[ale] nasty UPNP bug allows EXTERNAL hackers INTERNAL access

Jay Lozier jslozier at gmail.com
Thu Feb 7 21:31:25 EST 2013


Ron

Thanks for the link. My router was good.

Jay

On 02/07/2013 03:06 PM, Ron Frazier (ALE) wrote:
> Hi all,
>
> I wanted to let you know about a nasty bug in the UPNP implementation 
> of millions of routers.  This could allow an external hacker free and 
> open access to your internal network.  I think this mainly applies to 
> home and small office routers, but this could apply to commercial ones 
> as well.
>
> UPNP stands for Universal Plug and Play.  It is a feature of almost 
> all routers that is usually on by default.  It allows things INTERNAL 
> to your network, like XBox game systems, Skype, DVRs and other things 
> to OPEN HOLES for incoming communications through your firewall, 
> usually without your knowledge or permission, and sometimes without 
> your ability to monitor or control it.  This is designed to allow 
> gamers, for example, to instantly participate in network gaming 
> without configuring the router.  It generally doesn't require 
> authentication, and assumes anyone making a UPNP request from within 
> your network is trustworthy.  This, in itself, is somewhat of a 
> security risk, and I've had UPNP turned off for years on my routers.  
> It's one of the first things I disable when I set up a router, since I 
> have no need for it.
>
> They discussed the new issue, which is much, much worse, on the last 
> two Security Now podcasts.
>
> http://twit.tv/sn
> http://twit.tv/show/security-now/389
> https://www.youtube.com/watch?v=wEa43qM4JjQ#t=09m44s  (YouTube video 
> of 389.  Relevant part starts at 09:44.)
> http://media.grc.com/sn/sn-389.mp3 - MP3 audio of 389.
> http://twit.tv/show/security-now/390
> http://www.grc.com/securitynow.htm  (Episode 390 hasn't been posted 
> here yet, but should be shortly.)
>
> UPNP was always intended to be used only on your INTERNAL LAN.  It was 
> never intended to be exposed on the Internet on the WAN.  A group of 
> security researchers at Rapid7 spent months last year using bots to 
> probe EVERY routable IPv4 address on the Internet. They sent UDP UPNP 
> discovery packets to every address several times.  The results of the 
> probes were both surprising and very disconcerting.
>
> They found that 2.2% of ALL IPv4 routers exposed to the internet 
> responded to UPNP discovery requests.  This corresponds to 81 MILLION 
> routers.  This means that they are exposing the UPNP service to the 
> EXTERNAL internet at large.  This is a MAJOR security flaw.  Of those, 
> 20%, or 16.2 MILLION are exposing their SOAP API to the EXTERNAL 
> internet at large.
>
> This means that a REMOTE cracker, just by sending a few UDP packets to 
> your router's EXTERNAL address, can punch holes in your firewall and 
> break into your INTERNAL LAN just as though he was your XBOX sitting 
> in your house.  It requires no authentication or decryption on the 
> cracker's part, and is trivially easy.
>
> This is very bad news for the 81 million people, most of whom don't 
> even know they are vulnerable.
>
> For years, Steve Gibson has been operating the Shields Up service on 
> his website.  It provides a way to scan your network from the outside 
> to see if NetBIOS is being exposed, or if common TCP service ports 
> are being exposed.  In light of these events, he has added testing for 
> the UPNP vulnerability.
>
> I would recommend that each person reading this make use of Steve's 
> port scanner to test your router's external IPv4 address to determine 
> if you are vulnerable to the UPNP attack vector. Here's how.
>
> Go to the Shields Up main page at: https://www.grc.com/x/ne.dll?bh0bkyd2
>
> You will probably have to trust grc.com in noscript, etc. for 
> everything to work.  Read what it says there and click proceed. Keep 
> in mind, some of the verbiage is a decade old, but the site is still 
> very useful.  The stuff related to UPNP is new.
>
> Once you're on the second page, you will get to a screen with some 
> menu buttons on it.
>
> Click the orange GRC's Instant UPNP Exposure Test button.
>
> His server will query the UPNP ports for your external IPv4 address.  
> It will then report back as to whether your router didn't respond at 
> all (PREFERABLE), actively rejected the remote request (OK), or did 
> respond to the UPNP discovery request (BAD). The result page also 
> contains verbiage explaining the results.
>
> Note that a simple port scan, like from nmap, will not do the trick 
> here.  First, you have to send the scan from outside your router, on 
> the internet side.  Second, the UPNP discovery request is a 
> specifically formatted UDP packet, not just a simple ping. Since it's 
> UDP, the source address can be spoofed by a cracker.
>
> If your router is in the category that did respond, you are 
> potentially vulnerable to attack.  At the very least, a cracker could 
> find out that your UPNP service is listening on the WAN, and it will 
> probably tell him which UPNP stack you have in its reply. This may 
> give him the info he needs to attack you.  If your router is among the 
> 1 in 5 (of the 81 million) that exposes its SOAP API to the WAN, you 
> are vulnerable to immediate attack.  If your router responds to an 
> external UPNP request, which it NEVER should, you should find a way to 
> turn off that functionality and retest it.  If you cannot turn it off, 
> you should discontinue using this router.
>
> While you're there on the Shields Up page, you can select other 
> buttons as follows:
>
> File Sharing - tests to see if your router is exposing any NetBIOS 
> file sharing ports to the WAN.
> Common Ports - tests to see if certain commonly used TCP service ports 
> are listening on the WAN.
> All Service Ports - tests to see if the first 1056 TCP service ports 
> are listening on the WAN.
> User Specified Custom Port Probe - used to test a specific TCP port 
> number after entering it into the blank.
> Lookup Specific Port Information - used to look up data about what 
> certain port numbers are commonly used for.
>
> Here are other resources that Steve provides relative to the UPNP 
> problem so you can research it:
>
> https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf 
>
> http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf
> http://www.upnp-hacks.org/upnp.html
> http://toor.do/upnp.html
> http://www.h-online.com/security/news/item/Millions-of-devices-vulnerable-via-UPnP-Update-1794032.html 
>
>
> I recommend that you test your internet facing IPv4 addresses for UPNP 
> vulnerability immediately.  If your router responds to the external 
> UPNP inquiry, I suggest turning off UPNP from its control panel and 
> retesting.  If it still responds, consider upgrading the firmware and 
> retesting, or removing and replacing the router.
>
> I hope you find this information useful.
>
> Sincerely,
>
> Ron
>
>


-- 
Jay Lozier
jslozier at gmail.com
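Ron's post describes the "specifically formatted UDP packet" (an SSDP M-SEARCH to UDP port 1900) and the three outcomes the Shields Up test reports (no response, actively rejected, responded). The following is an added example, not code from the post, the list or GRC, that builds that discovery datagram, parses a reply into its headers, and maps a probe result onto those same three outcomes, pulling out the SERVER header (the "which UPNP stack you have" the post mentions) and the LOCATION URL of the device description. The sample reply and the `ExampleUPnPd/0.0` server string are constructed for the example; `probe()` is only meant to be run against an address you are responsible for, from the WAN side, exactly as the post says a LAN-side scan cannot answer the question.

```python
"""Added example (not from the original post): SSDP discovery self-check.

Builds the M-SEARCH datagram a UPnP client sends, parses the HTTP-style
reply a UPnP stack returns, and classifies the result the way the post
describes: NO_RESPONSE (preferable), REJECTED (ok), RESPONDED (bad).
"""
import socket

SSDP_PORT = 1900
SSDP_MCAST = "239.255.255.250"  # multicast address SSDP uses on the LAN

VERDICTS = {
    "NO_RESPONSE": "preferable: packet silently dropped",
    "REJECTED": "ok: request actively refused (ICMP port unreachable)",
    "RESPONDED": "bad: UPnP discovery answered from this address",
}


def build_msearch(search_target="upnp:rootdevice", mx=2):
    """Return the M-SEARCH discovery request as bytes (CRLF-terminated)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw):
    """Split an SSDP reply into (status line, {lower-cased header: value})."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed header lines rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def probe(address, timeout=3.0):
    """Send one unicast M-SEARCH to `address` and return (outcome, raw_reply).

    Use only against an address you are responsible for. A connected UDP
    socket is used so that an ICMP port-unreachable from the target shows
    up as ConnectionRefusedError instead of being indistinguishable from a
    timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((address, SSDP_PORT))
        sock.send(build_msearch())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "NO_RESPONSE", None
        except ConnectionRefusedError:
            return "REJECTED", None
    return "RESPONDED", data


def summarize(outcome, raw):
    """Turn a probe result into a small report dict.

    SERVER identifies the UPnP stack; LOCATION is the URL of the device
    description, the document that would list the SOAP control endpoints.
    """
    report = {"outcome": outcome, "verdict": VERDICTS[outcome],
              "status": None, "server": None, "location": None, "st": None}
    if raw is not None:
        status, headers = parse_ssdp_response(raw)
        report.update(status=status, server=headers.get("server"),
                      location=headers.get("location"), st=headers.get("st"))
    return report


# Constructed sample reply (not captured from any real device).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 ExampleUPnPd/0.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # Offline demonstration on the constructed reply; to test a router you
    # own from outside, call probe("<your WAN address>") from an external host.
    print(summarize("RESPONDED", SAMPLE_RESPONSE))
```

Run as a script it only evaluates the constructed reply; `probe()` is the piece that reproduces what the Shields Up button does, and, as the post notes, it has to be run from the Internet side of the router to mean anything.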