Slashdot Mirror


Remote-Access Router Exploit Finally Revealed (helpnetsecurity.com)

"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security: Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit. The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable.

38 comments

  1. Not a big deal by arth1 · · Score: 3, Insightful

    Anyone who wants to use their router for security will have UPnP turned off (or for halfway decent routers, not even present) anyhow. It's an inherently unsafe protocol, deliberately trading security for convenience. Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

    Hopefully, this can be another nail in the coffin for UPnP, but I doubt it. With consumers, convenience will always win over security.

    1. Re:Not a big deal by Anonymous Coward · · Score: 1

      Anyone who wants to use their router for security will have UPnP turned off

      Wrong.
      There are millions and millions of people who want to use their router for security that don't know enough or do not take the time to turn off UPnP. That is the entire point of discussing this. It's why this is a fucking issue. You cannot just dismiss it by waving your hands and saying meh, they don't know what they're doing.

    2. Re:Not a big deal by Z00L00K · · Score: 1

      I agree, the amount of F-ups that UPnP offers greatly exceeds the advantages of that protocol.

      I can't imagine that anyone allowed that protocol from the beginning. On the other hand - don't underestimate the power of human stupidity and laziness.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.

    3. Re:Not a big deal by Anonymous Coward · · Score: 0

      What do you expect techies to do? Securing computers which are used by normal consumers is not possible. Maybe you can close this hole, but they leave the door open anyway. The correct response to problems which only affect people who would gladly give up security for a smidgen of convenience is to shrug and move on. Choose your battles.

    4. Re:Not a big deal by Anonymous Coward · · Score: 1

      > [uPnP is] an inherently unsafe protocol, deliberately trading security for convenience.

      How is it more unsafe than giving each machine on your LAN a globally-routable IP address? (Hint: This is exactly what you get with decent IPv6 service.)

      > Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

      On every one of the dozens of routers I've used, uPnP rules come _after_ all admin-specified firewall rules. This means that uPnP rules cannot override admin prohibitions, as the admin-specified rules take precedence over the uPnP-specified rules.

      If you don't have untrusted/untrustworthy devices in their own subnet, then those devices are obviously not that untrustworthy... you let them talk directly to other devices on your LAN (routers aren't involved in (and -thus- can't prohibit) traffic that doesn't cross subnet boundaries).

    5. Re:Not a big deal by Mashiki · · Score: 1

      Well it could be like Bell Canada. Who uses your street address for your wifi password, and uses WEP as the default security. Sometimes there are things far worse, and really the problems here are people either don't look things up(like what UPnP does), or think that because it's set to on by default it's perfectly safe. Second that companies enable this by default because "it makes it easy."

      --
      Om, nomnomnom...

    6. Re:Not a big deal by freax · · Score: 3, Informative

      Download the PDF. Go to page 15 and read the implementation of the unique_service_name function. There are 7!! rash amateur code exploits in about 30 - 50 lines of code, brackets and return calls included. That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code. The amount of stink you see in each and every line of the implementation is what makes any serious programmer speechless. A minimal amount of code review would have blocked the contribution entirely.

      We should put the blame of this one on the programmer. Not on the protocol. That doesn't mean UPnP doesn't stink together with the implementation. Especially since often the guys writing reference and often-used libraries for a protocol, are also the ones who defined the protocol. So if the implementation is like that code, which it likely is, then I'm pretty sure the protocol isn't going to conform to RFC 1925.

    7. Re:Not a big deal by Anonymous Coward · · Score: 0

      Here's a question for /. crowd, what's the most common valid use case for UP&P being required to do something the average worker/user needs to do?

    8. Re: Not a big deal by Anonymous Coward · · Score: 0

      Gaming.

      **Crickets**

    9. Re:Not a big deal by Anonymous Coward · · Score: 1

      Well I've never used it myself, but I think the main purpose people use it for is to allow untrustworthy devices to poke holes in their firewall, so that remote exploits are easier to create and security of the person's local network is compromised. That way, a person does not have to be a networking guru to create security problems in their own network. It's all handled transparently behind the scenes, which makes things easier for the average person to deal with. It's all about ease of use.

    10. Re: Not a big deal by Anonymous Coward · · Score: 0

      Well said. The code is appalling, and the blame is not only the programmer's, but also the programmer's direct manager's for not realizing the situation that programmer is in - or not caring, which is often the case.

    11. Re:Not a big deal by Anonymous Coward · · Score: 0

      A mind boggling stupid idiot must have written that code.

      Either your mind boggles easily, in which case I pity you, or you simply don't have much experience with idiots, in which case I envy you.

    12. Re:Not a big deal by Anonymous Coward · · Score: 0

      It's poor attitudes like yours that make computing worse for those who don't have the knowledge to fix broken things; all you do is make it worse for those who want to fix it.

      Asshole.

    13. Re:Not a big deal by Anonymous Coward · · Score: 1

      Go ahead, maintain their computers for them. When you've done all the work to make their setup secure, they'll throw it out and buy something new because it works with the latest fad, or won't get in their way so often like the old thing that you practically made unusable, or for no reason at all. UPnP exists because of these people. Of course they'll say they want security. But they choose convenience over security every time. Why would I question their priorities?

    14. Re:Not a big deal by jader3rd · · Score: 2

      Here's a question for /. crowd, what's the most common valid use case for UP&P being required to do something the average worker/user needs to do?

      Peer to peer communication works better with it. So things like Skype as well as multi player gaming.

    15. Re:Not a big deal by jader3rd · · Score: 1

      Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

      Its main purpose is to knock holes in the firewall for devices on the LAN, behind the router. If I have an untrusted device on my side of the network that's a problem that I should fix, even without UPnP.

    16. Re:Not a big deal by Anonymous Coward · · Score: 1

      > what's the most common valid use case for UP&P being required to do something the average worker/user needs to do?

      Ad-hoc port forwarding. UPnP does a bit more than this, but that's its primary use.

      Rather than asking a user to faff about with a shitty login screen, and then three or more frequently poorly-designed screens, the software that needs port forwarding -but doesn't want to try to roll the dice with one of the three or so NAT hole punching techniques that don't work all of the time- can just automatically set up the forwarding. Networks should Just Work.

      People are freaking out about untrusted devices tunnelling out from the LAN. Untrusted devices should be in an "untrusted devices" subnet that's isolated from the "trusted devices" subnet. That's just a basic practice. (The fact that most consumer routers are too poorly designed to provide a UI to do this painlessly doesn't change the fact that it's a basic practice.)

    17. Re:Not a big deal by chihowa · · Score: 1

      You start off by confusing NAT and firewalls, so it's hard to believe that you really have much of a clue.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.

    18. Re:Not a big deal by erapert · · Score: 1

      That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code.

      Everyone makes mistakes. But aren't there tools out there that will avoid mistakes like this? In other words, if that rank amateur had been using C++ instead of doing a bunch of manual stuff with C then this particular problem would have been avoided.

      Page 17 from the .pdf:

      We see that the code has been refactored, but still suffers from three buffer overflows in roughly the same places as before. The strncpy() function is being passed a length based on the distance between two strings in the attacker-supplied request, but is not checked against the size of the destination buffer.

      So... if they had used C++ and std::string instead of doing everything manually in C then this would not have happened (perhaps some other vulnerability would be found instead, but not this one).

      STOP USING C. It is not superior in any way. You are not a big tough guy for using "the most hardcore" language.

      Not everyone will be an expert. Yes, we do have to live with idiots-- and even if there's no idiots around we're all still capable of being dumb ourselves.
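
The bug class freax (comment 6) and erapert (comment 18) are arguing about, a strncpy() length derived from the distance between two sender-chosen delimiters rather than from the destination size, can be shown in a few lines of C. The following is an added example written for this page; it is not code from the DefenseCode report or from the Broadcom UPnP stack, and the "uuid:...::" framing, the 32-byte field buffer and the two sample requests are constructed assumptions. It computes the length the unchecked code would hand to strncpy(), flags when that length would run past the destination, and shows the bounded extraction that rejects such input instead of copying it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed destination size; a real parser has its own fixed buffers. */
#define FIELD_MAX 32

/* Constructed sample request: hypothetical "open<field>close" framing. */
static const char *BENIGN_REQ = "uuid:abc::urn:example";

static char g_big_req[256];

/* Constructed request whose closing delimiter the sender pushed far out:
 * "uuid:" + 64 'A' + "::urn:example", so the derived length is 64 > FIELD_MAX. */
const char *oversized_request(void)
{
    size_t i = 0;
    memcpy(g_big_req, "uuid:", 5); i = 5;
    memset(g_big_req + i, 'A', 64); i += 64;
    strcpy(g_big_req + i, "::urn:example");
    return g_big_req;
}

/* The length the unchecked code passes to strncpy(): the distance between
 * two delimiters the sender controls. Only computed here, never used to copy.
 * Returns -1 when either delimiter is missing. */
long derived_len(const char *req, const char *open, const char *close)
{
    const char *start = strstr(req, open);
    if (!start) return -1;
    start += strlen(open);
    const char *end = strstr(start, close);
    if (!end) return -1;
    return (long)(end - start);
}

/* 1 if strncpy(dst, start, derived_len) into dst[dst_size] would write past
 * the end or leave no room for the NUL terminator, else 0. */
int would_overflow(const char *req, const char *open, const char *close,
                   size_t dst_size)
{
    long n = derived_len(req, open, close);
    return n >= 0 && (size_t)n >= dst_size;
}

static char g_field[FIELD_MAX];

/* Hardened extraction: the derived length is checked against the destination
 * size before any copy, and the result is always NUL-terminated.
 * Returns the copied length, -1 for malformed framing, -2 when the field
 * would not fit (rejected instead of truncated or overflowed). */
int extract_field(const char *req, const char *open, const char *close)
{
    long n = derived_len(req, open, close);
    if (n < 0) return -1;
    if ((size_t)n >= sizeof g_field) return -2;
    memcpy(g_field, strstr(req, open) + strlen(open), (size_t)n);
    g_field[n] = '\0';
    return (int)n;
}

const char *last_field(void) { return g_field; }

int main(void)
{
    printf("benign: derived=%ld overflow=%d status=%d field=\"%s\"\n",
           derived_len(BENIGN_REQ, "uuid:", "::"),
           would_overflow(BENIGN_REQ, "uuid:", "::", FIELD_MAX),
           extract_field(BENIGN_REQ, "uuid:", "::"), last_field());
    const char *big = oversized_request();
    printf("oversized: derived=%ld overflow=%d status=%d\n",
           derived_len(big, "uuid:", "::"),
           would_overflow(big, "uuid:", "::", FIELD_MAX),
           extract_field(big, "uuid:", "::"));
    return 0;
}
```

Compile with any C99 compiler and run: the benign request yields the field "abc" with status 3, the oversized one is rejected with status -2 before a single byte is copied. The check that matters is on the destination size, and strncpy() by itself never sees that size, which is erapert's point; a string type that carries its own length, or a wrapper that always takes the destination size, removes the class rather than relying on every call site to remember the comparison.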

    19. Re:Not a big deal by Anonymous Coward · · Score: 0

      You've clearly never played a video game where it needs ports 10,000 through 60,000 forwarded because it will use one of them, but it is random as to which one it will use. Please, continue telling me how port forwarding is more safe than just opening up 75% of your ports.

    20. Re:Not a big deal by arth1 · · Score: 1

      If you absolutely have to run a game like that, switch the machine over to a dmz. Even consumer routers support dmzs these days.

      And then write a complaint to the company stating the need for being able to set fixed ports. They'll only listen if people complain.

  2. Better firmware by Beau1080p · · Score: 0

    This is why we all should be running firmware like Tomato. Vetted FOSS firmware solves a lot of problems.

    1. Re: Better firmware by Anonymous Coward · · Score: 0

      FOSS != vetted/reviewed/critiqued code. If that was the case, we wouldn't have seen Heartbleed, Shellshock et al.

      Where I work, when we develop software, it goes through design reviews, code reviews and sometimes an independent security code review. And depending on what it is, independent penetration testing.

    2. Re:Better firmware by Anonymous Coward · · Score: 0

      No thanks. I'll stick with pfSense.

  3. Not Worried by Anonymous Coward · · Score: 0, Troll

    Like most security conscious slashdotters, I run APKs hosts file protection system protecting me from this and myriad other vulnerabilities.

    Protection starts at 127.0.0.1 my friends!

    1. Re: Not Worried by Anonymous Coward · · Score: 0

      I was skeptical, so I looked at your website.

      Very impressive and good looking! But I'm biased since it looks so much like mine.

    2. Re:Not Worried by Anonymous Coward · · Score: 0

      Love it! The guy that tries to scam people into using his hosts file for "protection" doesn't know the difference between border and device security. Your shitty hosts file would do NOTHING to protect networks vulnerable to this exploit.

  4. FTFY by TeknoHog · · Score: 1

    most manufacturers don't update their router's firmware -- meaning many routers may still be vulnerable.

    It's great having to buy new hardware because of software issues. Makes me feel like a Windows user.

    --
    Escher was the first MC and Giger invented the HR department.

    1. Re:FTFY by Anonymous Coward · · Score: 0

      Exactly! There are many routers out there that would be much more secure IF their firmware was updated, but manufacturers are not interested in updating firmware, they want to sell new routers (as likely as not with new vulnerabilities)!

    2. Re:FTFY by Anonymous Coward · · Score: 1

      +1 Very accurate comment.

      IMHO most consumer routers out there seem to be sold with "one-off" firmware that is NEVER UPDATED by the manufacturer.

      I think the researchers should learn how to do real research before they make clueless comments that consumers don't update their router firmware.

      For those consumers with devices that can be updated, yes, that group of consumers shares responsibility for these exploits getting out of hand.

      Another group of consumers that share responsibility for exploits getting out of hand are those that don't understand or don't care about the risks of "...opening up that 1 port so I can access my remotely..." Some will open ports so they can play their online games, but then they leave those ports open when they don't need them. Others think they are being "community minded" or "unselfish" by opening up their Internet access to outsiders via the Internet, and they are clueless, lazy or don't care about the risks (HEY NOTZ MY PROBLEM CUZ I GOTS ME MY OBAMACARE FO CHEEEEP).

      Manufacturers must also share responsibility if they made the firmware update process so complicated that it drives away consumers.

      I like the BIOS upgrade process that I have seen in some motherboards. Drop the computer into the BIOS. Select the correct menu where the Internet update option is located, and select the "Update" choice. Now that option may be too simplistic for Internet routers that are the edge of the consumer's network and access point to the Internet. Perhaps double the amount of Flash storage for storing the firmware so it holds 2 copies of firmware. Update 1 copy. Instruct the consumer to reboot to the new version, then overwrite the old version when the consumer accepts the new version. Also provide an easy mechanism for the consumer to revert to the old untouched firmware if the new firmware fouls up something for the consumer. Not exactly "unbrickable", but "pretty good".

      Sadly, there is no way to prevent price from becoming a deciding factor in any purchase. So there is no way to keep useless junk off the market.

      Irony in the magic word: altruism

  5. Knowing most users won't upgrade their firmware by Anonymous Coward · · Score: 0

    They still manufacture devices which expect users to know how to upgrade their firmware.

    This is simple. Let us tech-heads play with the dangerous stuff and give the snowflakes their fluffy routers.

  6. Routers = security nightmares by Anonymous Coward · · Score: 0

    See subject & proof of a sad truth on routers from reputable sources (far from complete): https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
    http://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html/

    APK

    P.S.=> See why I use hosts files/firewalls in software + OS patching & IP security tweaks OS side to supplement all that weakness in routers? Betting on routers of IPS etc. ALONE in "eggshell perimeter only" security = stupid risk & NOT good "layered security"/"defense-in-depth"... apk

  7. Fixed that for ya by Anonymous Coward · · Score: 0

    "most users don't update their router's firmware"

    "Many users can't easily update their router's firmware because most vendors don't support their products once they stop selling"

    I have a Netgear router that works perfectly fine, but there hasn't been an official firmware update in about five years. I'm becoming increasingly worried and will soon likely cave and get a new piece of hardware only to fall into this trap again in a few years. I'm tempted to install an open source firmware, but would rather not have to take on a project like that.

  8. Bullshit: Hosts secure @ end points by Anonymous Coward · · Score: 0

    'Eggshell perimeter only' single point of exploit in routers/NIDS alone fails if taken out & they're full of bugs https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/ & DO get "taken out"!

    You're NOT practicing good "layered security"/"defense in depth" dumbass!

    * If you remove endpoints that are NOT security hardened off your weak single point of exploit 'defenses' & put them on another less secured network THEY ARE VULNERABLE!

    THIS stops it happening blocking out threats & gaining you speed & security for LESS resources used APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    APK

    P.S.=> Little "networking menials" are STUPID it makes me laugh - no wonder guys like ME make TOOLS fools like you merely USE user w/ a better password (it's all you are)... apk

  9. You don't know layered security by Anonymous Coward · · Score: 0

    Oliver Day (SYMANTEC/SECURITYFOCUS): http://www.securityfocus.com/c... "The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware"

    OReilly on hosts for security -> http://oreilly.com/pub/a/windo... & For speed -> http://www.oreillynet.com/pub/...

    Steve Gibson endorses hosts as good https://www.grc.com/sn/sn-045....

    Aryeh Goretsky of ESET/NOD32: hosts = good security http://it.slashdot.org/comment...

    Brocke Wilders of WILDERS' SECURITY does via an inferior clone of MY PROGRAM http://www.wilderssecurity.com...

    Malwarebytes' folks too!

    APK

    P.S.=> See subject: Security & web pros do... apk

  10. Secure endpoints past faulty routers by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script & malware rob speed/security/privacy

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

    * Via what u NATIVELY have in the IP stack in FASTER kernelmode!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/

  11. Best layered security hosts file builder by Anonymous Coward · · Score: 0

    Perimeter security in routers = faulty. Hosts secure endpoints via APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script & malware rob speed/security/privacy

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

    * Via what u NATIVELY have in the IP stack in FASTER kernelmode!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/