Remote-Access Router Exploit Finally Revealed

"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security: Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit. The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable.

Not a big deal

[arth1]

Anyone who wants to use their router for security will have UPnP turned off (or for halfway decent routers, not even present) anyhow. It's an inherently unsafe protocol, deliberately trading security for convenience. Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

Hopefully, this can be another nail in the coffin for UPnP, but I doubt it. With consumers, convenience will always win over security.

Re:Not a big deal

Anyone who wants to use their router for security will have UPnP turned off

Wrong.
There are millions and millions of people who want to use their router for security that don't know enough or do not take the time to turn off UPnP. That is the entire point of discussing this. It's why this is a fucking issue. You cannot just dismiss it by waving your hands and saying meh, they don't know what they're doing.

Re:Not a big deal

[Z00L00K]

I agree, the amount of F-ups that UPnP offers greatly exceeds the advantages of that protocol.

I can't imagine that anyone allowed that protocol from the beginning. On the other hand - don't underestimate the power of human stupidity and laziness.

Re:Not a big deal

> [uPnP is] an inherently unsafe protocol, deliberately trading security for convenience.

How is it more unsafe than giving each machine on your LAN a globally-routable IP address? (Hint: This is exactly what you get with decent IPv6 service.)

> Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

On every one of the dozens of routers I've used, uPnP rules come _after_ all admin-specified firewall rules. This means that uPnP rules cannot override admin prohibitions, as the admin-specified rules take precedence over the uPnP-specified rules.

If you don't have untrusted/untrustworthy devices in their own subnet, then those devices are obviously not that untrustworthy... you let them talk directly to other devices on your LAN (routers aren't involved in (and -thus- can't prohibit) traffic that doesn't cross subnet boundaries).

Re:Not a big deal

[Mashiki]

Well it could be like Bell Canada. Who uses your street address for your wifi password, and uses WEP as the default security. Sometimes there are things far worse, and really the problems here are people either don't look things up(like what UPnP does), or think that because it's set to on by default it's perfectly safe. Second that companies enable this by default because "it makes it easy."

Re:Not a big deal

[freax]

Download the PDF. Go to page 15 and read the implementation of the unique_service_name function. There are 7!! rash amateur code exploits in about 30 - 50 lines of code, brackets and return calls included. That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code. The amount of stink you see in each and every line of the implementation is what makes any serious programming speechless.vA minimal amount of code review would have blocked the contribution entirely.

We should put the blame of this one on the programmer. Not on the protocol. That doesn't mean UPnP doesn't stink together with the implementation. Especially since often the guys writing reference and often-used libraries for a protocol, are also the ones who defined the protocol. So of the implementation is like that code, which it likely is, then I'm pretty sure the protocol isn't going to conform to RFC 1925.

Re:Not a big deal

Well i've never used it myself, but i think the main purpose people use it for is to allow untrustworthy devices to poke holes their firewall, so that remote exploits are easier to create and security of the person's local network is compromised. That way, a person does not have to be a networking guru to create security problems in their own network. It's all handled transparently behind the scenes, which makes things easier for the average person to deal with. It's all about ease of use.

Re:Not a big deal

Go ahead, maintain their computers for them. When you've done all the work to make their setup secure, they'll throw it out and buy something new because it works with the latest fad, or won't get in their way so often like the old thing that you practically made unusable, or for no reason at all. UPnP exists because of these people. Of course they'll say they want security. But they choose convenience over security every time. Why would I question their priorities?

Re:Not a big deal

[jader3rd]

Here's a question for /. crowd, what's the most common valid use case for UP&P being required to do something the average worker/user needs to do?

Peer to peer communication works better with it. So things like Skype as well as multi player gaming.

Re:Not a big deal

[jader3rd]

Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

It's main purpose is to knock holes in the firewall for devices on the LAN, behind the router. If I have an untrusted device on my side of the network that's a problem that I should fix, even without UPnP.

