The concept of Universal Plug and Play (UPNP) is a great idea, but for some reason it always frightened me... and now I see why.
For a bit of background, UPNP is a protocol that is meant to allow network devices to seamlessly connect and configure themselves. A good example of this is on home routers when you use the file sharing feature in MSN. When you send someone a file, your computer opens a port and instructs the recipient to connect to your computer on port x and download that file. If you are behind a home router you would normally have to log in to it and say "forward requests on port x to my computer internally on port x". That is quite the pain, but with UPNP the computer talks to the router and does this all for you automatically, and the file transfer is completed. This is all done without the user having to confirm the action, and the commands are trusted simply because they come from inside the network.
This is how routers can be exploited. The current proof of concept has the user visit a website with a Flash application on it. The Flash application runs on your local computer, which is behind the router, so it can issue UPNP commands inside your network. So now, just by visiting a website, you could unknowingly emit UPNP commands from within your own network (not that you ever knew what commands UPNP was executing in the first place).
Some of the things that could be done with this attack:
- Open a port forward into your internal network.
- Change the DNS server on the router. This could be tragic, as it could route www.yourbank.com to a fake site that looks just like www.yourbank.com and you would never know... well, until your account got emptied out.
- Reset credentials (yes, this can be done over UPNP).
- Open a port forward that exposes the router's internal web server to the outside world.
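As an added illustration (not code from the original post), here is a small Python checker that parses a captured UPNP SOAP control request and flags the two outcomes from the list above that a defender most wants to see: a port mapping that exposes the router's own web interface, and a change to the DNS servers. The sample requests are constructed; the `SetDNSServer` action name and the addresses in them are assumptions, since DNS-changing actions are vendor-specific.

```python
from xml.etree import ElementTree as ET
SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

def parse_upnp_action(body: str) -> tuple[str, dict]:
    """Return (action name, {argument: value}) from a UPnP SOAP control request."""
    root = ET.fromstring(body)
    action = list(root.find(SOAP_NS + "Body"))[0]
    name = action.tag.rsplit("}", 1)[-1]  # drop the service namespace prefix
    args = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in action}
    return name, args

def assess_upnp_request(body: str, router_ip: str) -> dict:
    """Rate a captured control request against the risks listed in the post."""
    name, args = parse_upnp_action(body)
    findings, severity = [], "info"
    if name == "AddPortMapping":
        client = args.get("NewInternalClient", "")
        findings.append(f"exposes {client}:{args.get('NewInternalPort')} "
                        f"on WAN port {args.get('NewExternalPort')}")
        severity = "medium"
        if client == router_ip:  # the router's own web interface reaches the Internet
            findings.append("maps the router's admin interface to the outside world")
            severity = "high"
        if args.get("NewLeaseDuration") == "0":
            findings.append("mapping never expires (lease 0)")
    elif "DNS" in name:  # action name is vendor-specific; 'SetDNSServer' is assumed
        findings.append("changes the DNS servers handed to every LAN client")
        severity = "high"
    return {"action": name, "severity": severity, "findings": findings}

def soap_body(action: str, service: str, **args) -> str:
    """Build a minimal SOAP envelope; used only to construct sample input below."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            f'<u:{action} xmlns:u="urn:schemas-upnp-org:service:{service}">'
            f'{inner}</u:{action}></s:Body></s:Envelope>')

# Constructed samples: what a LAN packet capture of the attack might contain.
SAMPLES = [
    soap_body("AddPortMapping", "WANIPConnection:1", NewRemoteHost="",
              NewExternalPort="8080", NewProtocol="TCP", NewInternalPort="80",
              NewInternalClient="192.168.1.1", NewEnabled="1",
              NewPortMappingDescription="x", NewLeaseDuration="0"),
    soap_body("SetDNSServer", "WANIPConnection:1", NewDNSServers="203.0.113.5"),
    soap_body("GetExternalIPAddress", "WANIPConnection:1"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess_upnp_request(s, router_ip="192.168.1.1"))
```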
Mitigation Techniques
- Number one is to disable UPNP on your router and other devices. Most routers have it turned on by default.
- In order to carry out this attack the software needs to guess the router's IP address. The common address is 192.168.1.1, so changing it to something else (but still in the private range) makes the attack harder, though it only buys time if a brute force approach is used.
- Disable Flash on your internal computers (not very practical, and all it would take is for someone to create a Java app or some other app that runs on the client to exploit this).
Not a Flash Issue
Reading this, most people will feel that this is an issue with Flash and should be fixed there. Really, Flash is just a convenient vector. In theory anything that is downloaded and executed on your computer (e.g. JavaScript, ActiveX, Java, Silverlight, etc.) could perform the same exploit. The only thing limiting those technologies is whether the language lets you do an HTTP POST to any IP it wants (some will only allow you to talk back to the server you got the file from in the first place). Flash actually has this protection in that it will allow you to send data to any server but not read the response back.