Slashdot Mirror
50 Million Potentially Vulnerable To UPnP Flaws
Gunkerty Jeb writes "In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"
Even HD Moore's Law now.
Little incentive to contribute code as it will be snatched by Micro$oft and App£e.
Damn you Anonymous Coward and you HD Moore's Law!
n/t
or did they actually do active spidering of (b):
1 -- a representative sample of IP addresses in a particular space 2 -- a wide ranging probe of many many IP addresses all around the world?.
If they did (a) above, then sure it makes sense. If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential serialized intentional attempt to knock on so many doors to test vulnerability, well that's just annoying and wrong, and possibly illegal,eh?
I have had a long standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old d-link, linksys, etc routers out there doing their thing without being massively attacked.
The closest that I have seen to a good widespread attack was when a certain DSL modem would crash when script-kiddies were attacking NT machines and the same attack jammed up that model DSL modem. That wasn't really an attack and it didn't amount to much.
So my bet still stands with modification: there will be an attack, it will be soon, it will be a worm, and people will (mostly) be blissfully unaware of (why is my internet so slow) it and certainly be incapable of dealing with it. Thus it will come down to the ISPs to deal with it which should be interesting to watch.
Let any application open a port to the outside world on your router? Really? and nobody gave a damn about the consequences or even understood its power. Meanwhile I sat back and watched as millions of people enabled it by default on products shipped out worldwide and said nothing because NOBODY CARED they /wanted/ the convenience and turn-key solution that UPnP provided and didn't want to bother learning how to open their own ports manually.
How many vendors are going to patch some obsolete hw to get the lib updated? I would be surprised if they can build images for some of those old products. That said, it seems a bit of an uphill crack, you have to know the target CPU, the lib version, and prepare a useful injection rather than just a denial of service. Still, it is interesting that people are still acting as documented on data coming over the wire, sprintfs into buffers with %s was an eye opener to me. These days for web stuff I use the c++ string class, fixed c buffers look weak to me with unvalidated socket input.
H.
This is what you should expect when you design a protocol as unnecessarily complex and as undocumented as UPnP.
A friend and I were thinking of using UPnP to help people run servers for a game we're working on, but documentation for the protocol is seemingly non-existant, and from what we can tell, it's quite complex as well, requiring a lot of parsing of plain text (XML is more bug-prone than binary data in that respect) and using protocols that are clearly bad ideas (like HTTP over UDP, rather than doing something sane like creating a UPnP protocol by just sending packets with the necessary information in them rather than wrapping it all up in a bunch of XML and HTTP and then some bastardized form of HTTP at that).
We found libupnp, and thought about using it, but even it's quite complex for the given task. All we want to do is tell the fucking router that we'd like an open port. Why should that be so difficult? Quite honestly, the router only needs 16 bits of data from us to fullfill the request, but for some reason they've taken something so simple and wrapped it in layers of bullshit. That sort of thing just begs for vulnerabilities to be present everywhere, since rather than spend time reviewing code and verifying that it works correctly, developers instead spend all their time just getting things to work at all.
Just yesterday, lots of Slashdot readers claimed UPnP was totally reasonable for security. It's time for a wall of shame. Here is the story:
http://it.slashdot.org/story/13/01/29/0111238/58000-security-camera-systems-critically-vulnerable-to-attackers
I'll start.
adolf: http://it.slashdot.org/comments.pl?sid=3415287&cid=42722879
Miamicanes: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723217
julesh: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723393
Rapid7 provide a testing tool. It requires Java. So to find one vulnerability, you have to install another.
...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.
But the page itself is still there. Only the link was removed. To get to it, visit : http://192.168.1.1/index.cgi?active%5fpage=900
Suck it, Verizon!
If computers were people, I'd be a misanthrope.
Yes, shovelware applies to hardware too. Hardware like home routers, which are NEVER EVER updated - be it by their rock-dumb owners or their irresponsible manufacturers.
And then this happens. All the time forever, until the greedy fucks who make those never-updated shit get slapped with fines for gazillions, and THEN the surviving ones would begin to think of SUPPORTING the crap they sell, instead of shoveling poorly-differentiated models that only exist to make the non-castrated one more expensive than it has any sort of right to be. But then market segmentation is worth so much more than supporting the products you sold! Why would they sell at what the product is worth (i.e. marginal production cost) when they can pretend to turn more profit by selling half-products at full price so that the complete product costs three times what it should? And when making several models by chopping out necessary things from the reference one, it gets much more complicated to support all the kinds of half-products, instead of making one that works well and is supported for long.
Also, the only company that does Just That - good productsat some price point, but no range of half-products headed by one real model (that all the shit ones are based on, minus vital features) happens to be the most profitable company in the world. Just sayin'.
Making laws based on opinions that stem up from false informations leads to witch hunts.
http://www.grc.com/unpnp/unpnp.htm
I blame the banking industry for colluding to set LIBOR.
are potentially belonging to someone? are we talkin root level type executions?
then 'anonymous' is doing it all wrong.
when they hack a site, they just need to put a little notice on it.
