[ale] nasty UPNP bug allows EXTERNAL hackers INTERNAL access

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Fri Mar 1 01:01:40 EST 2013


Hi all,

Steve gave an update on this problem on the latest podcast so I thought 
I'd pass it along.  His shields up port testing site has cataloged over 
2000 routers that people are testing which did respond to the upnp 
discovery request on their wan port and are potentially vulnerable to 
attack.  I don't know how many total visitors he has.

It was mentioned that, if you had a vulnerable router and cannot 
reconfigure or replace it right away, you could establish a DMZ in your 
router and point it to an ip address on your network that will never be 
used.  Therefore, if the last address assigned by your dhcp server is 
192.168.25.200, you could set the DMZ to 192.168.25.225.  Therefore, any 
unsolicited packets are essentially dumped into a black hole.  On my 
router, the default dhcp server serves up addresses from 2 - 254, so I 
would have to change the upper limit if I wanted to use this technique.

While he didn't mention this specifically, I think another way you could 
do this is with port forwarding.  If you wanted to prevent UPNP 
discovery, you could forward UDP 1900 to a nonexistent address.  Using
this method, you could forward other ports to real computers, if you wished.

Sincerely,

Ron


On 2/7/2013 10:28 PM, Ron Frazier (ALE) wrote:
> You're welcome.  Glad to help.
>
> Sincerely,
>
> Ron
>
>
> Jay Lozier <jslozier at gmail.com> wrote:
>
>> Ron
>>
>> Thanks for the link. My router was good.
>>
>> Jay
>>
>> On 02/07/2013 03:06 PM, Ron Frazier (ALE) wrote:
>>> Hi all,
>>>
>>> I wanted to let you know about a nasty bug in the UPNP implementation
>>> of millions of routers.  This could allow an external hacker free and
>>> open access to your internal network.  I think this mainly applies to
>>> home and small office routers, but this could apply to commercial ones
>>> as well.
>>>
>>> UPNP stands for Universal Plug and Play.  It is a feature of almost
>>> all routers that is usually on by default.  It allows things INTERNAL
>>> to your network, like XBox game systems, Skype, DVRs and other things
>>> to OPEN HOLES for incoming communications through your firewall,
>>> usually without your knowledge or permission, and sometimes without
>>> your ability to monitor or control it.  This is designed to allow
>>> gamers, for example, to instantly participate in network gaming
>>> without configuring the router.  It generally doesn't require
>>> authentication, and assumes anyone making a UPNP request from within
>>> your network is trustworthy.  This, in itself, is somewhat of a
>>> security risk, and I've had UPNP turned off for years on my routers.
>>> It's one of the first things I disable when I set up a router, since I
>>> have no need for it.
>>>
>>> They discussed the new issue, which is much much worse, on the last
>>> two Security Now podcasts.
>>>
>>> http://twit.tv/sn
>>> http://twit.tv/show/security-now/389
>>> https://www.youtube.com/watch?v=wEa43qM4JjQ#t=09m44s  (YouTube video
>>> of 389.  Relevant part starts at 09:44.)
>>> http://media.grc.com/sn/sn-389.mp3 - MP3 audio of 389.
>>> http://twit.tv/show/security-now/390
>>> http://www.grc.com/securitynow.htm  (Episode 390 hasn't been posted
>>> here yet, but should be shortly.)
>>>
>>> UPNP was always intended to be used only on your INTERNAL LAN.  It was
>>> never intended to be exposed on the Internet on the WAN.  A group of
>>> security researchers at Rapid7 spent months last year using bots to
>>> probe EVERY routable IPv4 address on the Internet.  They sent UDP UPNP
>>> discovery packets to every address several times.  The results of the
>>> probes were both surprising and very disconcerting.
>>>
>>> They found that 2.2% of ALL IPv4 routers exposed to the internet
>>> responded to UPNP discovery requests.  This corresponds to 81 MILLION
>>> routers.  This means that they are exposing the UPNP service to the
>>> EXTERNAL internet at large.  This is a MAJOR security flaw.  Of those,
>>> 20%, or 16.2 MILLION, are exposing their SOAP API to the EXTERNAL
>>> internet at large.
>>>
>>> This means that a REMOTE cracker, just by sending a few UDP packets to
>>> your router's EXTERNAL address, can punch holes in your firewall and
>>> break into your INTERNAL LAN just as though he were your XBOX sitting
>>> in your house.  It requires no authentication or decryption on the
>>> cracker's part, and is trivially easy.
>>>
>>> This is very bad news for the 81 million people, most of whom don't
>>> even know they are vulnerable.
>>>
>>> For years, Steve Gibson has been operating the Shields Up service on
>>> his website.  It provides a way to scan your network from the outside
>>> to see if NetBIOS is being exposed, or if common TCP service ports
>>> are being exposed.  In light of these events, he has added testing for
>>> the UPNP vulnerability.
>>>
>>> I would recommend that each person reading this make use of Steve's
>>> port scanner to test your router's external IPv4 address to determine
>>> if you are vulnerable to the UPNP attack vector.  Here's how.
>>>
>>> Go to the Shields Up main page at:
>>> https://www.grc.com/x/ne.dll?bh0bkyd2
>>>
>>> You will probably have to trust grc.com in NoScript, etc. for
>>> everything to work.  Read what it says there and click proceed.  Keep
>>> in mind, some of the verbiage is a decade old, but the site is still
>>> very useful.  The stuff related to UPNP is new.
>>>
>>> Once you're on the second page, you will get to a screen with some
>>> menu buttons on it.
>>>
>>> Click the orange GRC's Instant UPNP Exposure Test button.
>>>
>>> His server will query the UPNP ports for your external IPv4 address.
>>> It will then report back as to whether your router didn't respond at
>>> all (PREFERABLE), actively rejected the remote request (OK), or did
>>> respond to the UPNP discovery request (BAD).  The result page also
>>> contains verbiage explaining the results.
>>>
>>> Note that a simple port scan, like from nmap, will not do the trick
>>> here.  First, you have to send the scan from outside your router, on
>>> the internet side.  Second, the UPNP discovery request is a
>>> specifically formatted UDP packet, not just a simple ping.  Since it's
>>> UDP, the source address can be spoofed by a cracker.
>>>
>>> If your router is in the category that did respond, you are
>>> potentially vulnerable to attack.  At the very least, a cracker could
>>> find out that your UPNP service is listening on the WAN, and it will
>>> probably tell him which UPNP stack you have in its reply.  This may
>>> give him the info he needs to attack you.  If your router is among the
>>> 1 in 5 (of the 81 million) that exposes its SOAP API to the WAN, you
>>> are vulnerable to immediate attack.  If your router responds to an
>>> external UPNP request, which it NEVER should, you should find a way to
>>> turn off that functionality and retest it.  If you cannot turn it off,
>>> you should discontinue using this router.
>>>
>>> While you're there on the Shields Up page, you can select other
>>> buttons as follows:
>>>
>>> File Sharing - tests to see if your router is exposing any NetBIOS
>>> file sharing ports to the WAN.
>>> Common Ports - tests to see if certain commonly used TCP service ports
>>> are listening on the WAN.
>>> All Service Ports - tests to see if the first 1056 TCP service ports
>>> are listening on the WAN.
>>> User Specified Custom Port Probe - used to test a specific TCP port
>>> number after entering it into the blank.
>>> Lookup Specific Port Information - used to look up data about what
>>> certain port numbers are commonly used for.
>>>
>>> Here are other resources that Steve provides relative to the UPNP
>>> problem so you can research it:
>>>
>>> https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
>>> http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf
>>> http://www.upnp-hacks.org/upnp.html
>>> http://toor.do/upnp.html
>>> http://www.h-online.com/security/news/item/Millions-of-devices-vulnerable-via-UPnP-Update-1794032.html
>>>
>>> I recommend that you test your internet facing IPv4 addresses for UPNP
>>> vulnerability immediately.  If your router responds to the external
>>> UPNP inquiry, I suggest turning off UPNP from its control panel and
>>> retesting.  If it still responds, consider upgrading the firmware and
>>> retesting, or removing and replacing the router.
>>>
>>> I hope you find this information useful.
>>>
>>> Sincerely,
>>>
>>> Ron


-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
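A small helper for the "black hole" DMZ workaround described in Ron's message above, added here as an example and not part of the original post. It checks that a candidate DMZ address can never be handed out by the DHCP pool (or be the network, broadcast or a static host), and picks one automatically; the 192.168.25.0/24 subnet and the 2-200 and 2-254 pool bounds come from his examples, while the gateway address 192.168.25.1 is an assumption.

```python
"""Validate or choose a DMZ 'black hole' address outside the DHCP pool."""
import ipaddress
from typing import Iterable, Optional

IPv4 = ipaddress.IPv4Address


def is_safe_black_hole(subnet: str, candidate: str, dhcp_first: int,
                       dhcp_last: int, in_use: Iterable[str] = ()) -> bool:
    """True if `candidate` is a host address in `subnet` that the DHCP
    server (pool host numbers dhcp_first..dhcp_last, e.g. 2..200) will
    never assign and that is not a known static host such as the gateway."""
    net = ipaddress.ip_network(subnet, strict=True)
    addr = ipaddress.ip_address(candidate)
    if addr not in net or addr in (net.network_address, net.broadcast_address):
        return False                       # unusable or outside the LAN
    host_no = int(addr) - int(net.network_address)
    if dhcp_first <= host_no <= dhcp_last:
        return False                       # DHCP could lease it some day
    return addr not in {ipaddress.ip_address(a) for a in in_use}


def black_hole_address(subnet: str, dhcp_first: int, dhcp_last: int,
                       in_use: Iterable[str] = ()) -> Optional[IPv4]:
    """Highest usable address that passes is_safe_black_hole, or None when
    the pool leaves no room (Ron's router, which leases 2-254 on a /24)."""
    net = ipaddress.ip_network(subnet, strict=True)
    for host in reversed(list(net.hosts())):   # hosts() skips net/broadcast
        if is_safe_black_hole(subnet, str(host), dhcp_first, dhcp_last, in_use):
            return host
    return None


def suggested_pool_limit(subnet: str, dhcp_first: int, reserve: int = 8) -> Optional[int]:
    """New upper host number that frees `reserve` addresses at the top of
    the subnet, for routers whose pool currently covers every host."""
    net = ipaddress.ip_network(subnet, strict=True)
    last_host = int(list(net.hosts())[-1]) - int(net.network_address)
    new_last = last_host - reserve
    return new_last if new_last > dhcp_first else None


if __name__ == "__main__":
    gw = ["192.168.25.1"]                  # assumed gateway address
    print(is_safe_black_hole("192.168.25.0/24", "192.168.25.225", 2, 200, gw))
    print(black_hole_address("192.168.25.0/24", 2, 200, gw))
    print(black_hole_address("192.168.25.0/24", 2, 254, gw))   # None: shrink pool
    print(suggested_pool_limit("192.168.25.0/24", 2))
```

The same host-number check applies to the port-forwarding variant Ron describes: the destination you forward UDP 1900 to must also be an address DHCP can never lease.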



More information about the Ale mailing list