miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp

About UPnP security vulnerabilities

 
raphaelh



Joined: 16 Jan 2008
Posts: 5

Posted: Wed Jan 16, 2008 3:28 pm    Post subject: About UPnP security vulnerabilities

It has been known for quite a long time that UPnP makes things easier for non-tech-savvy users, but at the expense of security.

Lately, pdp (gnucitizen DOT org) has been playing with UPnP and posting his findings, so we can expect a bunch of script kiddies having fun with the millions of routers available worldwide pretty soon.

I think it could be highly valuable for miniupnp to add security options to restrict the damage that could be done.
raphaelh



Joined: 16 Jan 2008
Posts: 5

Posted: Wed Jan 16, 2008 3:33 pm

So now the links ;)

http://www.gnucitizen.org/blog/flash-upnp-attack-faq
http://www.gnucitizen.org/blog/hacking-the-interwebs
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play
http://www.upnp-hacks.org

One thing miniupnp really has to do is check whether the NewInternalClient in the AddPortMapping SOAP request is actually a machine on your LAN.

You obviously don't want iptables to turn your router into an onion router ;)

Make it the default behaviour in miniupnp, with an option to allow this if it is really the intended behaviour.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Wed Jan 16, 2008 6:27 pm

The first thing is: configure your firewall (netfilter, pf) to block access to miniupnpd from the outside world. THAT SHOULD ALREADY BE DONE ON EVERY ROUTER (and not only for miniupnpd ports, but also for every service not intended to be accessed from the internet).

MiniUPnPd is not responsible for such a bad configuration of your firewall.

The gnucitizen article is about a LAN machine executing malicious code (code which has to be downloaded from the internet and executed on the machine in some way not related to UPnP) which can open a port using UPnP services available on the LAN.

MiniUPnPd enables the user to restrict which ports/IPs can be the destination of a port mapping. A decent configuration would prohibit ports below 1024 from being mapped, preventing vulnerable Windows services from being reached from the internet.
The gnucitizen example is forwarding port 445...

The thing to understand is that once your computer is compromised with malicious code, yes of course the malicious code can use UPnP IGD services but anyway you are already fucked !
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Wed Jan 16, 2008 6:38 pm

More comments on what can be read here : http://www.gnucitizen.org/blog/flash-upnp-attack-faq

Quote:
Wrong! UPnP hacking is an extremely serious discipline which often leads to a catastrophic effect. The following is possible with UPnP:
* portforward internal services (ports) to the router external facing side (a.k.a poking holes into your firewall and/or network)

Yes it is possible with miniupnpd. However, miniupnpd allows you to restrict which ports are allowed to be redirected. Obviously, no one wants an external port being redirected to a Windows LAN machine port 445.
Quote:
* portforward the router web administration interface to the external facing side.

A correctly configured miniupnpd won't allow that !
Quote:
* port forwarding to any external server located on the Internet, effectively turning your router into a zombie: the attacker can attack an Internet host via your router, thus hiding their IP address (not all routers are affected by this, but most are)

A correctly configured miniupnpd won't allow that ! Only LAN destinations would be allowed for mappings.
Quote:
* change the DNS server settings so that next time when the victim visits bank.com, they actually end up on evil.com masquerading as bank.com

MiniUPnPd can't change DNS settings.
Quote:
* change the DNS server settings so that the next time when the victim updates their favorite Firefox extensions, they will end up downloading evil code from evil.com which will root their system.

MiniUPnPd can't change DNS settings.
Quote:
* reset/change the administrative credentials
* reset/change the PPP settings
* reset/change the IP settings for all interfaces
* reset/change the WiFi settings
* terminate the connection

miniupnpd can't do that ! And I don't remember such functions being available in the UPnP IGD API.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Wed Jan 16, 2008 7:01 pm    Post subject: Re: About UPnP security vulnerabilities

raphaelh wrote:
I think it could be highly valuable for miniupnp to add security options to restrict the damage that could be done.

The "port mapping allow/deny rules" feature was added to MiniUPnPd in January 2007 :)
The first version to include it was 1.0-RC3.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
raphaelh



Joined: 16 Jan 2008
Posts: 5

Posted: Thu Jan 17, 2008 12:57 pm

miniupnp wrote:
The thing to understand is that once your computer is compromised with malicious code, yes of course the malicious code can use UPnP IGD services but anyway you are already fucked !


No, it's not true.

In the PoC (proof of concept) from gnucitizen, the attack is made through Flash, so the user only has to navigate to a malicious webpage.

His computer is not compromised, he just visited a webpage!

Moreover, it is a lot more interesting for a black hat to compromise a router than a computer behind it, because it gives you a lot more power.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Thu Jan 17, 2008 3:48 pm

raphaelh wrote:
miniupnp wrote:
The thing to understand is that once your computer is compromised with malicious code, yes of course the malicious code can use UPnP IGD services but anyway you are already fucked !


No, it's not true.

In the PoC (proof of concept) from gnucitizen, the attack is made through Flash, so the user only has to navigate to a malicious webpage.

His computer is not compromised, he just visited a webpage!

Yes you are right.

raphaelh wrote:
Moreover, it is a lot more interesting for a black hat to compromise a router than a computer behind it, because it gives you a lot more power.

The PoC from gnucitizen is not really compromising the router, but just adding a redirection in order to allow the compromise of a computer on the network, using another attack.
It is powerful in the way that we could imagine that one redirection could be set up to all computers on the LAN, improving the chance of leaving at least one computer vulnerable to attacks from the outside.
What is not powerful in the PoC from gnucitizen is that the issue of device discovery is left unsolved: URLs to POST SOAP UPnP requests are not standardized.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
raphaelh



Joined: 16 Jan 2008
Posts: 5

Posted: Thu Jan 17, 2008 4:09 pm

The PoC from gnucitizen is just an example.

You can imagine another PoC changing the DNS the router is using, so hackers can later redirect the users wherever they want, and sniff their traffic (for passwords, beeep card numbers,...)

This makes compromising the router much more interesting than a single computer.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Thu Jan 17, 2008 4:53 pm

raphaelh wrote:
...
You can imagine another PoC changing the DNS the router is using, ...

The problem is I don't know how to change the DNS through UPnP commands... If the command exists, it should be some vendor-specific extension to the UPnP IGD spec, so it is wrong to talk about a UPnP breach, it is an implementation-dependent issue.
For example, miniUPnPd only allows clients to add/remove port mappings and retrieve statistics. That's the same for linux-igd on which many commercial home routers are based.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
raphaelh



Joined: 16 Jan 2008
Posts: 5

Posted: Thu Jan 17, 2008 5:27 pm

Another interesting paper on the issue : http://www.sane.nl/sane2006/program/final-papers/R6.pdf
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Thu Jan 17, 2008 6:01 pm

raphaelh wrote:
Another interesting paper on the issue : http://www.sane.nl/sane2006/program/final-papers/R6.pdf

Very interesting indeed. MiniUPnPd already complies with most of what is listed in section 8 "Fixing UPnP" of the document.
What I should add to MiniUPnPd is an option to restrict the possibility to add/remove port mappings for one internal machine from another (i.e. check that NewInternalClient is the client making the request).

DNS settings are changed using the LANDevice and LANHostConfigManagement UPnP devices that are implemented by very few devices. (And yes, of course it is very insecure to implement them !)
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Thu Jul 17, 2008 12:20 pm

miniupnp wrote:
What I should add to MiniUPnPd is an option to restrict the possibility to add/remove port mappings for one internal machine from another (i.e. check that NewInternalClient is the client making the request).

A "secure_mode" option has been added since miniupnpd-1.0.
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
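
Added example, not part of the posts above and not miniupnpd's own code: a sketch in C of the three checks this thread discusses for an AddPortMapping request, namely that NewInternalClient is on the LAN, that it is the requesting client (the "secure mode" idea), and that allow/deny rules refuse ports below 1024. All names (check_mapping, struct rule, sample_rules) and the 192.168.0.0/24 LAN are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>

enum verdict { MAP_OK, MAP_BAD_ADDR, MAP_NOT_LAN, MAP_NOT_REQUESTER, MAP_DENIED };

/* Hypothetical allow/deny rule; first match wins. Addresses are in host byte order. */
struct rule {
    int allow;
    uint16_t eport_min, eport_max, iport_min, iport_max; /* external / internal port ranges */
    uint32_t net, mask;                                  /* permitted internal network */
};

/* Constructed sample policy: unprivileged ports only, and only towards 192.168.0.0/24. */
static const struct rule sample_rules[] = {
    { 1, 1024, 65535, 1024, 65535, 0xC0A80000u, 0xFFFFFF00u },
    { 0, 0, 65535, 0, 65535, 0, 0 },                     /* deny everything else */
};

/* Dotted-quad only: a hostname is rejected instead of being resolved. */
static int parse_ip(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* requester is the source address of the SOAP client; internal_client is NewInternalClient. */
enum verdict check_mapping(const struct rule *rules, size_t n, uint32_t lan,
                           uint32_t lan_mask, int secure_mode, const char *requester,
                           const char *internal_client, uint16_t eport, uint16_t iport) {
    uint32_t req, dst;
    if (!parse_ip(requester, &req) || !parse_ip(internal_client, &dst)) return MAP_BAD_ADDR;
    if ((dst & lan_mask) != (lan & lan_mask)) return MAP_NOT_LAN; /* would relay to an outside host */
    if (secure_mode && dst != req) return MAP_NOT_REQUESTER;      /* mapping for another machine */
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (eport >= r->eport_min && eport <= r->eport_max &&
            iport >= r->iport_min && iport <= r->iport_max &&
            (dst & r->mask) == (r->net & r->mask))
            return r->allow ? MAP_OK : MAP_DENIED;
    }
    return MAP_DENIED;                                            /* no rule matched: default deny */
}

int main(void) { /* the thread's port 445 example must be refused */
    return check_mapping(sample_rules, 2, 0xC0A80000u, 0xFFFFFF00u, 1,
                         "192.168.0.10", "192.168.0.10", 445, 445) == MAP_DENIED ? 0 : 1;
}
```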
telesha
Guest





Posted: Tue Feb 22, 2011 7:35 am

How can I have a webcam that uses dynamic dns? I have a webpage that has my webcam on it and I have to keep changing the ip address in the html code. Can Dynamic dns fix this problem and how can I do it?
___________________


Last edited by telesha on Sat Feb 26, 2011 11:08 am; edited 1 time in total
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1113

Posted: Tue Feb 22, 2011 1:42 pm

telesha wrote:
How can I have a webcam that uses dynamic dns? I have a webpage that has my webcam on it and I have to keep changing the ip address in the html code. Can Dynamic dns fix this problem and how can I do it?

I'm not sure this is the right thread forum for this question...
anyway you should have a look at your webcam documentation...
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
tommy92



Joined: 08 Jun 2011
Posts: 1

Posted: Wed Jun 08, 2011 8:22 pm    Post subject: dns

So MiniUPnPd can't set DNS? Does that mean that MiniUPnPc can't set DNS either?
© 2007 Thomas Bernard, author of MiniUPNP.