"your site is vulnerable. we are researchers, not hackers. this has been an public service of anonymous."
captcha: sesame
Microsoft was one of the founders of the UPnP Forum, Apple isn't a member. Not to mention that Microsoft pushed this API very hard. We were warned of the vulnerability of this protocol back in 2001. There was a big deal with Windows ME and XP about disabling this service also, It was Microsoft whom ignored all the vulnerabilities at first, if they scared OEMs then the OEMs wouldn't implement this protocol.
This is yet another example of why Microsoft has too much power and shouldn't be dictating what's in my hardware. How long until Secure Boot gets this same treatment of access to your system?.
Remote buffer overflow in what? the Linux Kernel? IPTables?
There are some crappy routers which expose remote administration tools by default, but those are the exception. Most old home routers only flaw is to enable Universal PnP out of box and not to encrypt wireless.
I followed the link to the article... then the link to the PDF follow the link to their "Vulnerablity Detector"... Start to install... Read the Legalese... The terms are suspicious... Click OK tpo continue... The next screen asks for personal information. Red Lights and Alarms go off. Anytime a "security vendor" lists contract terms like those and then wants my name and address when I did not want or ask to contract a service. I killed the installer.
Level7 is not preventing a problem --- it is the problem. If you installed their client you have just been pwned...
1.) IF you use a router (NAT stateful packet inspecting type hopefully)? Examine its settings for UPnP - & disable it!
(E.G./I.E.-> LinkSys/Cisco models DO offer this (I have that in my wired BEFSX41 unit here))
2.) Per my subject-line - for Windows users, specifically: Disable Windows' "UPnP Device Host" service (Run services.msc & right-click on that service name, setting it to disabled)
(Assuming you DON'T need its services, that is... & if you do? That's a risk you're taking until this is fixed!)
---
* VOILA: Problem solved, & rather easily...
APK
P.S.-> And, there you go...
... apk
Why is the uPnP service facing Internet anyway? Shouldn't it be accessible only from LAN?
I was shocked that I had to, repeatedly, argue about the insecurity of the entire UPnP concept with supposedly technical people on Slashdot. This article and your post is a sweet stab to the face of those morons.
UPnP is a ludicrous concept intended to facilitate the installation of network devices by complete neophytes. It is a marketing tool, not a networking or security tool. Even without this "new" vulnerability UPnP is a disaster that should always be disabled.
Having UPnP turned on is the equivalent of turning off your firewall. Arguments in favor of UPnP are proof of not having a clue.
Per my subject-line above - In my security guides for Windows users -> http://www.pcreview.co.uk/forums/secure-windows-2000-xp-server-2003-and-even-vista-make-fun-do-t3511888p2.html (search UPnP on that page, it covers that which I posted in my reply I just replied to now, "for posterities' sake"...)
* :)
APK
P.S.=> "Onwards & UPWARDS"...
... apk
Except I have documented PROOF of it, from 5++ yrs. ago here -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736725 & since late 2007 in fact!
* See subject-line though, in any event... lol!
APK
P.S.=> "Onwards & UPWARDS"... apk
http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736557
* :)
( I cover it in 2 ways there, & have BEEN covering it since late 2007, per security guides for Windows users -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736725 I wrote up back then - that still do a good job, even today, even vs. THIS vulnerability... )
APK
P.S.=> "Onwards & UPWARDS"...
... apk
Quite interesting that everybody here understands that there are million of small router device owners out ther that can hardly operate a windows machine let alone flash and update their router. Yet when a company decides to set their router's automatic update(remember the linksys case?)on by default we flame them to death...
I'm pretty sure that if Cisco had rolled out a patched firmware that didn't change the features, functionality or configuration on the router that most people would have been quite OK with it, maybe even happy.
But, Cisco rolled out a whole new feature set firmware that removed control from the end user, moved their configs to the coud, forced them to create cloud accounts to regain any access to their own routers, started collecting user usage data for advertisers or what-have-you.
In scenario one, bugs are automatically fixed. In scenario two the router is hijacked and its functionality significantly altered without notification. That's a huge difference.
See here -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736725
* :)
APK
P.S.=> Additionally, in 2 discrete ways (hardware, in router settings - AND software level by services, for Windows users @ least (the predominant type online no less)) -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736557
... apk
Set it into "bridged" mode, & get a GOOD NAT stateful packet inspecting router!
(E.G./I.E.-> For example, my LinkSys/CISCO BEFSX41 for example, can do this - most, CAN!).
Why?
It works, since it sets THEIR FIOS (or DSL) modem into "dummy terminal mode", & then allows YOUR router to take overcontrol duties instead!
(Which, odds are, since your firewalling router has more features for security, odds are, including UPnP control, "hardware-side" - then, you can also do this OS-side too, in Windows as well for more "layered-security"/"derfense-in-depth" -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736557 by disabling the service for UPnP too...)