Re:Not a big deal

> what's the most common valid use case for UP&P being required to do something the average worker/user needs to do?

Ad-hoc port forwarding. UPnP does a bit more than this, but that's its primary use.

Rather than asking a user to faff about with a shitty login screen, and then three or more frequently poorly-designed screens, the software that needs port forwarding -but doesn't want to try to roll the dice with one of the three or so NAT hole punching techniques that don't work all of the time- can just automatically set up the forwarding. Networks should Just Work.

People are freaking out about untrusted devices tunnelling out from the LAN. Untrusted devices should be in an "untrusted devices" subnet that's isolated from the "trusted devices" subnet. That's just a basic practice. (The fact that most consumer routers are too poorly designed to provide a UI to do this painlessly doesn't change the fact that it's a basic practice.)

Re:Not a big deal

[chihowa]

You start off by confusing NAT and firewalls, so it's hard to believe that you really have much of a clue.

Re:Not a big deal

[erapert]

That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code.

Everyone makes mistakes. But aren't there tools out there that will avoid mistakes like this? In other words, if that rank amateur had been using C++ instead of doing a bunch of manual stuff with C then this particular problem would have been avoided.

Page 17 from the .pdf:

We see that the code has been refactored, but still suffers from three buffer overflows in roughly the same places as before. The strncpy() function is being passed a length based on the distance between two strings in the attacker-supplied request, but is not checked against the size of the destination buffer.

So... if they had used C++ and std::string instead of doing everything manually in C then this would not have happened (perhaps some other vulnerability would be found instead, but not this one).

STOP USING C. It is not superior in any way. You are not a big tough guy for using "the most hardcore" language.

Not everyone will be an expert. Yes, we do have to live with idiots-- and even if there's no idiots around we're all still capable of being dumb ourselves.

Re:Not a big deal

[arth1]

If you absolutely have to run a game like that, switch the machine over to a dmz. Even consumer routers support dmzs these days.

And then write a complaint to the company stating the need for being able to set fixed ports. They'll only listen if people complain.

FTFY

[TeknoHog]

most manufacturers don't update their router's firmware -- meaning many routers may still be vulnerable.

It's great having to buy new hardware because of software issues. Makes me feel like a Windows user.

Re:FTFY

+1 Very accurate comment.

IMHO most consumer routers out there seem to be sold with "one-off" firmware that is NEVER UPDATED by the manufacturer.

I think the researchers should learn how to do real research before they make clueless comments that consumers don't update their router firmware.

For those consumers with devices that can be updated, yes, that group of consumers shares responsibility for these exploits getting out of hand.

Another group of consumers that share responsibility fo exploits getting out of hand are those that don't understand or don't care about the risks of "...opening up that 1 port so I can access my remotely..." Some will open ports so they can play their online games, but then they leave those ports open when they don't need them. Others think they are being "community minded" or "unselfish" by opening up their Internet access to outsiders via the Internet, and they are clueless, lazy or don't care about the risks (HEY NOTZ MY PROBLEM CUZ I GOTS ME MY OBAMACARE FO CHEEEEP).

Manufacturers must also share responsibility if they made the firmware update process so complicated that it drives away consumers.

I like the BIOS upgrade process that I have seen in some motherboards. Drop the computer into the BIOS. Select the correct menu where the Internet update option is located, and select the "Update" choice. Now that option may be too simplistic for Internet routers that as the edge of the consumer's network and access point to the Internet. Perhaps double the amount of Flash storage for storing the firmware so it holds 2 copies of firmware. Update 1 copy. Instruct the consumer to reboot to the new version, then overwrite the old version when the consumer accepts the new version. Also provide an easy mechanism for the consumer to revert to the old untouched firmware if the new firmware fouls up something for the consumer. Not exactly "unbrickable", but "pretty good".

Sadly, there is no way to prevent price from becoming a deciding factor in any purchase. So there is no way to keep useless junk off the market.

Irony in the magic word: altruism