miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
Randomize URLs

Forum: miniupnpd Feature Request
fof
Joined: 09 Sep 2015   Posts: 4
Posted: Wed Sep 09, 2015 8:03 pm    Post subject: Randomize URLs

Hello,

I would like to submit a feature request to randomize all of the URLs that are used to serve XML files, control URLs, etc. This could simply consist of appending a random UUID to the URL path so instead of /rootDesc.xml it would be /A890189-1FE288193989-B1283/rootDesc.xml.

Randomizing this every time the service starts would be excellent if possible. The reason for this request is that an attacker can use a DNS Rebind attack to interact with the UPnP service because all of the URLs are static and easily known to an attacker.

I realize that MiniUPnPd is not responsible for defending against DNS rebind attacks, but the sad truth is most routers are vulnerable to them and have no protection. If MiniUPnPd is updated so that an attacker cannot easily know the URLs that MiniUPnPd is using, it would be incredibly difficult to perform an attack of this nature.

Proof-of-concept code to perform this attack is available here: github dot com /filetofirewall/fof


Thanks,
FoF
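The path-randomization scheme described in the post above, modelled as an added Python example. This is not miniupnpd's code; the resource names and the `RandomizedUrlMap` class are illustrative assumptions. The security argument it shows is that the prefix reaches legitimate clients only through the SSDP LOCATION URL on the LAN, which a page loaded in a browser cannot read, so a DNS-rebinding attacker who already knows the port still has to guess the prefix before any request reaches rootDesc.xml or a control URL:

```python
import hmac
import secrets
from typing import Optional

# Paths a UPnP IGD serves at fixed locations. This set is illustrative and
# not taken from the daemon's source.
RESOURCES = {"rootDesc.xml", "WANIPCn.xml", "ctl/IPConn", "evt/IPConn"}


class RandomizedUrlMap:
    """Hide every served path behind a per-start random prefix.

    The prefix is generated once when the daemon starts (here: when the
    object is created) and advertised to LAN clients only through the SSDP
    LOCATION URL. A browser running a DNS-rebinding page never sees SSDP
    traffic, so it has nothing to put in front of /rootDesc.xml.
    """

    def __init__(self, lan_addr: str, port: int, nbytes: int = 16) -> None:
        # 128 bits from the OS CSPRNG (assumed size; a UUID would do as well).
        self.prefix = "/" + secrets.token_hex(nbytes)
        self.lan_addr = lan_addr
        self.port = port

    def location_url(self) -> str:
        """Value for the SSDP LOCATION header and M-SEARCH replies."""
        return f"http://{self.lan_addr}:{self.port}{self.prefix}/rootDesc.xml"

    def resolve(self, request_path: str) -> Optional[str]:
        """Map an HTTP request path to a resource name, or None (answer 404).

        The prefix comparison is constant-time so that a caller cannot narrow
        the prefix down by timing partial matches.
        """
        head = request_path[: len(self.prefix)]
        if not hmac.compare_digest(head.encode(), self.prefix.encode()):
            return None
        rest = request_path[len(self.prefix):]
        if not rest.startswith("/"):
            return None
        name = rest[1:]
        return name if name in RESOURCES else None


if __name__ == "__main__":
    urls = RandomizedUrlMap("192.168.1.1", 49152)
    print("LOCATION:", urls.location_url())
    print("/rootDesc.xml ->", urls.resolve("/rootDesc.xml"))
    print(urls.prefix + "/rootDesc.xml ->", urls.resolve(urls.prefix + "/rootDesc.xml"))
```

The prefix only defeats a party that cannot listen for SSDP: any process on the LAN learns it from the multicast NOTIFY or an M-SEARCH reply, so it complements Host-header validation and firewalling of the HTTP port rather than replacing them.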
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Thu Sep 10, 2015 2:34 pm

Could you explain why the HTTP port randomization of miniupnpd is not sufficient against this attack?
Each time miniupnpd is restarted, it picks a different port!
I think the attack is not really possible if 65000 ports have to be scanned...
_________________
Main miniUPnP author.
http://miniupnp.tuxfamily.org/
fof
Joined: 09 Sep 2015   Posts: 4
Posted: Thu Sep 10, 2015 6:43 pm

miniupnp wrote:
Could you explain why the HTTP port randomization of miniupnpd is not sufficient against this attack?
Each time miniupnpd is restarted, it picks a different port!
I think the attack is not really possible if 65000 ports have to be scanned...


Good question, and first let me say that if the HTTP port was actually randomized in an implementation then this would be very difficult.

The issue is that most implementations I've seen do not actually pick random ports each time the service is restarted. They are set static ports per device or end up being very high ports within a specific range.

In the comments of this block of minissdp.c on line 389 you can even see different manufacturers choosing specific ports to listen on (49152 which seems to be common and 5678).

https://github.com/miniupnp/miniupnp/blob/5873c5a6b4c4bf95cc5c3dde1309f579cdb3cb58/miniupnpd/minissdp.c#L389

Given the widespread use of static/predictable ports, I don't think it would be a bad idea to add the randomized URLs. This would also offer protection in case a manufacturer wants to use a static port.

Could you point me to the section of the code where the actual HTTP port randomization happens? I wonder if for certain devices seemingly static ports could end up being a side effect of improper randomization of the port in a certain part of the code.
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Fri Sep 11, 2015 7:59 am

I'm not saying that all UPnP implementations are randomizing the HTTP port. But miniupnpd does.

https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.c#L1871
If 0 is passed to OpenAndConfHTTPSocket(), the port is chosen by the system. This is the default case:
https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.conf#L23. But the user can choose to set a specific port.
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Fri Sep 11, 2015 8:36 am

I see you used pfSense for your PoC. You should ask the pfSense team why the HTTP port is fixed (if that is the case). They may have good reasons.
fof
Joined: 09 Sep 2015   Posts: 4
Posted: Sun Sep 13, 2015 6:23 pm

miniupnp wrote:
I'm not saying that all UPnP implementations are randomizing the HTTP port. But miniupnpd does.

https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.c#L1871
If 0 is passed to OpenAndConfHTTPSocket(), the port is chosen by the system. This is the default case:
https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.conf#L23. But the user can choose to set a specific port.

miniupnp wrote:
I see you used pfSense for your PoC. You should ask the pfSense team why the HTTP port is fixed (if that is the case). They may have good reasons.


When I said UPnP implementations, I also meant implementations of miniupnp too. Netgear and ZyXEL also assign static ports when they use miniupnp, not just pfSense. I'm sure there are plenty of other manufacturers who do this as well. The issue might also be that there is no warning that assigning a static port could allow for attacks like this.

Additionally, I'm not sure that relying on binding to port 0 (allocating a dynamic port) should be considered a good defense because different operating systems treat this scenario quite differently.

First, almost no operating system I can find assigns dynamic ports from 0-65535.

IANA recommended dynamic port ranges of 49152-65535 and most operating systems followed this recommendation at one point in time.

Linux extended this range to 32768-65535 in kernel 2.4, and this extended range hinges on the kernel having a certain amount of excess memory available to it, from my reading. Linux also has a good algorithm for ensuring that this port is random, so a dynamic port on Linux 2.4+ should protect against this attack to some degree. I believe some BSD variants recently extended their ranges as well, though their configurations seem to vary quite a bit.

As far as pfSense is concerned, they most likely assigned a static port so they could easily limit access to the service on the internal network with firewall rules. This is another way to mitigate this type of attack.

I understand your reluctance to implement this, but given the widespread and understandable use of static ports I think it would be a prudent decision to implement an extra layer of protection against this attack. It would also protect against an attacker who was able to identify the correct port that miniupnp is running on, which is especially helpful if the dynamic port range is limited or sequentially assigned on the operating system.

If you still disagree, that is your prerogative. I just wanted to bring this to your attention.
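An added experiment for checking the bind-to-port-0 argument made in the thread; it is not from the thread or from miniupnpd, and the helper names are assumptions. It binds a few listening sockets to port 0 the way a daemon restarted several times would, reports what the OS chose, reads the Linux dynamic range sysctl where it exists, and turns the range into the number of bits an attacker scanning for the HTTP port has to cover. The 49152-65535 figure in the comments is IANA's recommended dynamic range and 32768-60999 is a common Linux default; neither is a measurement from the thread.

```python
import math
import socket
from typing import List, Optional, Tuple


def local_port_range() -> Optional[Tuple[int, int]]:
    """Return the kernel's dynamic port range on Linux, or None elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except OSError:
        return None


def sample_ephemeral_ports(n: int, addr: str = "127.0.0.1") -> List[int]:
    """Bind n TCP sockets to port 0 and return the ports the OS handed out.

    All sockets stay open until sampling is done so the kernel cannot hand
    the same port back; this stands in for n successive daemon restarts.
    """
    socks, ports = [], []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((addr, 0))
            socks.append(s)
            ports.append(s.getsockname()[1])
    finally:
        for s in socks:
            s.close()
    return ports


def search_space_bits(lo: int, hi: int) -> float:
    """Bits of work for an attacker if ports are uniform in [lo, hi].

    IANA 49152-65535 gives 14.0 bits; Linux 32768-60999 gives about 14.8.
    """
    return math.log2(hi - lo + 1)


def max_step(ports: List[int]) -> int:
    """Largest jump between successive allocations.

    A value of 1 means every allocation was adjacent to the previous one,
    i.e. the OS is handing ports out sequentially rather than at random.
    """
    return max(abs(b - a) for a, b in zip(ports, ports[1:]))


if __name__ == "__main__":
    rng = local_port_range()
    ports = sample_ephemeral_ports(8)
    print("allocated ports:", ports)
    if rng:
        print("dynamic range %d-%d, %.1f bits" % (rng[0], rng[1], search_space_bits(*rng)))
    print("largest step between successive allocations:", max_step(ports))
```

Run it a few times on the platform a given firmware uses; a small, sequential set of results is the "static/predictable port" situation the thread is about, and on such a system the range reported by the sysctl, not 65535, is the size of the attacker's scan.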
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Sun Sep 13, 2015 8:12 pm

Well, the problem is that implementing a random URL path in miniupnpd is not simple...
Another thing I noticed about your PoC is that it opens ports to many IPs on the LAN. With miniupnpd it can be forbidden with secure_mode=yes in the .conf file.
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Mon Sep 14, 2015 9:35 am

I've started to implement it, and it is indeed not that simple :(
Have you checked that the miniupnpd version you are using includes https://github.com/miniupnp/miniupnp/commit/98cc73a372d61988b252794340daff68e2304a9d ?
I'm not sure if it is enough to block your attack :)
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Mon Sep 14, 2015 10:14 am

What do you think of that?
https://github.com/miniupnp/miniupnp/commit/a8f80040c9b4d0a99122cb58fc15926d0f61a46a
fof
Joined: 09 Sep 2015   Posts: 4
Posted: Tue Sep 15, 2015 4:25 pm

miniupnp wrote:
I've started to implement it, and it is indeed not that simple :(
Have you checked that the miniupnpd version you are using includes https://github.com/miniupnp/miniupnp/commit/98cc73a372d61988b252794340daff68e2304a9d ?
I'm not sure if it is enough to block your attack :)


This looks really good :) and that is definitely not present in any of the versions I have seen. That will block the attack 99% of the time, as it simply disallows alphabetical characters in the Host header. The latest version of miniupnp I could find in an existing implementation was v1.9 (in pfSense).

The only ways I can think of at the moment to bypass it are to use numeric TLDs in the future (they are being trialed, but do not exist at the moment) or a vulnerability that allows modification of the Host header in an XMLHttpRequest (possible, but not probable). A domain like (http://8475.42) would bypass the check, but for now that is excellent.

As a side note, it seems pfSense doesn't have the latest version because the FreeBSD package maintainer has not updated the miniupnpd port since Nov 2014, when v1.9 was released.

https://github.com/pfsense/FreeBSD-ports/commit/9582ff1c5053ec1cde6a794ed08485ee278dc33e


Quote:
what do you think of that ?
https://github.com/miniupnp/miniupnp/commit/a8f80040c9b4d0a99122cb58fc15926d0f61a46a


This looks good too. I'll have to set this up in a test environment to fully try it out. Give me a day or so to do this.
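The Host-header check discussed in the last two posts, as an added Python example. This is not the code from the linked commit; the function names and the `lan_addrs` list are assumptions. `host_has_no_letters` is the rule as fof describes it, rejecting any alphabetic character in Host; `host_is_own_address` is the stricter form a practitioner would want, which parses the value as an IP literal, compares it with the addresses the daemon serves and checks the port. With the strict form fof's numeric-TLD bypass (`8475.42`) fails, and bracketed IPv6 literals, which the letters-only rule rejects because hex digits are letters, are accepted. The background is that after a DNS-rebinding flip the browser still sends the attacker's hostname in Host while connecting to the router's LAN address, whereas a UPnP client always addresses the daemon by the literal IP from the SSDP LOCATION URL:

```python
import ipaddress
import re
from typing import Iterable, Optional, Tuple


def host_has_no_letters(host: str) -> bool:
    """Weak rule, as fof describes the 98cc73a change: no letters in Host."""
    return re.search(r"[A-Za-z]", host) is None


def _split_host_port(host: str) -> Optional[Tuple[str, Optional[int]]]:
    """Split 'a.b.c.d', 'a.b.c.d:port', '[v6]' or '[v6]:port'; None if malformed."""
    if host.startswith("["):
        end = host.find("]")
        if end < 0:
            return None
        addr, rest = host[1:end], host[end + 1:]
    else:
        addr, sep, rest = host.partition(":")
        if ":" in rest:  # unbracketed IPv6 is ambiguous with host:port, refuse it
            return None
        rest = sep + rest
    if rest == "":
        return addr, None
    if not (rest.startswith(":") and rest[1:].isdigit()):
        return None
    return addr, int(rest[1:])


def host_is_own_address(host: str, lan_addrs: Iterable[str], port: int) -> bool:
    """Strict rule: Host must be an IP literal we serve, with the port we listen on.

    lan_addrs is assumed to be the list of interface addresses the daemon was
    configured to serve; port is the HTTP port it actually bound.
    """
    parsed = _split_host_port(host)
    if parsed is None:
        return False
    addr, host_port = parsed
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 scope id
    except ValueError:
        return False  # hostnames, and two-part numerics like '8475.42', land here
    if (host_port if host_port is not None else 80) != port:
        return False
    return any(ip == ipaddress.ip_address(a) for a in lan_addrs)


if __name__ == "__main__":
    lan = ["192.168.1.1", "fe80::1"]
    for h in ["192.168.1.1:49152", "attacker.example:49152", "8475.42:49152", "[fe80::1]:49152"]:
        print("%-24s letters-rule=%-5s strict=%s" % (
            h, host_has_no_letters(h), host_is_own_address(h, lan, 49152)))
```

`ipaddress` insists on dotted-quad IPv4, which is why the two-part numeric form is rejected; a check built on a more permissive parser would need its own test for that case.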
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Fri Sep 18, 2015 12:22 pm

fof wrote:
Quote:
What do you think of that?
https://github.com/miniupnp/miniupnp/commit/a8f80040c9b4d0a99122cb58fc15926d0f61a46a

This looks good too. I'll have to set this up in a test environment to fully try it out. Give me a day or so to do this.

Let me know when you have tested it.
miniupnp (Site Admin)
Joined: 14 Apr 2007   Posts: 1394
Posted: Sat May 27, 2017 8:28 am

Well, as you never answered, I have merged the randomize_url branch into master, but disabled the functionality by default.
All times are GMT

Powered by phpBB © 2001, 2005 phpBB Group
© 2007 Thomas Bernard, author of MiniUPNP.