* :)
I cover the software-side, for a GOOD reason too - routers can & DO get "compromised" in OTHER WAYS besides this issue is why...
(Hence, my coverage of OS side too, as that "layered-security"/"defense-in-depth" as well!
APK
P.S.=> Been covering this since late 2007 in security guides I wrote up -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736725
... apk
I've got an old Linksys WRT54GL running the latest Tomato Firmware (v1.28; development seems to have stopped), which has MiniUPNP v1.4 providing Universal PnP services. Version 1.4 is not vulnerable to the exploits listed in the whitepaper (1.0 is), so it's probably safe to keep it turned on.
Hail Eris, full of mischief...
E pluribus sanguinem
I did actually install that Gibson thing to disable my UPnP in 2001 because I didn't see a use for accessing my Plug-and-Play hardware over the net - the very concept of plugging something into one machine and accessing it from another as if it had been plugged in there felt far too much like a security problem to me.
Seems these days this is just becoming a hot topic again because Media Servers seem to use UPnP for streaming music and movies to your TV, or speakers, or smartphone, or tablet - yes, right across the Internet.
And some WLAN routers now tout their built-in Media Server as a feature, and of course you want to allow access to them from the Internet because of smartphone tunes... ...and all apparently without proper security, or at least I was never prompted for login details.
You fool! Anyone who depends on their router for security is an idiot. You assumed that your brand new laptop would be safe when connecting to your home LAN, behind that router? What were you planning on doing when you took it to Starbucks and used their WiFi?
Security need to be built into each device in the form of a software firewall. Unneeded ports need to be closed, whether you are on a LAN or not. Once this is taken care of, you can assume that your home/office LAN is as hostile as the Internet at large. Which isn't a bad policy, seeing as how many idiots bring infected laptops or free USB drives in to work all the time.
Have gnu, will travel.
Most of the media reports are irresponsible. The flaw reported by US-CERT and Rapid7 are to a coding error in libupnp, an open source library for the UPNP standard. Old versions of that code (like many more I suspect) have buffer overflow errors. This has nothing to do with the UPNP standard or UPNP in general. It is unfortunate that router manufacturers have not implemented the newer versions of UPNP IGD:2 and DeviceProtection:1.
Ultimately there are lots of users that don't update their firmware and so are exposed to numerous threats without knowing it.
I just check the internet facing modem (a Chinese Zyxel-1432 based thingamabob) and the DNS-server/router that it connects to for my internal network (my trusty old WRT-54GL). Neither of these have UPnP enabled. Hopefully when it says 'disabled' it really is 'disabled'. I likely have UPnP enabled within ubuntu. I looked at metasploit's software, but when they stared with installer questions like 'when was your last dental checkup', 'what is the name, address, and phone number of your dentist so we can confirm your last checkup', 'how much money do you have in your bank' and 'what is the personal identification number (pin) number of your bank so we can confirm your account balance' along with 'what is your recent (20 years max) sexual history (include drunken parties)', I got annoyed and deleted all the metasploit stuff. Their software is not signed (at least with md5sum) either. I don't trust it.
ah, if only there were a way to mark spammer-trolls and slowly-deactivate their accounts without inviting a way for other types of trolls to abuse that capacity to mark down people whom they do not like. The scary / scarier part is that they picked a "name" Diane Kua that is actually a name of "1 real person in the USA" when you search for them. That identity theft is probably part of this spam-troll technique, but their blatant use of a real person's identity may be the leverage against them because it might actually be unlawful and illegal to impersonate an actual person that way: using identity theft.
Why?!? UPNP should only be necessary for running servers. If you want to host a game server or ftp server or web server, port-forward the appropriate port(s) on your NATing router. Hopefully, you have some basic understanding of the security implications.
What I don't understand is how UPNP got accepted as a protocol. Why are some apps so braindead that clients need UPNP? TFA mentions "smart TVs, IP cameras, printers, media servers and routers to name a few". An ordinary PC can subscribe to Netflix without UPNP. Why does a "smart TV" need to be "discoverable" from outside? Why The F*** would I (or 99% of users) want to have my router/TV/printer/etc "discoverable" from the outside?
Bittorrent is both client and server. A user who doesn't have a clue about securely running a server has no business running bittorrent.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
> If we're lucky, it'll force the rock stupid ISP's to roll out IPv6 world wide. That
> would fix the god damn problem the fastest and solve the problem if address
> exhaustion we're already facing. Get all of us home users off IPv4 and onto
> IPv6 with the damn modems actually supporting multiple IPv6 addresses.
How does that address the problem? What makes you think that brand new barely-tested IPV6 firmware would be any more secure than older patched IPV4 firmware?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
Upnp was spotted as an issue years ago by Gibson research Corp more than 10 years ago. He even made tools to test for it. www.grc.com