50 Million Potentially Vulnerable To UPnP Flaws
Gunkerty Jeb writes "In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"
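As an added example (not Rapid7's tool and not code from the page), a small Python parser for the SSDP discovery replies the summary refers to: it pulls the advertised UPnP stack out of the SERVER header and flags replies whose LOCATION sits on a routable rather than an RFC 1918 address, which is the Internet-facing exposure later commenters ask about. The replies, addresses, UUIDs and version strings are constructed for the example.

```python
"""Parse SSDP discovery replies (what an M-SEARCH elicits) and report, per
device, the UPnP stack it advertises and whether its LOCATION points at an
RFC 1918 address or at a routable one, i.e. a stack exposed to the Internet.
Added example, not Rapid7's tool; every reply below is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed replies. Header names follow the UPnP Device Architecture;
# the addresses, UUIDs and version numbers are made up for this example.
SAMPLE_RESPONSES = [
    ("HTTP/1.1 200 OK\r\n"
     "CACHE-CONTROL: max-age=120\r\n"
     "ST: upnp:rootdevice\r\n"
     "USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n"
     "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
     "SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.4\r\n\r\n"),
    ("HTTP/1.1 200 OK\r\n"
     "CACHE-CONTROL: max-age=1800\r\n"
     "ST: upnp:rootdevice\r\n"
     "USN: uuid:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee::upnp:rootdevice\r\n"
     "LOCATION: http://203.0.113.7:49152/description.xml\r\n"
     # libupnp (the stack the summary names) commonly identifies itself as
     # "Portable SDK for UPnP devices"; the version here is made up
     "SERVER: Linux/2.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n\r\n"),
]

# Address ranges that mean "this device lives on a LAN, not on the Internet"
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10")]


def parse_ssdp_response(raw):
    """Return {lower-cased header: value} for a 200 reply, {} otherwise."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def upnp_stack(server_header):
    """Split 'OS/ver UPnP/1.0 product/ver' into (product, version)."""
    m = re.search(r"UPnP/\d+(?:\.\d+)?[,\s]*(.*)$", server_header)
    product = (m.group(1) if m else server_header).strip()
    name, _, version = product.rpartition("/")
    return (name or product, version if name else "")


def exposure_report(raw):
    """One record per reply; None when the reply carries no LOCATION."""
    h = parse_ssdp_response(raw)
    if "location" not in h:
        return None
    host = urlsplit(h["location"]).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
        on_lan = any(addr in net for net in LAN_RANGES)
    except ValueError:
        on_lan = None         # hostname, not a literal IP: undecided here
    name, version = upnp_stack(h.get("server", ""))
    return {"usn": h.get("usn", ""), "stack": name, "version": version,
            "host": host,
            "internet_facing": None if on_lan is None else not on_lan}


def audit(responses):
    """Records for every reply whose LOCATION is on a routable address."""
    reports = [r for r in map(exposure_report, responses) if r]
    return [r for r in reports if r["internet_facing"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_RESPONSES):
        print(f"{r['host']}: {r['stack']} {r['version']} ({r['usn']})")
```

The stack name and version are reported for the administrator to check against the vendor's own advisory; the script deliberately makes no vulnerability judgement itself.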
Little incentive to contribute code as it will be snatched by Micro$oft and App£e.
or did they actually do active spidering of (b):
1 -- a representative sample of IP addresses in a particular space
2 -- a wide-ranging probe of many, many IP addresses all around the world?
If they did (a) above, then sure, it makes sense. If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean, one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential, serialized, intentional attempt to knock on so many doors to test vulnerability, well, that's just annoying and wrong, and possibly illegal, eh?
I have had a long-standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old D-Link, Linksys, etc. routers out there doing their thing without being massively attacked.
The closest that I have seen to a good widespread attack was when a certain DSL modem would crash when script-kiddies were attacking NT machines and the same attack jammed up that model DSL modem. That wasn't really an attack and it didn't amount to much.
So my bet still stands with modification: there will be an attack, it will be soon, it will be a worm, and people will (mostly) be blissfully unaware of (why is my internet so slow) it and certainly be incapable of dealing with it. Thus it will come down to the ISPs to deal with it which should be interesting to watch.
Let any application open a port to the outside world on your router? Really? and nobody gave a damn about the consequences or even understood its power. Meanwhile I sat back and watched as millions of people enabled it by default on products shipped out worldwide and said nothing because NOBODY CARED they /wanted/ the convenience and turn-key solution that UPnP provided and didn't want to bother learning how to open their own ports manually.
How many vendors are going to patch some obsolete hw to get the lib updated? I would be surprised if they can build images for some of those old products. That said, it seems a bit of an uphill crack: you have to know the target CPU, the lib version, and prepare a useful injection rather than just a denial of service. Still, it is interesting that people are still acting as documented on data coming over the wire; sprintfs into buffers with %s were an eye-opener to me. These days for web stuff I use the C++ string class; fixed C buffers look weak to me with unvalidated socket input.
H.
Just yesterday, lots of Slashdot readers claimed UPnP was totally reasonable for security. It's time for a wall of shame. Here is the story:
http://it.slashdot.org/story/13/01/29/0111238/58000-security-camera-systems-critically-vulnerable-to-attackers
I'll start.
adolf: http://it.slashdot.org/comments.pl?sid=3415287&cid=42722879
Miamicanes: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723217
julesh: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723393
Rapid7 provide a testing tool. It requires Java. So to find one vulnerability, you have to install another.
...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.
But the page itself is still there. Only the link was removed. To get to it, visit: http://192.168.1.1/index.cgi?active%5fpage=900
Suck it, Verizon!
If computers were people, I'd be a misanthrope.
Yes, shovelware applies to hardware too. Hardware like home routers, which are NEVER EVER updated - be it by their rock-dumb owners or their irresponsible manufacturers.
And then this happens. All the time forever, until the greedy fucks who make those never-updated shit get slapped with fines for gazillions, and THEN the surviving ones would begin to think of SUPPORTING the crap they sell, instead of shoveling poorly-differentiated models that only exist to make the non-castrated one more expensive than it has any sort of right to be. But then market segmentation is worth so much more than supporting the products you sold! Why would they sell at what the product is worth (i.e. marginal production cost) when they can pretend to turn more profit by selling half-products at full price so that the complete product costs three times what it should? And when making several models by chopping out necessary things from the reference one, it gets much more complicated to support all the kinds of half-products, instead of making one that works well and is supported for long.
Also, the only company that does Just That - good products at some price point, but no range of half-products headed by one real model (that all the shit ones are based on, minus vital features) - happens to be the most profitable company in the world. Just sayin'.
Making laws based on opinions that stem from false information leads to witch hunts.
http://www.grc.com/unpnp/unpnp.htm
Microsoft was one of the founders of the UPnP Forum; Apple isn't a member. Not to mention that Microsoft pushed this API very hard. We were warned of the vulnerability of this protocol back in 2001. There was a big deal with Windows ME and XP about disabling this service also. It was Microsoft who ignored all the vulnerabilities at first; if they had scared OEMs then the OEMs wouldn't have implemented this protocol.
This is yet another example of why Microsoft has too much power and shouldn't be dictating what's in my hardware. How long until Secure Boot gets this same treatment of access to your system?
Does anyone know where I can find a list of routers which aren't vulnerable?
> Does anyone know where I can find a list of routers which aren't vulnerable?
Have you tried scanning the Internet?
And you've just given me one more reason to think that my policy of "turn it off" (since it was first put into a consumer OS) was correct.
"All we want to do is tell the fucking router that we'd like an open port. Why should that be so difficult?"
Because it's MY DAMN COMPUTER and network, that's why. And you have no need to open my ports. You can talk outwards, no problem at all, to any destination that will accept a connection. And most home routers will NOT accept a connection (you have to think of people who DON'T have UPnP enabled or compatible hardware too, or have software firewalls in the way as well, etc.). Why do I need to let traffic through other than what your servers have sanitised and handled for me?
The number of actual applications for UPnP is vanishingly small, and all solved by just running an intermediary server to handle connections which requires next-to-nothing in terms of resources (literally, a £10/month VPS would be overkill just for that, and most people that would need it have something like a website anyway that could run off the same machine).
And the simple examples of Skype/Steam show that there's NO NEED TO, whether joining gameservers or providing streaming video from both ends simultaneously, unless I'm deliberately setting up a network service that NEEDS to be accessible to the world. And if I can't figure out a port-forward interface on a router for that, maybe I shouldn't be doing it.
Opening a port really is old-hat, and not something that's worked reliably on any random machine/network for decades (You'll notice that things like TeamViewer etc. just run a local client and talk out to a accessible server, faffing with port-forwards just isn't worth the hassle). And there's no need to do it. And UPnP is a just way for it to happen automatically (whether it works or not is another matter) without any user say-so in it. If that isn't enough to scare you off having used it for the past decade, maybe you need to run a network or two and see what it means in real terms of impact upon what you need to do.
If your application NEEDS to open ports, run an intermediary server which is publicly accessible, secured, and only exposes that port necessary. If you haven't got the resources / brains to do that, I don't want you opening ports into my networks and personal computers anyway.
Remote buffer overflow in what? the Linux Kernel? IPTables?
There are some crappy routers which expose remote administration tools by default, but those are the exception. Most old home routers only flaw is to enable Universal PnP out of box and not to encrypt wireless.
I followed the link to the article... then the link to the PDF... followed the link to their "Vulnerability Detector"... Started to install... Read the legalese... The terms are suspicious... Click OK to continue... The next screen asks for personal information. Red lights and alarms go off. Any time a "security vendor" lists contract terms like those and then wants my name and address when I did not want or ask to contract a service, I kill the installer.
Level7 is not preventing a problem --- it is the problem. If you installed their client you have just been pwned...
Why is the UPnP service facing the Internet anyway? Shouldn't it be accessible only from the LAN?
Set it into "bridged" mode, & get a GOOD NAT stateful packet inspecting router!
(E.G./I.E.-> My LinkSys/CISCO BEFSX41, for example, can do this - most CAN!)
Why?
It works, since it sets THEIR FIOS (or DSL) modem into "dummy terminal mode", & then allows YOUR router to take over control duties instead!
(Which, odds are, since your firewalling router has more features for security, odds are, including UPnP control, "hardware-side" - then, you can also do this OS-side too, in Windows as well for more "layered-security"/"defense-in-depth" -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736557 by disabling the service for UPnP too...)
* :)
I cover the software side, for a GOOD reason too - routers can & DO get "compromised" in OTHER WAYS besides this issue is why...
(Hence, my coverage of the OS side too, as that "layered-security"/"defense-in-depth" as well!)
APK
P.S.=> Been covering this since late 2007 in security guides I wrote up -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736725
... apk
I've got an old Linksys WRT54GL running the latest Tomato Firmware (v1.28; development seems to have stopped), which has MiniUPNP v1.4 providing Universal PnP services. Version 1.4 is not vulnerable to the exploits listed in the whitepaper (1.0 is), so it's probably safe to keep it turned on.
Hail Eris, full of mischief...
E pluribus sanguinem
I did actually install that Gibson thing to disable my UPnP in 2001 because I didn't see a use for accessing my Plug-and-Play hardware over the net - the very concept of plugging something into one machine and accessing it from another as if it had been plugged in there felt far too much like a security problem to me.
Seems these days this is just becoming a hot topic again because Media Servers seem to use UPnP for streaming music and movies to your TV, or speakers, or smartphone, or tablet - yes, right across the Internet.
And some WLAN routers now tout their built-in Media Server as a feature, and of course you want to allow access to them from the Internet because of smartphone tunes... and all apparently without proper security, or at least I was never prompted for login details.
This!
UPnP is a solution to a non-problem. What's the point of any firewall if an application can request a hole through it?
There is the capability of having ACLs, but on the majority of routers it is just a tick-box to enable/disable, allowing any device internally to have free rein to accept incoming requests.
Almost all routers are not vulnerable, if you are smart enough to uncheck the UPnP box. I haven't seen many where you can't disable it, and as has been pointed out elsewhere, running a firewall where any malware can request a gaping hole in it sort of defeats the purpose.
These flaws are already a non-issue to anyone who takes security seriously. The problem is that the average user leaves things as they come from the factory, and they come from the factory vulnerable.
Nooo... it's a solution to a VERY real problem, but it's a problem that most geeks don't realize exists. You see, your average Joe has all these devices that can connect to the Internet, multiple PCs, tablet, phone, Internet-enabled TV, but they don't have a damned clue on how to make ANY of that shit play nice with one another or to set it up so they can use them on the net as they were designed.
So UPNP was invented so Joe average wouldn't have to pay a guy like me a couple of hundred bucks to set up their network while at the same time not having the routers set to just broadcast in the clear with zero encryption and for that? it actually worked pretty well. Now we need a new generation that will be backwards compatible enough so that everyone isn't gonna have to throw out their TVs or tablets while bumping up the security.
But you can't just throw the baby out with the bathwater as folks still need a way to get all this stuff to hook up and to talk to each other without having to have a degree just to get it to work. Like it or not UPNP is a very useful tech to Joe and Jane average and as we get more and more internet capable devices they'll need plug and play simple even more.
ACs don't waste your time replying, your posts are never seen by me.
My understanding was that UPnP was for punching a hole in the firewall/NAT for incoming requests. Joe Average doesn't need this functionality, does he?
Outgoing NAT on consumer grade routers is a separate feature from UPnP and isn't required to use your laptop/TV/tablet/phone on the internet.
I think UPnP at the most (in the average house) is used by the Playstation to host or any other server-less P2P network for connectivity. Solve that problem, and we're gold.
You fool! Anyone who depends on their router for security is an idiot. You assumed that your brand new laptop would be safe when connecting to your home LAN, behind that router? What were you planning on doing when you took it to Starbucks and used their WiFi?
Security needs to be built into each device in the form of a software firewall. Unneeded ports need to be closed, whether you are on a LAN or not. Once this is taken care of, you can assume that your home/office LAN is as hostile as the Internet at large. Which isn't a bad policy, seeing as how many idiots bring infected laptops or free USB drives in to work all the time.
Have gnu, will travel.
What about those of us who want to use UPnP and so can't trivially uncheck the box?
> You see your average Joe has all these devices that can connect to the Internet, multiple PCs, tablet, phone, Internet enabled TV, but they don't have a damned clue on how to make ANY of that shit play nice with one another or to set it up so they can use them on the net as they were designed.
So Microsoft, instead of handing the user a rag and a bottle of Windex (or water diluted vinegar which works just as well) to clean their dirty [Ww]indows so they can see out, instead handed them a hammer so they can break the glass.
Amazing. UPnP has been a disastrous idea from day one. It surprises me every time I hear of someone who's ignorant of this.
"Tongue tied and twisted, just an Earth bound misfit
NAT is not an argument for security; don't combine it with a firewall like that. UPnP was a workaround to the NAT problem, which was a workaround to the single public IP most ISPs provided to their customers. I remember I had to coax my ISP to give me more IPs so I could play Starcraft 1 online with my friends against other players. Great fun, and I got to play around with a Juniper traffic shaper and IP assignment.
If you want to run a server or host anything, having support for UPnP is great - you don't have to log in to the router and open any ports. Just run the program or game and everything just works.
It is really sad that these security holes have been uncovered, but even more sad that hardware manufacturers seldom offer software support beyond their shelf time. I think we need a consumer law that says you can return or exchange your hardware if the manufacturer refuses to update their firmware. And if they won't provide new hardware to you, they should be forced to open-source their unsupported stuff in the name of security.
Hmmm, that might become really interesting if I think about Microsoft, Windows XP and Internet Explorer 6 :D
Teasing the nobles, and rightfully so!
Friends don't let friends allow app guys to mess with network/security.
Cheap storage VM.
Then sleep well knowing that your insistence on continuing to use a known insecure feature just for a little bit of extra convenience might just come back to bite you in the ass eventually. The rest of us who know the flaws of UPnP and how to manually set up port forwarding and/or port triggering have likely already done this long ago; we survived, our networks aren't broken. It's really not difficult; just a couple switches on the router to match the ports of the software you use.
> Nooo...its a solution to a VERY real problem but its a problem that most geeks don't realize exists. You see your average Joe has all these devices that can connect to the Internet, multiple PCs, tablet, phone, Internet enabled TV, but they don't have a damned clue on how to make ANY of that shit play nice with one another or to set it up so they can use them on the net as they were designed.
Well, it's about time they fucking learn. Computers don't need to be dumbed down to toaster levels... their increasing number of users need to learn a thing or two about a network if they want to have one in the first place. This mass retardation of computers has allowed even the dumbest people to do basic things on them, and that's great--but if these people want to do anything more advanced, then maybe it's time that they read up and learn how. This mass dumbing down of computing and networking is creating security problems while at the same time inviting even more dumbasses in droves. The world would be better off with fewer of these people, even if that means fewer new computer owners.
There is a reason you have to go through a period of training at a new job, and plenty of practice followed by a test just to get your license to drive a vehicle. There is a certain skill set that is expected, and with computers, that should be no different. Any machine down to a damn cash register should be understood before just diving in. Fuck, you should even have a basic understanding of a toaster before you use one, or else you'll end up getting burned, electrocuted, or even burn the damn house down. It is the users who need to get smarter... not the computers.
Are you sure you want to use UPnP over the Internet? The UPnP setting does not affect local network UPnP.
Don't complain about syntax, grammar, or spelling. There is no hell like input on Android.
I tend to think of it as very useful... if you've spent the time trying to do on-demand ports for games, IRC, FTP etc... it's not fun opening up all those NAT forwards... UPnP is a bit easier. Though I'm generally the only user on my network at home...
Michael J. Ryan - tracker1.info
Translation: "how can I enable a security vulnerability while disabling a security vulnerability?"
The sentence just doesn't parse that way does it?
There is no secure way to let any piece of software that wants to open your firewall do so. The whole concept of a firewall is disabled by the idea of UPnP.
If you need a port opened, then open the port. Letting random software do it automatically is just asking for trouble.
ah, if only there were a way to mark spammer-trolls and slowly-deactivate their accounts without inviting a way for other types of trolls to abuse that capacity to mark down people whom they do not like. The scary / scarier part is that they picked a "name" Diane Kua that is actually a name of "1 real person in the USA" when you search for them. That identity theft is probably part of this spam-troll technique, but their blatant use of a real person's identity may be the leverage against them because it might actually be unlawful and illegal to impersonate an actual person that way: using identity theft.
Appropriate reply based on user name. I see what you did there.
Why?!? UPNP should only be necessary for running servers. If you want to host a game server or ftp server or web server, port-forward the appropriate port(s) on your NATing router. Hopefully, you have some basic understanding of the security implications.
What I don't understand is how UPNP got accepted as a protocol. Why are some apps so braindead that clients need UPNP? TFA mentions "smart TVs, IP cameras, printers, media servers and routers to name a few". An ordinary PC can subscribe to Netflix without UPNP. Why does a "smart TV" need to be "discoverable" from outside? Why The F*** would I (or 99% of users) want to have my router/TV/printer/etc "discoverable" from the outside?
Bittorrent is both client and server. A user who doesn't have a clue about securely running a server has no business running bittorrent.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
> If we're lucky, it'll force the rock stupid ISP's to roll out IPv6 world wide. That
> would fix the god damn problem the fastest and solve the problem if address
> exhaustion we're already facing. Get all of us home users off IPv4 and onto
> IPv6 with the damn modems actually supporting multiple IPv6 addresses.
How does that address the problem? What makes you think that brand new barely-tested IPV6 firmware would be any more secure than older patched IPV4 firmware?
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
UPnP was spotted as an issue by Gibson Research Corp more than 10 years ago. He even made tools to test for it. www.grc.com
I've read that in Estonia children are taught at school, at a young age, the practical usage of computers and networks. I would add to it digital photography, image editing, digital cartography, and smartphones.
>My understanding was that UPnP was for punching a hole in the firewall/NAT for incoming requests
No, UPnP is primarily about AV devices finding each other so they can do stuff like sending video from the video source to the TV. It's network detection and selection, device discovery, service discovery and service negotiation. All run-of-the-mill consumer electronics behaviors that the industry has managed to massively screw up for the past 30 years. P1394 tried and screwed it up (discovery and negotiation). UPnP tried and screwed it up (bad security, ineffective discovery). P802 tried and screwed it up - LLDP (too little), 802.21 (too late). I could go on. You still cannot string one wire, or wireless interface, between standards-compliant boxes - computer, DVD, TV, speakers, Roku-esque box - and have them find each other and present a user with the right options like "watch DVD" or "watch Roku" or "watch TV".
The punching-a-hole thing is a router behavior to allow UPnP to work across the router (whether firewalled or not), because by default they block UPnP, as they should.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Okay, that's great, thanks.
My experience of UPnP has been from routers and firewalls. For example, the Linux daemon for UPnP just adds a NAT rule in the UPNP table.
The pfSense option does the same thing.
The article is about UPnP from many IPs (via routers, I would have imagined).
Yes. Millions of vulnerable UPnP implementations in consumer electronics, behind cheap NAT routers that by default allow a UPnP hole.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.