[ale] nasty UPNP bug allows EXTERNAL hackers INTERNAL access

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Thu Feb 7 22:28:22 EST 2013


You're welcome.  Glad to help.

Sincerely,

Ron


Jay Lozier <jslozier at gmail.com> wrote:

>Ron
>
>Thanks for the link. My router was good.
>
>Jay
>
>On 02/07/2013 03:06 PM, Ron Frazier (ALE) wrote:
>> Hi all,
>>
>> I wanted to let you know about a nasty bug in the UPNP implementation
>> of millions of routers.  This could allow an external hacker free and
>> open access to your internal network.  I think this mainly applies to
>> home and small office routers, but this could apply to commercial ones
>> as well.
>>
>> UPNP stands for Universal Plug and Play.  It is a feature of almost
>> all routers that is usually on by default.  It allows things INTERNAL
>> to your network, like XBox game systems, Skype, DVRs and other things
>> to OPEN HOLES for incoming communications through your firewall,
>> usually without your knowledge or permission, and sometimes without
>> your ability to monitor or control it.  This is designed to allow
>> gamers, for example, to instantly participate in network gaming
>> without configuring the router.  It generally doesn't require
>> authentication, and assumes anyone making a UPNP request from within
>> your network is trustworthy.  This, in itself, is somewhat of a
>> security risk, and I've had UPNP turned off for years on my routers.
>> It's one of the first things I disable when I set up a router, since I
>> have no need for it.
>>
>> They discussed the new issue, which is much much worse, on the last
>> two Security Now podcasts.
>>
>> http://twit.tv/sn
>> http://twit.tv/show/security-now/389
>> https://www.youtube.com/watch?v=wEa43qM4JjQ#t=09m44s  (YouTube video
>> of 389.  Relevant part starts at 09:44.)
>> http://media.grc.com/sn/sn-389.mp3 - MP3 audio of 389.
>> http://twit.tv/show/security-now/390
>> http://www.grc.com/securitynow.htm  (Episode 390 hasn't been posted
>> here yet, but should be shortly.)
>>
>> UPNP was always intended to be used only on your INTERNAL LAN.  It was
>> never intended to be exposed on the Internet on the WAN.  A group of
>> security researchers at Rapid7 spent months last year using bots to
>> probe EVERY routable IPv4 address on the Internet.  They sent UDP UPNP
>> discovery packets to every address several times.  The results of the
>> probes were both surprising and very disconcerting.
>>
>> They found that 2.2% of ALL IPv4 routers exposed to the internet
>> responded to UPNP discovery requests.  This corresponds to 81 MILLION
>> routers.  This means that they are exposing the UPNP service to the
>> EXTERNAL internet at large.  This is a MAJOR security flaw.  Of those,
>> 20%, or 16.2 MILLION, are exposing their SOAP API to the EXTERNAL
>> internet at large.
>>
>> This means that a REMOTE cracker, just by sending a few UDP packets to
>> your router's EXTERNAL address, can punch holes in your firewall and
>> break into your INTERNAL LAN just as though he was your XBOX sitting
>> in your house.  It requires no authentication or decryption on the
>> cracker's part, and is trivially easy.
>>
>> This is very bad news for the 81 million people, most of whom don't
>> even know they are vulnerable.
>>
>> For years, Steve Gibson has been operating the Shields Up service on
>> his website.  It provides a way to scan your network from the outside
>> to see if NetBIOS is being exposed, or if common TCP service ports
>> are being exposed.  In light of these events, he has added testing for
>> the UPNP vulnerability.
>>
>> I would recommend that each person reading this make use of Steve's
>> port scanner to test your router's external IPv4 address to determine
>> if you are vulnerable to the UPNP attack vector.  Here's how.
>>
>> Go to the Shields Up main page at:
>> https://www.grc.com/x/ne.dll?bh0bkyd2
>>
>> You will probably have to trust grc.com in NoScript, etc. for
>> everything to work.  Read what it says there and click proceed.  Keep
>> in mind, some of the verbiage is a decade old, but the site is still
>> very useful.  The stuff related to UPNP is new.
>>
>> Once you're on the second page, you will get to a screen with some
>> menu buttons on it.
>>
>> Click the orange GRC's Instant UPNP Exposure Test button.
>>
>> His server will query the UPNP ports for your external IPv4 address.
>> It will then report back as to whether your router didn't respond at
>> all (PREFERABLE), actively rejected the remote request (OK), or did
>> respond to the UPNP discovery request (BAD).  The result page also
>> contains verbiage explaining the results.
>>
>> Note that a simple port scan, like from nmap, will not do the trick
>> here.  First, you have to send the scan from outside your router, on
>> the internet side.  Second, the UPNP discovery request is a
>> specifically formatted UDP packet, not just a simple ping.  Since it's
>> UDP, the source address can be spoofed by a cracker.
>>
>> If your router is in the category that did respond, you are
>> potentially vulnerable to attack.  At the very least, a cracker could
>> find out that your UPNP service is listening on the WAN, and it will
>> probably tell him which UPNP stack you have in its reply.  This may
>> give him the info he needs to attack you.  If your router is among the
>> 1 in 5 (of the 81 million) that exposes its SOAP API to the WAN, you
>> are vulnerable to immediate attack.  If your router responds to an
>> external UPNP request, which it NEVER should, you should find a way to
>> turn off that functionality and retest it.  If you cannot turn it off,
>> you should discontinue using this router.
>>
>> While you're there on the Shields Up page, you can select other
>> buttons as follows:
>>
>> File Sharing - tests to see if your router is exposing any NetBIOS
>> file sharing ports to the WAN.
>> Common Ports - tests to see if certain commonly used TCP service ports
>> are listening on the WAN.
>> All Service Ports - tests to see if the first 1056 TCP service ports
>> are listening on the WAN.
>> User Specified Custom Port Probe - used to test a specific TCP port
>> number after entering it into the blank.
>> Lookup Specific Port Information - used to look up data about what
>> certain port numbers are commonly used for.
>>
>> Here are other resources that Steve provides relative to the UPNP
>> problem so you can research it:
>>
>> https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
>> http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf
>> http://www.upnp-hacks.org/upnp.html
>> http://toor.do/upnp.html
>> http://www.h-online.com/security/news/item/Millions-of-devices-vulnerable-via-UPnP-Update-1794032.html
>>
>> I recommend that you test your internet facing IPv4 addresses for UPNP
>> vulnerability immediately.  If your router responds to the external
>> UPNP inquiry, I suggest turning off UPNP from its control panel and
>> retesting.  If it still responds, consider upgrading the firmware and
>> retesting, or removing and replacing the router.
>>
>> I hope you find this information useful.
>>
>> Sincerely,
>>
>> Ron
>>
>>


--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity.

(To whom it may concern.  My email address has changed.  Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address.  Please send all personal correspondence to the new address.)

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com



