  1. #1
    asoonernurse (Member) - Join Date: Aug 2012

    UPnP - A Security Risk?

    Chris Hoffman brought up some thought provoking points on this very subject.

    Malware On Your Network Can Use UPnP

    A virus, Trojan horse, worm, or other malicious program that manages to infect a computer on your local network can use UPnP, just like legitimate programs can. While a router normally blocks incoming connections, preventing some malicious access, UPnP could allow a malicious program to bypass the firewall entirely. For example, a Trojan horse could install a remote control program on your computer and open a hole for it in your router’s firewall, allowing 24/7 access to your computer from the Internet. If UPnP were disabled, the program couldn’t open the port – although it could bypass the firewall in other ways and phone home.

    Is This a Problem? Yes. There’s no getting around this one – UPnP assumes local programs are trustworthy and allows them to forward ports. If malware not being able to forward ports is important to you, you’ll want to disable UPnP.

    The Flash UPnP Attack

    UPnP doesn’t require any sort of authentication from the user. Any application running on your computer can ask the router to forward a port over UPnP, which is why the malware above can abuse UPnP. You might assume that you’re secure as long as no malware is running on any local devices – but you’re probably wrong.

    The Flash UPnP Attack was discovered in 2008. A specially crafted Flash applet, running on a web page inside your web browser, can send a UPnP request to your router and ask it to forward ports. For example, the applet could ask the router to forward ports 1-65535 to your computer, effectively exposing it to the entire Internet. The attacker would have to exploit a vulnerability in a network service running on your computer after doing this, though – using a firewall on your computer will help protect you.

    Unfortunately, it gets worse — on some routers, a Flash applet could change the primary DNS server with a UPnP request. Port forwarding would be the least of your worries – a malicious DNS server could redirect traffic to other websites. For example, it could point at another IP address entirely – your web browser’s address bar would say, but you’d be using a website set up by a malicious organization.

    Is This a Problem? Yes. I can’t find any sort of indication that this was ever fixed. Even if it was fixed (this would be difficult, as this is a problem with the UPnP protocol itself), many older routers still in use would be vulnerable.

    Bad UPnP Implementations on Routers

    The UPnP Hacks website contains a detailed list of security issues in the ways different routers implement UPnP. These aren’t necessarily problems with UPnP itself; they’re often problems with UPnP implementations. For example, many routers’ UPnP implementations don’t check input properly. A malicious application might ask a router to redirect network to remote IP addresses on the Internet (instead of local IP addresses), and the router would comply. On some Linux-based routers, it’s possible to exploit UPnP to run commands on the router. (Source) The website lists many other such problems.

    Is This a Problem? Yes. Millions of routers in the wild are vulnerable. Many router manufacturers haven’t done a good job of securing their UPnP implementations.

  2. #2
    zep516 (Member, Spyware Fighter) - Join Date: Dec 2005 - Pittsburgh, Pa


    Additional Information

    What is UPnP?

    The main goal of UPnP is to make adding network devices and networked programs to a network as easy as it is to plug in a piece of hardware into a PC (or even easier, as that is often error prone). The devices and programs find out about the network setup and other networked devices and programs through discovery and advertisements of services and configure themselves accordingly. In short: UPnP is a framework to build networked applications.

    The use of the name UPnP has caused a lot of confusion. Product specifications often mention something like 'UPnP support', but are totally unclear about what kind of support. Technically, just implementing device discovery would make a product UPnP compatible.

    Depending on the context 'UPnP' can mean completely different things. For a router this often means that the Internet Gateway Device Profile is implemented. For a media device it means that MediaServer, MediaRenderer or RemoteUI is implemented.

    UPnP history

    Universal Plug and Play (UPnP) saw the light in the late 1990s. Networks were just becoming popular. Several vendors were coming up with solutions to make networks and networked applications easier to manage. One early attempt was Sun's JINI. As a reaction to JINI (or so I was told) Microsoft came with UPnP. The first Microsoft products to ship with UPnP were Windows Millennium Edition and Windows XP. Since then there have been a lot of programs and devices that depend on UPnP (Live Messenger, Playstation, X-Box) and millions of networked devices that have implemented UPnP, such as routers and, increasingly, media players and media servers.

    Early versions of the Microsoft UPnP software suffered from a few buffer overflows. Until 2006 these were the most widely known UPnP bugs. In 2006 at the SANE 2006 conference in Delft, the Netherlands, I presented a paper about bugs in other UPnP devices, which are hard to fix and detect for normal users. In January 2008 the GNUcitizen hacker group used a flaw in the Adobe Flash plugin for Internet Explorer to reconfigure routers with UPnP (but only some stacks) and turned a (mostly) local attack into a remote attack.

    With more UPnP enabled devices on the market, and more people taking desktop security seriously (well, to some extent), some of the focus is shifting towards other devices on the network, such as access points, routers and firewalls, although at the moment it seems that right now desktops are still the prime targets. I have the feeling this will change in the future.

    Getting access to DNS with UPnP

    One of the goals of taking over the router is to get control of the Domain Name System on the router, so an attacker can reroute traffic of certain sites to his own site (a so called "man in the middle" attack). There are a few possible ways how this could be done, where UPnP can be used as part of the hack.

    Accessing DNS from the outside

    Many routers allow port 53 (UDP and TCP) on the WAN port of the router to be portmapped to port 53 (UDP and TCP) on the inside of the router itself, exposing the DNS on the router to the outside world. The DNS servers on most routers seem to be pure forwarders though, with no caching.
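Both posts describe the same three abuse patterns from the defender's side: a program forwarding a large block of ports to a LAN host (post #1), a router accepting a mapping whose "internal" client is actually a remote Internet address (post #1, the UPnP Hacks input-checking problem), and the router's own DNS on port 53 being mapped out to the WAN (post #2). The following added example, written for this thread and not code from either poster or from the UPnP Hacks site, shows how an audit of a router's existing port-mapping table can flag each of them. It parses the XML that an IGD router returns for the WANIPConnection action GetGenericPortMappingEntry (one mapping per response); the SOAP responses, addresses, descriptions and the per-client threshold are all constructed sample values, so the script runs offline.

```python
"""Audit of UPnP IGD port-mapping entries for the abuse patterns named in the
thread: forwarding to remote (non-LAN) hosts, exposing the router's own
DNS (port 53) to the WAN, and one host grabbing a large block of ports.

The SOAP XML is a constructed imitation of a WANIPConnection
GetGenericPortMappingEntry response (one mapping per response); the
addresses, descriptions and the per-client limit are made-up values.
"""
import ipaddress
import xml.etree.ElementTree as ET

IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def entry_xml(ext_port, proto, int_port, client, desc, enabled="1", lease="0"):
    """Build a constructed GetGenericPortMappingEntryResponse envelope."""
    return f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_NS}">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


def parse_mapping(soap_xml):
    """Extract the New* fields of one mapping entry, ignoring XML namespaces."""
    fields = {}
    for elem in ET.fromstring(soap_xml).iter():
        local = elem.tag.rsplit("}", 1)[-1]
        if local.startswith("New"):
            fields[local[3:]] = (elem.text or "").strip()
    return {
        "remote_host": fields.get("RemoteHost", ""),
        "external_port": int(fields["ExternalPort"]),
        "protocol": fields["Protocol"],
        "internal_port": int(fields["InternalPort"]),
        "internal_client": fields["InternalClient"],
        "enabled": fields.get("Enabled", "1") == "1",
        "description": fields.get("PortMappingDescription", ""),
    }


def audit_mappings(mappings, lan, gateway, per_client_limit=20):
    """Return (kind, detail) findings for mappings matching the thread's patterns.

    per_client_limit is an assumed threshold: more active mappings than this
    for one LAN host is treated as a mass port-forwarding attempt.
    """
    lan = ipaddress.ip_network(lan)
    gateway = ipaddress.ip_address(gateway)
    findings = []
    per_client = {}
    for m in mappings:
        if not m["enabled"]:
            continue  # disabled entries forward nothing
        client = ipaddress.ip_address(m["internal_client"])
        per_client[client] = per_client.get(client, 0) + 1
        where = f'{m["protocol"]}/{m["external_port"]} -> {client}:{m["internal_port"]}'
        if client not in lan:
            # Router accepted a non-LAN "internal" client: traffic is being
            # redirected to a host on the Internet.
            findings.append(("remote-redirect", where))
        elif client == gateway:
            # Mapping targets the router itself; port 53 means its DNS is
            # reachable from the WAN.
            kind = "dns-exposed" if m["internal_port"] == 53 else "router-exposed"
            findings.append((kind, where))
    for client, count in per_client.items():
        if count > per_client_limit:
            findings.append(("mass-forwarding", f"{client} holds {count} mappings"))
    return findings


# Constructed sample table: one benign game-console mapping, a redirect to a
# host on the Internet, the router's own DNS mapped to the WAN, a disabled
# leftover, and one LAN host that has asked for 30 consecutive ports.
SAMPLE_TABLE = [
    entry_xml(3074, "UDP", 3074, "192.168.1.20", "Xbox Live"),
    entry_xml(8080, "TCP", 80, "203.0.113.7", "upnp-client"),
    entry_xml(53, "UDP", 53, "192.168.1.1", "dns"),
    entry_xml(2000, "TCP", 2000, "192.168.1.9", "old", enabled="0"),
] + [entry_xml(p, "TCP", p, "192.168.1.50", "") for p in range(6000, 6030)]


def audit_sample():
    """Parse the constructed table and audit it against an assumed /24 LAN."""
    mappings = [parse_mapping(x) for x in SAMPLE_TABLE]
    return audit_mappings(mappings, "192.168.1.0/24", "192.168.1.1")


if __name__ == "__main__":
    for kind, detail in audit_sample():
        print(f"{kind:16} {detail}")
```

On a real router the same parser would be fed the responses of repeated GetGenericPortMappingEntry calls with NewPortMappingIndex 0, 1, 2, ... until the device returns an error; the audit logic is unchanged. The benign Xbox entry produces no finding, which is the point: UPnP mappings are not bad in themselves, it is mappings that leave the LAN, land on the router, or arrive by the dozen that deserve a look.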