fof (Joined: 09 Sep 2015, Posts: 4)
Posted: Wed Sep 09, 2015 8:03 pm    Post subject: Randomize URLs

Hello,
I would like to submit a feature request to randomize all of the URLs that are used to serve XML files, control URLs, etc. This could simply consist of appending a random UUID to the URL path so instead of /rootDesc.xml it would be /A890189-1FE288193989-B1283/rootDesc.xml.
Randomizing this every time the service starts would be excellent if possible. The reason for this request is that an attacker can use a DNS Rebind attack to interact with the UPnP service because all of the URLs are static and easily known to an attacker.
I realize that MiniUPnPd is not responsible for defending against DNS rebind attacks, but the sad truth is most routers are vulnerable to them and have no protection. If MiniUPnPd is updated so that an attacker cannot easily know the URLs that MiniUPnPd is using, it would be incredibly difficult to perform an attack of this nature.
Proof-of-concept code to perform this attack is available here: github dot com /filetofirewall/fof
Thanks,
FoF

miniupnp (Site Admin; Joined: 14 Apr 2007, Posts: 1585)
Posted: Thu Sep 10, 2015 2:34 pm

Could you explain why the HTTP port randomization of miniupnpd is not sufficient against this attack?
Each time miniupnpd is restarted, it picks a different port!
I think the attack is not really possible if 65000 ports have to be scanned...

_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

fof (Joined: 09 Sep 2015, Posts: 4)
Posted: Thu Sep 10, 2015 6:43 pm

miniupnp wrote:
> Could you explain why the HTTP port randomization of miniupnpd is not sufficient against this attack?
> Each time miniupnpd is restarted, it picks a different port!
> I think the attack is not really possible if 65000 ports have to be scanned...

Good question, and first let me say that if the HTTP port was actually randomized in an implementation then this would be very difficult.
The issue is that most implementations I've seen do not actually pick random ports each time the service is restarted. They are set static ports per device or end up being very high ports within a specific range.
In the comments of this block of minissdp.c on line 389 you can even see different manufacturers choosing specific ports to listen on (49152 which seems to be common and 5678).
https://github.com/miniupnp/miniupnp/blob/5873c5a6b4c4bf95cc5c3dde1309f579cdb3cb58/miniupnpd/minissdp.c#L389
Given the widespread use of static/predictable ports, I don't think it would be a bad idea to add the randomized URLs. This would also offer protection in case a manufacturer wants to use a static port.
Could you point me to the section of the code where the actual HTTP port randomization happens? I wonder if for certain devices seemingly static ports could end up being a side effect of improper randomization of the port in a certain part of the code.

miniupnp (Site Admin; Joined: 14 Apr 2007, Posts: 1585)
Posted: Fri Sep 11, 2015 8:36 am

I see you used pfSense for your PoC. You should ask the pfSense team why the HTTP port is fixed (if that is the case). They may have good reasons.

_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

fof (Joined: 09 Sep 2015, Posts: 4)
Posted: Sun Sep 13, 2015 6:23 pm

miniupnp wrote:
> I see you used pfSense for your PoC. You should ask the pfSense team why the HTTP port is fixed (if that is the case). They may have good reasons.

When I said UPnP implementations, I also meant implementations of miniupnp too. Netgear and ZyXEL also assign static ports when they use miniupnp, not just pfSense. I'm sure there are plenty of other manufacturers who do this as well. The issue might also be that there is no warning that assigning a static port could allow for attacks like this.
Additionally, I'm not sure that relying on binding to port 0 (allocating a dynamic port) should be considered a good defense because different operating systems treat this scenario quite differently.
First, almost no operating system I can find assigns dynamic ports from 0-65535.
IANA recommended dynamic port ranges of 49152-65535 and most operating systems followed this recommendation at one point in time.
Linux extended this range from 32768 - 65535 in kernel 2.4 and this extended range hinges on the kernel having a certain amount of excess memory available to it from my reading. Linux also has a good algorithm for ensuring that this port is random, so a dynamic port on Linux 2.4+ should protect against this attack to some degree. I believe some BSD variants recently extended their ranges as well, though their configurations seem to vary quite a bit.
As far as pfSense is concerned, they most likely assigned a static port so they could easily limit access to the service on the internal network with firewall rules. This is another way to mitigate this type of attack.
I understand your reluctance to implement this, but given the widespread and understandable use of static ports I think it would be a prudent decision to implement an extra layer of protection against this attack. It would also protect against an attacker who was able to identify the correct port that miniupnp is running on, which is especially helpful if the dynamic port range is limited or sequentially assigned on the operating system.
If you still disagree, that is your prerogative. I just wanted to bring this to your attention.

miniupnp (Site Admin; Joined: 14 Apr 2007, Posts: 1585)
Posted: Sun Sep 13, 2015 8:12 pm

Well, the problem is that implementing a random URL path in miniupnpd is not simple...
Another thing I noticed about your PoC is that it opens ports to many IPs on the LAN. With miniupnpd this can be forbidden with secure_mode=yes in the .conf file.

_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

fof (Joined: 09 Sep 2015, Posts: 4)
Posted: Tue Sep 15, 2015 4:25 pm

This looks really good and that is definitely not present in any of the versions I have seen. That will block the attack 99% of the time as it simply disallows alphabetical characters in the Host header. The latest version of miniupnp I could find in an existing implementation was v1.9 (in pfSense).
The only ways I can think of at the moment to bypass it is to use numeric TLDs in the future (they are being trialed, but do not exist at the moment) or if there is a vulnerability that allows modification of the Host header in an XMLHttpRequest (possible, but not probable). A domain like (http://8475.42) would bypass the check, but for now that is excellent.
As a side note, it seems pfSense doesn't have the latest version because the FreeBSD package maintainer has not updated the miniupnpd port since Nov 2014 when v1.9 was released.
https://github.com/pfsense/FreeBSD-ports/commit/9582ff1c5053ec1cde6a794ed08485ee278dc33e
This looks good too. I'll have to set this up in a test environment to fully try it out. Give me a day or so to do this.

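The Host-header check discussed above, written out as an added example (not miniupnpd's own code): a request sent through an attacker-controlled hostname is rejected because the Host value must be a literal IPv4 address with an optional :port. The loose "digits and dots only" variant reproduces the bypass fof describes (a numeric TLD such as 8475.42 gets through), while the strict variant parses the address with inet_pton() and rejects it; the IPv6 bracket form is not handled here.

```c
/* Added example (not miniupnpd's code): Host-header validation as a
 * DNS-rebinding defence. A rebinding attack must send a Host header
 * carrying the attacker's domain name, so requiring a literal IP
 * address blocks it. The loose check below accepts a numeric TLD
 * such as "8475.42"; the strict check does not. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Loose check: host part may contain only digits and dots. */
int host_loose_ok(const char *host)
{
    const char *colon = strchr(host, ':');
    size_t n = colon ? (size_t)(colon - host) : strlen(host);
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)host[i]) && host[i] != '.') return 0;
    return 1;
}

/* Strict check: host part must be a full dotted-quad IPv4 address and
 * any port part must be an integer in 1..65535. */
int host_strict_ok(const char *host)
{
    char buf[64];
    const char *colon = strchr(host, ':');
    size_t n = colon ? (size_t)(colon - host) : strlen(host);
    struct in_addr addr;
    if (n == 0 || n >= sizeof(buf)) return 0;
    memcpy(buf, host, n);
    buf[n] = '\0';
    if (inet_pton(AF_INET, buf, &addr) != 1) return 0;  /* rejects "8475.42" */
    if (colon) {
        char *end;
        long port = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || *end != '\0' || port < 1 || port > 65535) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample Host headers: LAN address, rebinding domain, numeric TLD. */
    const char *hosts[] = { "192.168.1.1:5000", "router.example:5000", "8475.42" };
    for (size_t i = 0; i < 3; i++)
        printf("%-22s loose=%d strict=%d\n", hosts[i],
               host_loose_ok(hosts[i]), host_strict_ok(hosts[i]));
    return 0;
}
```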
miniupnp (Site Admin; Joined: 14 Apr 2007, Posts: 1585)
Posted: Fri Sep 18, 2015 12:22 pm

fof wrote:
> This looks good too. I'll have to set this up in a test environment to fully try it out. Give me a day or so to do this.

Let me know when you have tested it.

_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

miniupnp (Site Admin; Joined: 14 Apr 2007, Posts: 1585)
Posted: Sat May 27, 2017 8:28 am

Well, as you never answered, I have merged the randomize_url branch into master, but disabled the functionality by default.

_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/