raphaelh
Joined: 16 Jan 2008 Posts: 5
Posted: Wed Jan 16, 2008 3:28 pm Post subject: About UPnP security vulnerabilities

It has been known for quite a long time that UPnP makes things easier for non-tech-savvy users, but at the expense of security.
Lately, pdp (gnucitizen DOT org) has been playing with UPnP and posting his findings, so we can expect a bunch of script kiddies having fun with the millions of routers available worldwide pretty soon.
I think it could be highly valuable for miniupnp to add security options to restrict the damage that could be done.

raphaelh
Joined: 16 Jan 2008 Posts: 5
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Wed Jan 16, 2008 6:27 pm

The first thing is: configure your firewall (netfilter, pf) to block access to miniupnpd from the outside world. THAT SHOULD ALREADY BE DONE ON EVERY ROUTER (and not only for miniupnpd ports, but also for every service not intended to be accessed from the internet).
MiniUPnPd is not responsible for such a bad configuration of your firewall.
The gnucitizen article is about a LAN machine executing malicious code (code which has to be downloaded from the internet and executed on the machine in some way not related to UPnP) which can open a port using UPnP services available on the LAN.
MiniUPnPd enables the user to restrict which ports/IPs can be the destination of a port mapping. A decent configuration would prohibit ports below 1024 from being mapped, preventing vulnerable Windows services from being reached from the internet.
The gnucitizen example is forwarding port 445...
The thing to understand is that once your computer is compromised with malicious code, yes of course the malicious code can use UPnP IGD services, but anyway you are already fucked!
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Wed Jan 16, 2008 6:38 pm

More comments on what can be read here: http://www.gnucitizen.org/blog/flash-upnp-attack-faq
Quote: | Wrong! UPnP hacking is extremely serious discipline which often lead to a catastrophic effect. The following is possible with UPnP:
* portforward internal services (ports) to the router external facing side (a.k.a poking holes into your firewall and/or network) |
Yes, it is possible with miniupnpd. However, miniupnpd allows you to restrict which ports are allowed to be redirected. Obviously, no one wants an external port being redirected to a Windows LAN machine port 445.
Quote: | * portforward the router web administration interface to the external facing side. |
A correctly configured miniupnpd won't allow that!
Quote: | * port forwarding to any external server located on the Internet, effectively turning your router into a zombie: the attacker can attack an Internet host via your router, thus hiding their IP address (not all routers are affected by this, but most are) |
A correctly configured miniupnpd won't allow that! Only LAN destinations would be allowed for mappings.
Quote: | * change the DNS server settings so that next time when the victim visits bank.com, they actually end up on evil.com masqueraded as bank.com |
MiniUPnPd can't change DNS settings.
Quote: | * change the DNS server settings so that the next time when the victim updates their favorite Firefox extensions, they will end up downloading evil code from evil.com which will root their system. |
MiniUPnPd can't change DNS settings.
Quote: | * reset/change the administrative credentials
* reset/change the PPP settings
* reset/change the IP settings for all interfaces
* reset/change the WiFi settings
* terminate the connection |
miniupnpd can't do that! And I don't remember such functions being available in the UPnP IGD API.

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Wed Jan 16, 2008 7:01 pm Post subject: Re: About UPnP security vulnerabilities

raphaelh wrote: | I think it could be highly valuable for miniupnp to add security options to restrict the damage that could be done. |
The "port mapping allow/deny rules" feature was added to MiniUPnPd in January 2007;
the first version to include it was 1.0-RC3.

raphaelh
Joined: 16 Jan 2008 Posts: 5
Posted: Thu Jan 17, 2008 12:57 pm

miniupnp wrote: | The thing to understand is that once your computer is compromised with malicious code, yes of course the malicious code can use UPnP IGD services, but anyway you are already fucked! |
No, it's not true.
In the PoC (proof of concept) from gnucitizen, the attack is made through Flash, so the user only has to navigate to a malicious webpage.
His computer is not compromised, he just visited a webpage!
Moreover, it is a lot more interesting for a black hat to compromise a router than a computer behind it, because it gives you a lot more power.

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Jan 17, 2008 3:48 pm

raphaelh wrote: | miniupnp wrote: | The thing to understand is that once your computer is compromised with malicious code, yes of course the malicious code can use UPnP IGD services, but anyway you are already fucked! |
No, it's not true.
In the PoC (proof of concept) from gnucitizen, the attack is made through Flash, so the user only has to navigate to a malicious webpage.
His computer is not compromised, he just visited a webpage! |
Yes, you are right.
raphaelh wrote: | Moreover, it is a lot more interesting for a black hat to compromise a router than a computer behind it, because it gives you a lot more power. |
The PoC from gnucitizen is not really compromising the router, but just adding a redirection in order to allow the compromise of a computer on the network, using another attack.
It is powerful in the way that we could imagine that one redirection could be set up to all computers on the LAN, improving the chance of leaving at least one computer vulnerable to attacks from the outside.
What is not powerful in the PoC from gnucitizen is that the issue of device discovery is left unsolved: URLs to POST SOAP UPnP requests are not standardized.

raphaelh
Joined: 16 Jan 2008 Posts: 5
Posted: Thu Jan 17, 2008 4:09 pm

The PoC from gnucitizen is just an example.
You can imagine another PoC changing the DNS the router is using, so hackers can later redirect the users wherever they want, and sniff their traffic (for passwords, beeep card numbers,...)
This makes compromising the router much more interesting than a single computer.

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Jan 17, 2008 4:53 pm

raphaelh wrote: | ...
You can imagine another PoC changing the DNS the router is using, ... |
The problem is I don't know how to change the DNS through UPnP commands... If the command exists, it should be some vendor-specific extension to the UPnP IGD spec, so it is wrong to talk about a UPnP breach; it is an implementation-dependent issue.
For example, miniUPnPd only allows clients to add/remove port mappings and retrieve statistics. That's the same for linux-igd, on which many commercial home routers are based.

raphaelh
Joined: 16 Jan 2008 Posts: 5
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Jan 17, 2008 6:01 pm

Very interesting indeed. MiniUPnPd already complies with most of what is listed in section 8 Fixing UPnP of the document.
What I should add to MiniUPnPd is an option to restrict the possibility to add/remove a port mapping for one internal machine from another (i.e. check that NewInternalClient is the client making the request).
DNS settings are changed using the LANDevice and LANHostConfigManagement UPnP devices, which are implemented by very few devices (and yes, of course it is very insecure to implement them!).

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Jul 17, 2008 12:20 pm

miniupnp wrote: | What I should add to MiniUPnPd is an option to restrict the possibility to add/remove a port mapping for one internal machine from another (i.e. check that NewInternalClient is the client making the request). |
A "secure_mode" option has been added since miniupnpd-1.0.

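Added example, not part of the original thread and not miniupnpd's own code: a small Python model of the two controls discussed in the posts above, the port mapping allow/deny rules and the secure_mode check that NewInternalClient is the client making the request. The ruleset, addresses and function names are constructed for illustration; first-match evaluation and accepting a request when no rule matches are assumptions of this sketch.

```python
import ipaddress

# Constructed ruleset, in the style of miniupnpd.conf permission rules:
#   (allow|deny) <external ports> <internal IP/mask> <internal ports>
RULES = """
allow 1024-65535 192.168.0.0/24 1024-65535   # LAN hosts, ports >= 1024 only
deny  0-65535    0.0.0.0/0      0-65535      # everything else
"""

def _ports(spec):
    """Parse '445' or '1024-65535' into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi

def parse_rules(text):
    """Turn rule lines into (allow, ext_range, network, int_range) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        action, eports, net, iports = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action}")
        rules.append((action == "allow", _ports(eports),
                      ipaddress.ip_network(net), _ports(iports)))
    return rules

def check_mapping(rules, requester, ext_port, int_client, int_port,
                  secure_mode=True):
    """Return (accepted, reason) for one port mapping request."""
    client = ipaddress.ip_address(int_client)
    # secure_mode: a LAN host may only create mappings that point at itself.
    if secure_mode and client != ipaddress.ip_address(requester):
        return False, "secure_mode: NewInternalClient is not the requester"
    for allow, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and client in net and ilo <= int_port <= ihi:
            # Assumption of this sketch: the first matching rule decides.
            return allow, ("allow rule" if allow else "deny rule")
    # Assumption of this sketch: accept when nothing matches, which is why
    # the ruleset above ends with a deny-all line.
    return True, "no rule matched"
```

With this ruleset a request to forward port 445, a mapping to the router's own web interface, and a mapping to a non-LAN address are all refused, while a LAN host mapping a high port to itself is accepted.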
telesha Guest
Posted: Tue Feb 22, 2011 7:35 am

How can I have a webcam that uses dynamic dns? I have a webpage that has my webcam on it and I have to keep changing the ip address in the html code. Can Dynamic dns fix this problem and how can I do it?
___________________
Last edited by telesha on Sat Feb 26, 2011 11:08 am; edited 1 time in total

miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Tue Feb 22, 2011 1:42 pm

telesha wrote: | How can I have a webcam that uses dynamic dns? I have a webpage that has my webcam on it and I have to keep changing the ip address in the html code. Can Dynamic dns fix this problem and how can I do it? |
I'm not sure this is the right thread forum for this question...
Anyway, you should have a look at your webcam documentation...

tommy92
Joined: 08 Jun 2011 Posts: 1
Posted: Wed Jun 08, 2011 8:22 pm Post subject: dns

So MiniUPnPd can't set DNS? Does that mean that MiniUPnPc can't set DNS either?