's evil overlords?

reply to this

evan	In this instance, it's just making a POST to an arbitrary IP -- no response needed (the seeing of which is typically disallowed by cross-domain security policies). Existing DHTML already allows POSTs to arbitrary IPs; Flash is only needed for this attack because Flash additionally allows setting arbitrary HTTP headers.
reply to this

Anonymous	UPnP hacking - Airport & Bonjour Having read all of this I was wondering: how about Mac's Airport base stations and Bonjour. Are they vulnerable to these kinds of exploits too? Thx for any suggestions and comments!
reply to this

evan	Re: UPnP hacking - Airport & Bonjour Airports use NAT-PMP, which works over UDP. I really hope (and am pretty sure) even Flash doesn't allow arbitrary UDP packets.
reply to this

ioerror	Re: UPnP hacking - Airport & Bonjour I believe that flash player does send UDP packets for it's magic Proxy Auto-Discovery stuff. I don't think you can control the payload but I believe you can configure a different target udp port. I think much worse than sending UDP packets is the fact that flash can touch your file system...
reply to this

evan_tech

upnp/flash vulnerability

UPnP hacking - Airport & Bonjour

Re: UPnP hacking - Airport & Bonjour

Re: UPnP hacking - Airport & Bonjour