
50 Million Potentially Vulnerable To UPnP Flaws

Soulskill posted about a year ago | from the much-lower-than-expected dept.

Security 138

Gunkerty Jeb writes "In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"


138 comments

Everything's In HD (0, Funny)

Anonymous Coward | about a year ago | (#42735349)

Even HD Moore's Law now.

Because of the BSD license (1, Insightful)

Anonymous Coward | about a year ago | (#42735399)

Little incentive to contribute code as it will be snatched by Micro$oft and App£e.

Re:Because of the BSD license (0)

Anonymous Coward | about a year ago | (#42735443)

Idiotic troll bait at its best.

Who cares about RTFA (-1)

Anonymous Coward | about a year ago | (#42735403)

when you have first post..

Re:Who cares about RTFA (0)

Anonymous Coward | about a year ago | (#42735413)

Damn you Anonymous Coward and you HD Moore's Law!

UPnP is a vulnerability (0)

Anonymous Coward | about a year ago | (#42735425)

n/t

Re:UPnP is a vulnerability (1)

telchine (719345) | about a year ago | (#42736097)

Does anyone know where I can find a list of routers which aren't vulnerable?

Re:UPnP is a vulnerability (1)

OolimPhon (1120895) | about a year ago | (#42736397)

Does anyone know where I can find a list of routers which aren't vulnerable?

Have you tried scanning the Internet?

Re:UPnP is a vulnerability (4, Informative)

green1 (322787) | about a year ago | (#42737851)

Almost all routers are not vulnerable, if you are smart enough to uncheck the UPnP box. I haven't seen many where you can't disable it, and as has been pointed out elsewhere, running a firewall where any malware can request a gaping hole in it sort of defeats the purpose.
These flaws are already a non-issue to anyone who takes security seriously. The problem is that the average user leaves things as they come from the factory, and they come from the factory vulnerable.

Re:UPnP is a vulnerability (1)

Stalks (802193) | about a year ago | (#42737563)

This!

uPnP is a solution to a non-problem. What's the point of any firewall if an application can request a hole through it?

There is the capability of having ACLs, but on the majority of routers it is just a tick-box to enable/disable, allowing any device internally free rein to accept incoming requests.

Re:UPnP is a vulnerability (2)

hairyfeet (841228) | about a year ago | (#42737895)

Nooo... it's a solution to a VERY real problem, but it's a problem that most geeks don't realize exists. You see, your average Joe has all these devices that can connect to the Internet, multiple PCs, tablet, phone, Internet enabled TV, but they don't have a damned clue how to make ANY of that shit play nice with one another or how to set it up so they can use them on the net as they were designed.

So UPNP was invented so Joe Average wouldn't have to pay a guy like me a couple of hundred bucks to set up their network, while at the same time not having the routers set to just broadcast in the clear with zero encryption, and for that it actually worked pretty well. Now we need a new generation that will be backwards compatible enough so that everyone isn't gonna have to throw out their TVs or tablets while bumping up the security.

But you can't just throw the baby out with the bathwater, as folks still need a way to get all this stuff to hook up and to talk to each other without having to have a degree just to get it to work. Like it or not, UPNP is a very useful tech to Joe and Jane Average, and as we get more and more internet-capable devices they'll need plug-and-play simple even more.

Re:UPnP is a vulnerability (1)

Stalks (802193) | about a year ago | (#42738495)

My understanding was that UPnP was for punching a hole in the firewall/NAT for incoming requests. Joe Average doesn't need this functionality, does he?

Outgoing NAT on consumer grade routers is a separate feature from UPnP and isn't required to use your laptop/TV/tablet/phone on the internet.

I think UPnP at the most (in the average house) is used by the Playstation to host, or by any other server-less P2P network for connectivity. Solve that problem, and we're gold.

Is it ``hacking'', the way they discovered it? (4, Interesting)

girlinatrainingbra (2738457) | about a year ago | (#42735461)

So did they come up with the number of vulnerable sites from
(a) -- sales figures of devices with UPnP enabled by default,

or did they actually do active spidering of (b):

1 -- a representative sample of IP addresses in a particular space
2 -- a wide-ranging probe of many, many IP addresses all around the world?

If they did (a) above, then sure, it makes sense. If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean, one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential, serialized, intentional attempt to knock on so many doors to test vulnerability, well, that's just annoying and wrong, and possibly illegal, eh?

Re:Is it ``hacking'', the way they discovered it? (5, Informative)

Anonymous Coward | about a year ago | (#42735507)

Their methodology is explained in the report. Halfway through the first page of executive summary you'll find the following:

UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012.
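As an added example (not the Rapid7 scanner and not any poster's code), here is what one of those discovery requests looks like on the wire and how a reply from a UPnP device is parsed. SSDP is plain HTTP syntax carried in a UDP datagram, which is why a single probe to 239.255.255.250:1900 is enough to make every listening device on a LAN identify its software stack in the SERVER header. The sample reply, the 192.0.2.1 address, the UUID and the version string are all constructed; `discover_on_lan()` sends only to the local multicast group with TTL 1, so it is a way to check what your own segment answers with.

```python
"""SSDP discovery request and reply parsing. Added example, not the Rapid7
scanner or any poster's code; the sample reply below is constructed."""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard UPnP multicast group and port


def build_msearch(search_target="upnp:rootdevice", mx=2):
    """SSDP is HTTP-over-UDP: one request line plus headers, CRLF-terminated.
    This datagram is all a discovery probe consists of."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw):
    """Return a dict of lower-cased header names to values, or None if the
    datagram is not an SSDP '200 OK' reply. Malformed header lines are skipped
    rather than trusted, since this input comes straight off the network."""
    text = raw.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue
        headers[name.strip().lower()] = value.strip()
    return headers


def describe_stack(headers):
    """Pull the stack identification out of the SERVER header. libupnp
    announces itself as 'Portable SDK for UPnP devices'; MiniUPnPd by name."""
    server = headers.get("server", "")
    low = server.lower()
    return {
        "server": server,
        "location": headers.get("location", ""),
        "libupnp": "libupnp" in low or "portable sdk for upnp" in low,
        "miniupnpd": "miniupnpd" in low,
    }


def discover_on_lan(timeout=2.0):
    """Send one M-SEARCH to the local multicast group (TTL 1, so it never
    leaves the attached segment) and collect whatever answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_GROUP)
    found = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append((ip, describe_stack(headers)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply in the shape a gateway sends; the address, UUID and
# the 0.0.0 version are placeholders, not a real device's values.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6, UPnP/1.0, Portable SDK for UPnP devices/0.0.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, info in discover_on_lan():
        print(ip, info)
```

Anything that answers here from a WAN-facing interface is what the report counted; a gateway that answers only on the LAN side is the expected case, and the SERVER header is the quickest way to learn which stack (and version) the vendor shipped.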

Re:Is it ``hacking'', the way they discovered it? (2)

girlinatrainingbra (2738457) | about a year ago | (#42735787)

Yep, I noticed that too when I RTFA'd after posting, just like every other dottir here on /. ;>)

Re:Is it ``hacking'', the way they discovered it? (1)

mellon (7048) | about a year ago | (#42736469)

It's good to know that the slashdottir are looking out for us.

Re:Is it ``hacking'', the way they discovered it? (1)

Anonymous Coward | about a year ago | (#42738515)

If your last name is Slashdottir, that probably means that you're a girl whose Icelandic mom got to "hang out" backstage at a Guns n Roses concert a few years back.

Re:Is it ``hacking'', the way they discovered it? (0)

Anonymous Coward | about a year ago | (#42738867)

It's good to know that the slashdottir are looking out for us.

What about the slashsson?

Re:Is it ``hacking'', the way they discovered it? (-1, Troll)

Diana Kua (2828383) | about a year ago | (#42735971)

I think If they use a representative sample of IP addresses in a particular space then result would be good.... http://x.co/sfEV [x.co]

Re:Is it ``hacking'', the way they discovered it? (1)

girlinatrainingbra (2738457) | about a year ago | (#42736053)

Well, they didn't have to use a representative sample of IP addresses, as they went ahead and sent "probes" about UPnP to every routable IPv4 address over 4+1/2 months (from June to mid-November 2012).

Halfway through the first page of the executive summary you'll find the following:
UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012.

I didn't notice that detail the first time I read the article.

Re:Is it ``hacking'', the way they discovered it? (0)

Anonymous Coward | about a year ago | (#42738887)

This is a spammer that copies parts from other people's comments and adds a link. Do not click the link.

Re:Is it ``hacking'', the way they discovered it? (1)

AC-x (735297) | about a year ago | (#42736051)

If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port?

Would it be illegal though? For example how would it be illegal to scan port 80 on every public IP address?

Re:Is it ``hacking'', the way they discovered it? (2)

Bengie (1121981) | about a year ago | (#42736569)

As far as I can tell, scanning ports is not illegal unless you do so in a manner that can DOS them.

Re:Is it ``hacking'', the way they discovered it? (1)

Zero__Kelvin (151819) | about a year ago | (#42738513)

" aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential serialized intentional attempt to knock on so many doors to test vulnerability, well that's just annoying and wrong, and possibly illegal,eh?"

You are kidding right? Also, a better but still imperfect analogy would be that they are walking down streets observing if doors exist, and if they are closed or open. A knock is an attempt to gain access, which they are not doing.

Long standing bet (5, Insightful)

EmperorOfCanada (1332175) | about a year ago | (#42735469)

I have had a long standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old d-link, linksys, etc routers out there doing their thing without being massively attacked.

The closest that I have seen to a good widespread attack was when a certain DSL modem would crash when script-kiddies were attacking NT machines and the same attack jammed up that model DSL modem. That wasn't really an attack and it didn't amount to much.

So my bet still stands with modification: there will be an attack, it will be soon, it will be a worm, and people will (mostly) be blissfully unaware of (why is my internet so slow) it and certainly be incapable of dealing with it. Thus it will come down to the ISPs to deal with it which should be interesting to watch.

Re:Long standing bet (0)

Anonymous Coward | about a year ago | (#42735685)

Simple, there's a smaller attack surface. Just look at the exploited flaws in client applications: script engines (javascript, flash), parsing code for complicated document formats. Complex code, large attack surface. Router software isn't complex like that, right?

Re:Long standing bet (3, Insightful)

Corwn of Amber (802933) | about a year ago | (#42735721)

Router software is utter, total, complete shit and all of it is attackable with 25-year-old buffer overflows.

GP is right. A worm packing a handful of attacks, designed to replicate on old routers, would make hundreds of millions of victims and nothing could stop it.

It would actually force the rock-stupid morons to replace their obsolete hardware, though. That would be a good thing. Even if they buy the new castrated shit hardware that won't ever be supported.

Re:Long standing bet (0)

Anonymous Coward | about a year ago | (#42735877)

Like they don't have that same 25-year-old buffer overflow bug in the new model?

Re:Long standing bet (1)

Corwn of Amber (802933) | about a year ago | (#42735901)

They have other bugs, still buffer overflows. Basically, all models that don't have sanitation on all inputs can be hacked that way. And there are zero consumer routers that sanitize everything. But there are a lot of consumer routers that can very simply be 0wned and stay 0wned.

Still wondering why anyone ever bothered making botnets out of Windows boxes. It's so much easier to keep routers infected than PCs.

Re:Long standing bet (1)

Anonymous Coward | about a year ago | (#42736223)

Still wondering why anyone ever bothered making botnets out of Windows boxes. It's so much easier to keep routers infected than PCs.

Try to put something on a device that is underpowered for the job it is designed for. Many DSL routers break CPU and/or memory wise if you really use your connection.

Re:Long standing bet (0)

Anonymous Coward | about a year ago | (#42736271)

How many models of routers with different OSes and architectures do you think are out there? How many of them have development toolchains readily available?

You could target something like WRT, but then those are more likely to get patches and/or have UPnP disabled.

It could be used for pointed attacks, but then again, what kind of targeted attack worthy organization has UPnP facing Internet?

Attack surface is still smaller (1)

Dr. Evil (3501) | about a year ago | (#42736479)

Remote buffer overflow in what? The Linux kernel? iptables?

There are some crappy routers which expose remote administration tools by default, but those are the exception. Most old home routers' only flaw is to enable Universal PnP out of the box and not to encrypt wireless.

Re:Attack surface is still smaller (1)

Jeng (926980) | about a year ago | (#42738547)

Actually I doubt a technical attack is necessary to hinder the security considering how many people just keep the default passwords for their routers.

Re:Long standing bet (0)

Anonymous Coward | about a year ago | (#42735911)

That sounds really bad. Someone could install bittorrent and tor relays on 80 million routers. Just thinking...

Re:Long standing bet (2)

Bearhouse (1034238) | about a year ago | (#42735917)

Interesting thought, which has probably occurred to other people, of course.
I suppose the reason why we have not seen large-scale attacks on routers so far, (and maybe there are some out there already, undetected) is that it has just been easier to infect PCs and use them in botnets, with the tools widely available.
Would probably take a little more time and ingenuity to setup a net of zombie routers, with the need to tailor the worm or whatever a little to each model/software stack.
However, once it was in place, can you imagine the disruption? Most SOHO & home users don't know anything about their ISP modem/routers at all, and use them by default as their firewall. Imagine that *gone* tomorrow. An ISP trying to roll out large-scale firmware updates via a non-tech-savvy audience sounds like a recipe for disaster. (Although I suppose many of the later models support remote update...).
Since many users have no choice in their selection of ISP device, it is surely the responsibility of the ISP to make them secure...yeah, like it's their responsibility to get us all IPv6-compatible stuff too...don't hold your breath.

In the meantime, roll your own firewall box everyone, and while you're at it, do one for your friends and relations. It's cheap and fairly easy.
Here's a good place to start.
http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119 [amazon.com] (You don't have to use BSD, of course, most any flavour of *x will do)
Or just download a distro where pretty much all the work has been done for you.
http://www.techradar.com/news/software/applications/7-of-the-best-linux-firewalls-697177 [techradar.com]

Of course, sitting smug and secure behind your shiny new firewall box will not help if you cannot access the net except via your compromised POS router. If you can, buy a decent one to substitute for the ISP-supplied crap.

Re:Long standing bet (1)

peragrin (659227) | about a year ago | (#42736359)

It is simple processing power.

You hack a router, the victim's internet slows down, whether you're using bandwidth or not. They notice it, eventually call the ISP. The ISP makes you plug a real computer in and suddenly everything is moving fast again.

You go to Best Buy, plunk down some cash, get another router. The old one goes in the garbage.

no more bot node.

Re:Long standing bet (1)

Gr8Apes (679165) | about a year ago | (#42736715)

I did this a long long time ago. It's true, even rolling your own kernel isn't that hard. But it does add to the noise, heat, and power draw. I would prefer to have a sub 10W silent router over a 180+W noisy one any day of the week. Now, the first thing you do with any router is disable UPnP, especially on ISP provided systems. The next thing you do is use your own router behind the ISP one. Now you're in full control of all in/out traffic and can monitor it if you'd like.

Re:Long standing bet (1)

drinkypoo (153816) | about a year ago | (#42737237)

I used to have a PC which was a router. But now I have a router which is a computer.

I will probably go back to Wireless-G, and then I'll be able to use tomato again. But at least my current router is Linux-based. For some reason there's no alternate distributions for it, probably mostly because the GPL sources/build environment don't actually work. Thanks, D-Link.

Re:Long standing bet (1)

2fuf (993808) | about a year ago | (#42736079)

The way you describe it, it'll be hard to call your bet. How can one disprove this hasn't already happened?

Re:Long standing bet (1)

DarkOx (621550) | about a year ago | (#42736375)

Traditionally the lightweight home routers, vulnerable or not, have just not been targets. It was easy enough to get control of the much more powerful machine behind it. If you wanted a spam bot, a PC is much more useful. If you are an identity thief etc., the PC will have information on it, the router probably not so much. If you are a script kiddy and you just want metasploit to grab some screenshots for the lolz, then again the PC behind the router was more interesting.

I am not saying that in an attack control of the router is not an incredibly valuable asset to your operation, but it was hardly needed for attacking home PCs and of little value on its own. As these things are getting more powerful with more memory and capable processors, a botnet of home routers might be useful in its own right, so I agree it's coming. The reason that old d-link, linksys etc. is doing its thing is because nobody really cares about it.

I've had a long-standing FIX since 2007... apk (0)

Anonymous Coward | about a year ago | (#42736845)

http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736557 [slashdot.org]

* :)

( I cover it in 2 ways there, & have BEEN covering it since late 2007, per security guides for Windows users -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736725 [slashdot.org] I wrote up back then - that still do a good job, even today, even vs. THIS vulnerability... )

APK

P.S.=> "Onwards & UPWARDS"...

... apk

Re:Long standing bet (1)

tlhIngan (30335) | about a year ago | (#42738189)

I have had a long standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old d-link, linksys, etc routers out there doing their thing without being massively attacked.

Easy - routers are not monocultures. They vary in price and capabilities from sub-$20 specials to $200+ with fast processors, lots of RAM, USB, etc. etc. etc.

A vulnerability in one is not necessarily a vulnerability in all, and may only be present in one specific firmware revision. And routers fall out of support very rapidly, so now you've got an attack surface comprised of hundreds of router models, each of which has a handful of different firmware revisions.

The closest that I have seen to a good widespread attack was when a certain DSL modem would crash when script-kiddies were attacking NT machines and the same attack jammed up that model DSL modem. That wasn't really an attack and it didn't amount to much.

That's because most of the ISP provided CPE is often of one model running a very specific firmware revision. Which leads to a monoculture and makes it much easier to do a targeted attack (you only attack the ISP's IPs, and can be reasonably confident that the hole exists on practically all of the ISP's CPE).

I saw this coming 5 years ago (1)

Anonymous Coward | about a year ago | (#42735483)

Let any application open a port to the outside world on your router? Really? And nobody gave a damn about the consequences or even understood its power. Meanwhile I sat back and watched as millions of people enabled it by default on products shipped out worldwide and said nothing, because NOBODY CARED; they /wanted/ the convenience and turn-key solution that UPnP provided and didn't want to bother learning how to open their own ports manually.

Re:I saw this coming 5 years ago (0)

Anonymous Coward | about a year ago | (#42735551)

Let any application open a port to the outside world on your router? Really? And nobody gave a damn about the consequences or even understood its power. Meanwhile I sat back and watched as millions of people enabled it by default on products shipped out worldwide and said nothing, because NOBODY CARED; they /wanted/ the convenience and turn-key solution that UPnP provided and didn't want to bother learning how to open their own ports manually.

5 years ago?

Dude, I remember this from 9 years ago [sans.edu].

Any technology that purports to make a device accessible to every host on a network - UPnP, Bonjour/Zeroconf, what have you - is bound to have at least one remote exploit. And should be disabled by default.

On a Windows box, I don't use a software firewall to keep an eye on potential malware, I use it to keep a lid on the software I pay for.

Re:I saw this coming 5 years ago (2)

sumdumass (711423) | about a year ago | (#42735689)

Steve Gibson of grc.com had been warning about plug'n play since late 2001, when Windows XP was on its first release. He even offered a service to quickly turn it off and scan for it.

Of course that was back when MS claimed their software firewall on XP was enough to put your computer directly onto the internet, and you could use the XP machine as a router with internet connection sharing actually working easily on it. And if doing so, the average time from fresh install to infected was about 5 minutes or so, often before your AV could update and detect the infection. I think that rose to about 15 minutes after some updates, and I lost track of what it might be now.

Anyways, the alarms have been going up for about 12 years now. I wasn't aware that routers were implementing it until recently so I'm sure I'm in the problem pile on this.

Re:I saw this coming 5 years ago (1)

bill_mcgonigle (4333) | about a year ago | (#42735713)

Anyways, the alarms have been going up for about 12 years now. I wasn't aware that routers were implementing it until recently so I'm sure I'm in the problem pile on this.

Not sure if it was exposed in low-end firmwares, but we were turning it off in dd-wrt back in '04 (maybe it was still ewrt at that point).

Re:I saw this coming 5 years ago (2)

Nerdfest (867930) | about a year ago | (#42736063)

Does anyone know if the latest DD-WRT, OpenWRT, and Tomato releases are vulnerable?

Re:I saw this coming 5 years ago (0)

Anonymous Coward | about a year ago | (#42736467)

OpenWRT 12.09 (Attitude Adjustment) uses MiniUPnPd v1.6, but only if you choose to install it. v1.6 was released around 18 months ago, and the article says that versions more than 2 years old are vulnerable. So it appears to be safe. In any case, no UPnP daemon is installed by default.

I don't follow DD-WRT or Tomato... I think they're dead-end projects, personally.

Re:I saw this coming 5 years ago (1)

Anonymous Coward | about a year ago | (#42738153)

Gosh, BOTH informative and a troll. Hey people, it makes it hard to moderate if you don't put your differing characteristics in separate posts.

Re:I saw this coming 5 years ago (0)

Anonymous Coward | about a year ago | (#42735819)

I've also known that this was a potential source of vulnerabilities for many years now. Ultimately, the presence of UPnP adds very little value to systems, and turning it off doesn't degrade the system as far as I've been able to tell.

For my Windows machines, I have a post-setup series of scripts which turn off the two services related to UPnP, and on domestic gateways/routers I've turned it off manually for every change in hardware since at least 2004.

Re:I saw this coming 5 years ago (0)

Anonymous Coward | about a year ago | (#42735885)

OP AC here, 5 years ago I was made aware that everyone and their pet dog/cat/rabbit had UPnP enabled by default by all routers/modems.

Up until then I knew of its existence and disabled it by default, but wasn't aware that other people were stupid enough to actually use it, 5 years ago I was made aware that enough people are stupid enough to leave it on.

It was a sort of idiocracy-eye-opener.

Suddenly old UPnP problem is hot - Media Servers? (1)

FlameWise (84536) | about a year ago | (#42737233)

I did actually install that Gibson thing to disable my UPnP in 2001 because I didn't see a use for accessing my Plug-and-Play hardware over the net - the very concept of plugging something into one machine and accessing it from another as if it had been plugged in there felt far too much like a security problem to me.

Seems these days this is just becoming a hot topic again because Media Servers seem to use UPnP for streaming music and movies to your TV, or speakers, or smartphone, or tablet - yes, right across the Internet.

And some WLAN routers now tout their built-in Media Server as a feature, and of course you want to allow access to them from the Internet because of smartphone tunes... ...and all apparently without proper security, or at least I was never prompted for login details.

V1.0? (1)

hedley (8715) | about a year ago | (#42735499)

How many vendors are going to patch some obsolete hw to get the lib updated? I would be surprised if they can build images for some of those old products. That said, it seems a bit of an uphill crack, you have to know the target CPU, the lib version, and prepare a useful injection rather than just a denial of service. Still, it is interesting that people are still acting as documented on data coming over the wire, sprintfs into buffers with %s was an eye opener to me. These days for web stuff I use the c++ string class, fixed c buffers look weak to me with unvalidated socket input.

H.

Re:V1.0? (1)

Corwn of Amber (802933) | about a year ago | (#42735741)

How many vendors are going to patch some obsolete hw to get the lib updated?

Zero.

I would be surprised if they can build images for some of those old products.

I'm certain that most of them have simply lost or let bitrot the toolchains they need to build those images.

That said, it seems a bit of an uphill crack, you have to know the target CPU, the lib version, and prepare a useful injection rather than just a denial of service.

Pack several exploits in the worm.

Still, it is interesting that people are still acting as documented on data coming over the wire, sprintfs into buffers with %s was an eye opener to me. These days for web stuff I use the c++ string class, fixed c buffers look weak to me with unvalidated socket input.

H.

Shovelware kit will always be programmed all wrong and never be updated, be it by their rock-fuck owners or greedy makers.

Re:V1.0? (0)

Anonymous Coward | about a year ago | (#42738777)

How many vendors are going to patch some obsolete hw to get the lib updated?

Zero.

Nope. [latimes.com]

Toyota is recalling 907,000 vehicles, mostly Corolla models, around the world for faulty air bags and another 385,000 Lexus IS luxury cars for defective wipers.

Toyota Motor Corp. spokesman Naoto Fuse said Wednesday there have been no accidents or injuries related to either of those defects

manufactured between December 2001 and May 2004.

So how old are these "obsolete" routers, and why is a ten year old piece of equipment seen as "obsolete"? My car is an '02, why can I still not only get it serviced, but recalled for design flaws, while Microsoft and Cisco can just tell me to fuck off when a defect is found in their wares?

Could it be that they do it BECAUSE THEY CAN?? The real question is, why do we put up with this nonsense? Why aren't we up in arms and demanding product recalls, not just for routers but Windows XP as well?

-mcgrew (can't log on here)

No surprise here... (0)

Anonymous Coward | about a year ago | (#42735555)

This is what you should expect when you design a protocol as unnecessarily complex and as undocumented as UPnP.

A friend and I were thinking of using UPnP to help people run servers for a game we're working on, but documentation for the protocol is seemingly non-existent, and from what we can tell, it's quite complex as well, requiring a lot of parsing of plain text (XML is more bug-prone than binary data in that respect) and using protocols that are clearly bad ideas (like HTTP over UDP, rather than doing something sane like creating a UPnP protocol by just sending packets with the necessary information in them rather than wrapping it all up in a bunch of XML and HTTP, and then some bastardized form of HTTP at that).

We found libupnp, and thought about using it, but even it's quite complex for the given task. All we want to do is tell the fucking router that we'd like an open port. Why should that be so difficult? Quite honestly, the router only needs 16 bits of data from us to fulfill the request, but for some reason they've taken something so simple and wrapped it in layers of bullshit. That sort of thing just begs for vulnerabilities to be present everywhere, since rather than spend time reviewing code and verifying that it works correctly, developers instead spend all their time just getting things to work at all.
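To make the "layers of bullshit" concrete, and to show the side of the same exchange a defender actually wants, here is an added example (not code from this thread, from libupnp or from miniupnpc) that speaks the IGD control protocol: an HTTP POST carrying a SOAP envelope for the `GetGenericPortMappingEntry` action of the `WANIPConnection:1` service, walked index by index until the gateway returns a fault, which lists every port mapping the router is currently holding open. The control URL `http://192.0.2.1:49152/ctl/IPConn`, the 192.0.2.20 client address and both sample responses are constructed; the transport is injectable so the sample runs offline, and `fetch=None` uses `urllib` against a real gateway.

```python
"""List the port mappings a UPnP IGD gateway currently holds. Added example,
not from the thread or from libupnp/miniupnpc; control URL and sample SOAP
responses are constructed."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAPPING_FIELDS = (
    "NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
    "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
    "NewLeaseDuration",
)


def build_get_mapping_request(index):
    """The whole control 'protocol': an HTTP POST whose body is a SOAP envelope
    naming the action and its single argument, plus a SOAPAction header."""
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
        f'<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_SERVICE}#GetGenericPortMappingEntry"',
    }
    return headers, body.encode("utf-8")


def parse_mapping_response(xml_bytes):
    """Return the mapping as a dict, or None when the gateway answered with a
    SOAP fault, which is how the IGD spec signals 'no entry at that index'."""
    root = ET.fromstring(xml_bytes)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = root.find(f".//{{{WANIP_SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    entry = {}
    for field in MAPPING_FIELDS:
        node = resp.find(field)
        entry[field] = (node.text or "").strip() if node is not None else ""
    return entry


def is_open_to_internet(entry):
    """Triage helper: an enabled mapping with an empty remote-host filter
    accepts that port from any source address."""
    return entry["NewEnabled"] == "1" and entry["NewRemoteHost"] == ""


def enumerate_mappings(control_url, fetch=None, limit=256):
    """Walk indices 0..limit-1 until the gateway faults. `fetch(headers, body)`
    returns the raw response; the default posts to the real control URL."""
    if fetch is None:
        def fetch(headers, body):
            req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
            try:
                with urllib.request.urlopen(req, timeout=5) as r:
                    return r.read()
            except urllib.error.HTTPError as e:
                return e.read()  # UPnP faults arrive as HTTP 500 with a SOAP body
    mappings = []
    for i in range(limit):
        headers, body = build_get_mapping_request(i)
        entry = parse_mapping_response(fetch(headers, body))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


# Constructed sample responses: one mapping, then the fault that ends the list.
SAMPLE_RESPONSES = [
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b'<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    b'<NewRemoteHost></NewRemoteHost><NewExternalPort>3074</NewExternalPort><NewProtocol>UDP</NewProtocol>'
    b'<NewInternalPort>3074</NewInternalPort><NewInternalClient>192.0.2.20</NewInternalClient>'
    b'<NewEnabled>1</NewEnabled><NewPortMappingDescription>Game console</NewPortMappingDescription>'
    b'<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>',
    b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
    b'<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    b'<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>'
    b'</s:Fault></s:Body></s:Envelope>',
]


def enumerate_sample():
    """Offline run over the constructed responses above (hypothetical control URL)."""
    replies = iter(SAMPLE_RESPONSES)
    return enumerate_mappings("http://192.0.2.1:49152/ctl/IPConn", fetch=lambda h, b: next(replies))


if __name__ == "__main__":
    for m in enumerate_sample():
        print(m["NewProtocol"], m["NewExternalPort"], "->", m["NewInternalClient"],
              "(open to Internet)" if is_open_to_internet(m) else "")
```

The control URL comes from the device description document that the SSDP LOCATION header points at; the exchange carries no credentials at all, so the list this returns is every hole any LAN host (or any malware on one) has asked the router to open, and reviewing it periodically is the practical counterpart to just unchecking the UPnP box.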

Re:No surprise here... (1)

ledow (319597) | about a year ago | (#42736471)

And you've just given me one more reason to think that my policy of "turn it off" (since it was first put into a consumer OS) was correct.

"All we want to do is tell the fucking router that we'd like an open port. Why should that be so difficult?"

Because it's MY DAMN COMPUTER and network, that's why. And you have no need to open my ports. You can talk outwards, no problem at all, to any destination that will accept a connection. And most home routers will NOT accept a connection (you have to think of people who DON'T have UPnP enabled or compatible hardware too, or have software firewalls in the way as well, etc.). Why do I need to let traffic through other than what your servers have sanitised and handled for me?

The number of actual applications for UPnP is vanishingly small, and all solved by just running an intermediary server to handle connections which requires next-to-nothing in terms of resources (literally, a £10/month VPS would be overkill just for that, and most people that would need it have something like a website anyway that could run off the same machine).

And the simple examples of Skype/Steam show that there's NO NEED TO, whether joining gameservers or providing streaming video from both ends simultaneously, unless I'm deliberately setting up a network service that NEEDS to be accessible to the world. And if I can't figure out a port-forward interface on a router for that, maybe I shouldn't be doing it.

Opening a port really is old-hat, and not something that's worked reliably on any random machine/network for decades (You'll notice that things like TeamViewer etc. just run a local client and talk out to an accessible server, faffing with port-forwards just isn't worth the hassle). And there's no need to do it. And UPnP is just a way for it to happen automatically (whether it works or not is another matter) without any user say-so in it. If that isn't enough to scare you off having used it for the past decade, maybe you need to run a network or two and see what it means in real terms of impact upon what you need to do.

If your application NEEDS to open ports, run an intermediary server which is publicly accessible, secured, and only exposes that port necessary. If you haven't got the resources / brains to do that, I don't want you opening ports into my networks and personal computers anyway.

Re:No surprise here... (0)

Anonymous Coward | about a year ago | (#42736955)

Wow, Linus was right, masturbating monkeys indeed. It's nice that you take the previous post all out of context and then use it to talk down to them and to belittle them. Nice in that it may have given you some validation and made you feel righteous and fulfilled. You know when you do that it's like a great psychological cry for help that the rest of us can read, don't you?

find the posts (3, Interesting)

r00t (33219) | about a year ago | (#42735569)

Just yesterday, lots of Slashdot readers claimed UPnP was totally reasonable for security. It's time for a wall of shame. Here is the story:

http://it.slashdot.org/story/13/01/29/0111238/58000-security-camera-systems-critically-vulnerable-to-attackers [slashdot.org]

I'll start.

adolf: http://it.slashdot.org/comments.pl?sid=3415287&cid=42722879 [slashdot.org]
Miamicanes: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723217 [slashdot.org]
julesh: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723393 [slashdot.org]

Re: find the posts (0)

Anonymous Coward | about a year ago | (#42735927)

The article talks about vulnerabilities in the implementation. How does this make the protocol bad?

Re:find the posts (1)

Anonymous Coward | about a year ago | (#42736129)

Maybe you should start with the link to your comment where you claimed it was not (and specifically because of bad implementation, instead of just being an unauthenticated protocol). Otherwise you don't have the told-you-so right, and your comment is nothing but flamebait.

Sweet! (0)

Anonymous Coward | about a year ago | (#42736603)

I was shocked that I had to, repeatedly, argue about the insecurity of the entire UPnP concept with supposedly technical people on Slashdot. This article and your post is a sweet stab to the face of those morons.

UPnP is a ludicrous concept intended to facilitate the installation of network devices by complete neophytes. It is a marketing tool, not a networking or security tool. Even without this "new" vulnerability UPnP is a disaster that should always be disabled.

Having UPnP turned on is the equivalent of turning off your firewall. Arguments in favor of UPnP are proof of not having a clue.

Brilliant by design (1)

Anonymous Coward | about a year ago | (#42735571)

Rapid7 provide a testing tool. It requires Java. So to find one vulnerability, you have to install another.

Re:Brilliant by design (0)

Anonymous Coward | about a year ago | (#42735773)

Strange, my system has a patched version of Java.

Re:Brilliant by design (2, Insightful)

rvw (755107) | about a year ago | (#42736021)

Rapid7 provide a testing tool. It requires Java. So to find one vulnerability, you have to install another.

So don't install the Java plugin in your browser and quit bullshitting.

Re:Brilliant by design (0)

Anonymous Coward | about a year ago | (#42736457)

Sounds like a butthurt java developer living in denial about his favourite technology circling the drain.

Re:Brilliant by design (0)

Anonymous Coward | about a year ago | (#42737775)

I'm curious, how do you 14 year olds find this site? It's not like... reddit hip or anything.

Re:Brilliant by design (0)

Anonymous Coward | about a year ago | (#42736977)

So don't install the Java plugin in your browser and quit bullshitting.

Because for most of the JRE's life it was impossible to install java without installing the java plugin into the web browser.

Re:Brilliant by design (0)

Anonymous Coward | about a year ago | (#42737865)

Aren't "native" Java applications given way more permissions than the browser plugin?

So isn't that a worse vulnerability?

FYI If you have Verizon FiOS... (4, Informative)

eksith (2776419) | about a year ago | (#42735613)

...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.

But the page itself is still there. Only the link was removed. To get to it, visit: http://192.168.1.1/index.cgi?active%5fpage=900 [192.168.1.1]

Suck it, Verizon!

Re:FYI If you have Verizon FiOS... (1)

eksith (2776419) | about a year ago | (#42735621)

Forgot to add, my router model is MI424WR-GEN3I

Re:FYI If you have Verizon FiOS... (4, Funny)

rvw (755107) | about a year ago | (#42736035)

...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.

But the page itself is still there. Only the link was removed. To get to it, visit: http://192.168.1.1/index.cgi?active%5fpage=900 [192.168.1.1]

Suck it, Verizon!

Forgot to add, my router model is MI424WR-GEN3I

Hey I just tried to log in to your browser, but it seems to be a Linksys Router, and that link didn't work, got a 404 back. So please - for the next time - make sure what you're talking about!

Re:FYI If you have Verizon FiOS... (0)

Anonymous Coward | about a year ago | (#42736159)

Disclaimer:
Readers might get varying results, when trying to log in to 192.168.1.1.

There, fixed that for you.

Re:FYI If you have Verizon FiOS... (0)

Anonymous Coward | about a year ago | (#42736301)

of cos u get 404! i got their frist and hacked dat n00b asshoConnection reset by peer

Re:FYI If you have Verizon FiOS... (1)

eksith (2776419) | about a year ago | (#42736765)

Not sure if this is trolling or genuine. But just in case it's genuine, please visit YouTube and browse for cat videos. Watch about 4 hours worth and then read this [wikipedia.org]

Bridge your FIOS modem... apk (1)

Anonymous Coward | about a year ago | (#42736967)

Set it into "bridged" mode, & get a GOOD NAT stateful packet inspecting router!

(E.G./I.E.-> For example, my LinkSys/CISCO BEFSX41 for example, can do this - most, CAN!).

Why?

It works, since it sets THEIR FIOS (or DSL) modem into "dummy terminal mode", & then allows YOUR router to take over control duties instead!

(Which, odds are, since your firewalling router has more features for security, odds are, including UPnP control, "hardware-side" - then, you can also do this OS-side too, in Windows as well for more "layered-security"/"defense-in-depth" -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736557 [slashdot.org] by disabling the service for UPnP too...)

* :)

I cover the software-side, for a GOOD reason too - routers can & DO get "compromised" in OTHER WAYS besides this issue is why...

(Hence, my coverage of OS side too, as that "layered-security"/"defense-in-depth" as well!)

APK

P.S.=> Been covering this since late 2007 in security guides I wrote up -> http://tech.slashdot.org/comments.pl?sid=3418595&cid=42736725 [slashdot.org]

... apk

Lol shovelware (2)

Corwn of Amber (802933) | about a year ago | (#42735697)

Yes, shovelware applies to hardware too. Hardware like home routers, which are NEVER EVER updated - be it by their rock-dumb owners or their irresponsible manufacturers.

And then this happens. All the time forever, until the greedy fucks who make those never-updated shit get slapped with fines for gazillions, and THEN the surviving ones would begin to think of SUPPORTING the crap they sell, instead of shoveling poorly-differentiated models that only exist to make the non-castrated one more expensive than it has any sort of right to be. But then market segmentation is worth so much more than supporting the products you sold! Why would they sell at what the product is worth (i.e. marginal production cost) when they can pretend to turn more profit by selling half-products at full price so that the complete product costs three times what it should? And when making several models by chopping out necessary things from the reference one, it gets much more complicated to support all the kinds of half-products, instead of making one that works well and is supported for long.

Also, the only company that does Just That - good products at some price point, but no range of half-products headed by one real model (that all the shit ones are based on, minus vital features) happens to be the most profitable company in the world. Just sayin'.

Re: Lol shovelware (0)

Anonymous Coward | about a year ago | (#42735951)

Quite interesting that everybody here understands that there are millions of small router device owners out there that can hardly operate a windows machine let alone flash and update their router. Yet when a company decides to set their router's automatic update (remember the Linksys case?) on by default we flame them to death...

Automatic Updates (0)

Anonymous Coward | about a year ago | (#42736861)

Quite interesting that everybody here understands that there are millions of small router device owners out there that can hardly operate a windows machine let alone flash and update their router. Yet when a company decides to set their router's automatic update (remember the Linksys case?) on by default we flame them to death...

I'm pretty sure that if Cisco had rolled out a patched firmware that didn't change the features, functionality or configuration on the router that most people would have been quite OK with it, maybe even happy.

But, Cisco rolled out a whole new feature set firmware that removed control from the end user, moved their configs to the cloud, forced them to create cloud accounts to regain any access to their own routers, started collecting user usage data for advertisers or what-have-you.

In scenario one, bugs are automatically fixed. In scenario two the router is hijacked and its functionality significantly altered without notification. That's a huge difference.

2001 just called.... (1)

SwampChicken (1383905) | about a year ago | (#42735701)

Re:2001 just called.... (0)

Anonymous Coward | about a year ago | (#42735779)

That's PNP not UPNP and very different.

Re:2001 just called.... (0)

Anonymous Coward | about a year ago | (#42736331)

wrong wrong wrong WRONG WRONG WRONG wrong wrong

Re:2001 just called.... (0)

Anonymous Coward | about a year ago | (#42737007)

So you're saying that's wrong?

Who to blame? (0)

Anonymous Coward | about a year ago | (#42735739)

I blame the banking industry for colluding to set LIBOR.

all your 23 million bases (0)

Anonymous Coward | about a year ago | (#42735855)

are potentially belonging to someone? are we talkin root level type executions?

if this is legal (0)

Anonymous Coward | about a year ago | (#42735959)

then 'anonymous' is doing it all wrong.

when they hack a site, they just need to put a little notice on it.

"your site is vulnerable. we are researchers, not hackers. this has been an public service of anonymous."

captcha: sesame

We were warned (1)

Mike Frett (2811077) | about a year ago | (#42736033)

Microsoft was one of the founders of the UPnP Forum, Apple isn't a member. Not to mention that Microsoft pushed this API very hard. We were warned of the vulnerability of this protocol back in 2001. There was a big deal with Windows ME and XP about disabling this service also. It was Microsoft who ignored all the vulnerabilities at first; if they scared OEMs then the OEMs wouldn't implement this protocol.

This is yet another example of why Microsoft has too much power and shouldn't be dictating what's in my hardware. How long until Secure Boot gets this same treatment of access to your system?

Level7 is a Phishing vulnerability (1)

gishzida (591028) | about a year ago | (#42736511)

I followed the link to the article... then the link to the PDF, followed the link to their "Vulnerability Detector"... Start to install... Read the Legalese... The terms are suspicious... Click OK to continue... The next screen asks for personal information. Red Lights and Alarms go off. Anytime a "security vendor" lists contract terms like those and then wants my name and address when I did not want or ask to contract a service, I kill the installer.

Level7 is not preventing a problem --- it is the problem. If you installed their client you have just been pwned...

2 preventative fixes (1 for Windows users)... apk (0)

Anonymous Coward | about a year ago | (#42736557)

1.) IF you use a router (NAT stateful packet inspecting type hopefully)? Examine its settings for UPnP - & disable it!

(E.G./I.E.-> LinkSys/Cisco models DO offer this (I have that in my wired BEFSX41 unit here))

2.) Per my subject-line - for Windows users, specifically: Disable Windows' "UPnP Device Host" service (Run services.msc & right-click on that service name, setting it to disabled)

(Assuming you DON'T need its services, that is... & if you do? That's a risk you're taking until this is fixed!)

---

* VOILA: Problem solved, & rather easily...

APK

P.S.-> And, there you go...

... apk

Me not understand (1)

jones_supa (887896) | about a year ago | (#42736571)

Why is the uPnP service facing Internet anyway? Shouldn't it be accessible only from LAN?

Re:Me not understand (1)

LunaticTippy (872397) | about a year ago | (#42738739)

You are correct, it shouldn't be exposed to the WAN. Doing so is an implementation flaw, and this flaw is widespread. uPnP has other problems, but this particular one is truly awful.
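The two replies above describe the flaw precisely: an SSDP responder that listens on every interface (or on 0.0.0.0) answers the whole Internet, when it should answer only hosts on its own LAN segment. The block below is an added example, not code from any router firmware or from the posters, of the policy a gateway's responder should apply: bind only to LAN addresses, and answer a datagram only if it arrived on a LAN interface, from a source address inside that interface's subnet, addressed either to the SSDP multicast group or to the interface itself. The interface table is constructed for a hypothetical gateway (interface names and addresses are assumptions; 203.0.113.0/24 is the TEST-NET-3 documentation range standing in for the ISP side), and only IPv4 is handled.

```python
"""LAN-only policy for an SSDP responder on a home gateway (added example)."""
import ipaddress
from dataclasses import dataclass

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")


@dataclass(frozen=True)
class Interface:
    name: str
    cfg: ipaddress.IPv4Interface   # address/prefix, e.g. 192.168.1.1/24
    is_lan: bool


# Constructed interface table for a hypothetical gateway (not any real product).
GATEWAY_IFACES = {
    "br-lan": Interface("br-lan", ipaddress.ip_interface("192.168.1.1/24"), is_lan=True),
    "eth0.2": Interface("eth0.2", ipaddress.ip_interface("203.0.113.7/24"), is_lan=False),
}


def ssdp_bind_addresses(ifaces=GATEWAY_IFACES):
    """Addresses the SSDP socket should bind to: each LAN address, never 0.0.0.0."""
    return sorted(str(i.cfg.ip) for i in ifaces.values() if i.is_lan)


def should_answer_ssdp(iface_name, src, dst, ifaces=GATEWAY_IFACES):
    """Decide whether a datagram received on iface_name from src to dst gets a reply.
    Returns (allowed, reason) so a rejected packet can be logged with its cause."""
    iface = ifaces.get(iface_name)
    if iface is None:
        return False, "unknown interface"
    if not iface.is_lan:
        # The widespread flaw: answering on the WAN side at all.
        return False, "SSDP is not served on WAN interfaces"
    try:
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return False, "unparseable address"
    if src_ip.version != 4 or dst_ip.version != 4:
        return False, "only IPv4 is handled in this example"
    if dst_ip != SSDP_GROUP and dst_ip != iface.cfg.ip:
        return False, "destination is neither the SSDP group nor this interface"
    if src_ip not in iface.cfg.network:
        # A packet on the LAN port with a foreign source is routed or spoofed;
        # checking "is_private" alone would not catch a spoofed 192.168.x.x.
        return False, "source is not on this interface's subnet"
    return True, "ok"


if __name__ == "__main__":
    print("bind to:", ssdp_bind_addresses())
    for iface, src, dst in [("br-lan", "192.168.1.50", "239.255.255.250"),
                            ("eth0.2", "203.0.113.200", "239.255.255.250"),
                            ("br-lan", "10.0.0.5", "239.255.255.250")]:
        print(iface, src, "->", dst, should_answer_ssdp(iface, src, dst))
```

The subnet check is per interface rather than a generic RFC 1918 test on purpose: a gateway with several LAN segments (guest Wi-Fi, IoT VLAN) should only answer each segment's own hosts, and a private-range source arriving on the wrong port is just as suspicious as a public one.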

Tomato Firmware v1.28 not vulnerable (1)

Nimey (114278) | about a year ago | (#42737203)

I've got an old Linksys WRT54GL running the latest Tomato Firmware (v1.28; development seems to have stopped), which has MiniUPNP v1.4 providing Universal PnP services. Version 1.4 is not vulnerable to the exploits listed in the whitepaper (1.0 is), so it's probably safe to keep it turned on.
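Checking which UPnP stack a device runs, as the poster did for Tomato, comes down to reading the SERVER header in its SSDP replies, which lists product/version pairs. The following is an added example, not Tomato, MiniUPnP or Rapid7 code, of an inventory check over such headers: it tokenizes the header, compares each known product against a version floor, and reports unknown stacks for manual review. The header values are constructed samples; the single floor entry (MiniUPnPd at 1.4) is an illustration taken from the comment above, which reports 1.4 as unaffected and 1.0 as affected, and a real table would be filled in from the vendor's own advisory.

```python
"""Inventory check: read the SSDP SERVER header and compare product versions to a floor."""
import re

# Constructed SERVER header values (not captured from real devices).
SAMPLE_SERVER_HEADERS = [
    "Linux/2.6 UPnP/1.0 MiniUPnPd/1.4",
    "Linux/2.4 UPnP/1.0 miniupnpd/1.0",
    "Linux/2.6.21 UPnP/1.0 Portable SDK for UPnP devices/1.6.6",   # libupnp-style string
]

# Minimum acceptable versions, keyed by lower-cased product name.  The only
# entry is an illustration taken from the comment above (1.4 reported as not
# affected, 1.0 as affected); fill a real table from the vendor's advisory.
VERSION_FLOORS = {"miniupnpd": (1, 4)}

# One "product/version" token; the product may contain spaces, so match up to
# the slash rather than splitting on whitespace.
_TOKEN = re.compile(r"\s*([^/]+?)/(\S+)")


def parse_server_header(value):
    """'Linux/2.6 UPnP/1.0 MiniUPnPd/1.4' -> [('Linux','2.6'), ('UPnP','1.0'), ('MiniUPnPd','1.4')]"""
    return [(m.group(1).strip(), m.group(2)) for m in _TOKEN.finditer(value)]


def version_tuple(text):
    """'1.6.6' -> (1, 6, 6); any non-numeric suffix is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def compare_versions(a, b):
    """Return -1, 0 or 1 after right-padding the shorter tuple with zeros,
    so that (1, 4) and (1, 4, 0) compare equal."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def assess_server_header(value, floors=VERSION_FLOORS):
    """Return (status, findings) where status is 'OK', 'BELOW_FLOOR' or 'UNKNOWN'
    and findings lists (product, version, verdict) for every product in the table."""
    findings = []
    for product, version in parse_server_header(value):
        floor = floors.get(product.lower())
        if floor is None:
            continue
        verdict = "OK" if compare_versions(version_tuple(version), floor) >= 0 else "BELOW_FLOOR"
        findings.append((product, version, verdict))
    if not findings:
        return "UNKNOWN", []          # stack not in the table: review by hand
    status = "BELOW_FLOOR" if any(f[2] == "BELOW_FLOOR" for f in findings) else "OK"
    return status, findings


if __name__ == "__main__":
    for header in SAMPLE_SERVER_HEADERS:
        print(f"{header!r}: {assess_server_header(header)}")
```

A SERVER header is self-reported and trivially forged, so this is an inventory aid for your own equipment, not proof of patch state; a device that reports nothing, or an unlisted stack, belongs in the "UNKNOWN" bucket until its firmware notes say otherwise.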

Router/NAT for Security? (1)

PPH (736903) | about a year ago | (#42738839)

You fool! Anyone who depends on their router for security is an idiot. You assumed that your brand new laptop would be safe when connecting to your home LAN, behind that router? What were you planning on doing when you took it to Starbucks and used their WiFi?

Security needs to be built into each device in the form of a software firewall. Unneeded ports need to be closed, whether you are on a LAN or not. Once this is taken care of, you can assume that your home/office LAN is as hostile as the Internet at large. Which isn't a bad policy, seeing as how many idiots bring infected laptops or free USB drives in to work all the time.
