
Most Home Routers Vulnerable to Flash UPnP Attack

CmdrTaco posted more than 6 years ago | from the oh-this-will-go-well dept.

Security 253

An anonymous reader noted that some folks at GNUCitizen have been researching UPnP vulnerabilities in home routers, and have produced a Flash SWF file capable of opening ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.


Eddie's flash attack in a vulnerable place (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22033864)

Well, step aside my friend
I've been doing it for years
I say, sit on down, open your eyes
And open up your ears

Say
Put a tree in your butt
Put a bumblebee in your butt
Put a clock in your butt
Put a big rock in your butt
Put some fleas in your butt
Start to sneeze in your butt
Put a tin can in your butt
Put a little tiny man in your butt
Put a light in your butt
Make it bright in your butt
Put a TV in your butt
Put me in your butt
Everybody say

I, hey, that's, man, I ain't putting no trees in nobody's butt,
no bees in nobody's butt, putting nothing--
You must be out your mind, man,
y'all get paid for doing this?
Cause y'all gotta get some kind of money
Cause this don't sound like the kind of--
I'd rather golf, to be perfectly honest,
than put somethin in somebody's butt
to be truthful

Well step aside my friend and let me
show you how you do it
When big bad E just rock rock to it

Put a metal case in your butt
Put her face in your butt
Put a frown in your butt
Put a clown in your butt
Sit on down in your butt
Put a boat in your butt
Put a moat in your butt
Put a mink coat in your butt
Put everything in your butt
Just start to sing about your butt
Feels real good

PUT CMDRTACO IN YOUR BUTT (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22034572)

Your Butt ( .*. )
                      /
                    /
                  /
                /
              /
            /
          /
        /
      /
    /
  /
/ :_( CmdrTaco

Nothing new, really (3, Interesting)

Billosaur (927319) | more than 6 years ago | (#22033870)

It all hinges on going to a malicious web site. Just like email trojans, if you resist temptation and use some common sense, do you really have to worry about this?

Re:Nothing new, really (4, Informative)

someone1234 (830754) | more than 6 years ago | (#22033900)

Yes. You may not be sure if a site is malicious or not, without visiting it.
And some sites may become malicious suddenly because of all those syndicated ads around.

Re:Nothing new, really (2, Informative)

lordofwhee (1187719) | more than 6 years ago | (#22034270)

Let's not forget XSS attacks, this is the kind of thing they're perfect for.

Re:Nothing new, really (5, Insightful)

Lumpy (12016) | more than 6 years ago | (#22034394)

Yup, I have seen people's computers infected from msn.com; the banner ads were at one time installing spyware from the default IE home page.

All it takes is to get your nastiness into a bunch of ad rotations from DoubleClick and other scumbag web-ad companies and you can hose a huge swath of the net.

Re:Nothing new, really (5, Informative)

Anonymous Coward | more than 6 years ago | (#22033956)

Well yes. If you never visit a site with adverts. Or the Internet as it's otherwise known. Sure, you can block them (and I do) but sometimes sites switch to new providers and you are vulnerable for the time it takes to update the block file.

I'm not really surprised to be honest - I always thought UPnP looked fishy to me so I disabled it on my router. I don't like the idea that anyone coming to visit can plug in their malware-ridden Windows laptop and reconfigure my router. Sure, having it turned off means X-Box Live is less happy but that only decreases the number of people who can call me "fag" on a daily basis. I wonder if Microsoft will update the X-Box Live support page where they say that UPnP doesn't make your network insecure...

I also have Flash disabled by default because it is well known to be insecure and buggy and a delivery system for malware. Most proper web-browsers either let you enable flash on a per-site basis or will allow you to do so with a plug-in and this is really the way to go.

Re:Nothing new, really (1)

KDR_11k (778916) | more than 6 years ago | (#22034122)

For things like Flash it's easier to maintain a whitelist but I agree with your point, anything that can be loaded automatically by the browser in the default settings is seriously dangerous.

Re:Nothing new, really (0, Troll)

somersault (912633) | more than 6 years ago | (#22034480)

Adblockers ftw!

PS lolfag ;)

Re:Nothing new, really (1, Insightful)

Brian Gordon (987471) | more than 6 years ago | (#22035084)

I agree, UPnP always seemed like a bad idea to me.. it just fills up your network with multicast spam for lazy people who don't want to set up a proper network. Clients should have no control or peer-to-peer interaction.. networking is all about security, and doing everything server-side keeps things secure.

Re:Nothing new, really (4, Insightful)

Nullav (1053766) | more than 6 years ago | (#22035018)

Yes, but the social engineering requirement is more or less gone in this case. It takes substantially less work to convince someone to click a link than to download a file. (Granted, Bonzai Buddy got people by just being a purple ape.)
Why, look no further than the MyMiniCity/Goatse/2girls1cup links being posted here in every thread! At least one person clicks and ends up warning others. (Either by downmodding or posting.) Why, you just need someone who's curious enough to click.

On the other hand, it requires a bit of work to get someone familiar with malware to click on a 'you just won' banner and download the mystery prize. Don't even get me started on random email attachments following nonsense messages.

Just turn UPNP off (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#22033876)

That's what I do.

QuantumG is a fag! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22033878)

You know it's true.

Only a subset of users are vulnerable (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22033886)

The stupid, and niggers. Large overlap there, but most of us should be safe.

arxiv (0)

Anonymous Coward | more than 6 years ago | (#22033894)

I believe there is a paper [arxiv.org] covering this on arxiv.

Turn off UPNP (5, Insightful)

russ1337 (938915) | more than 6 years ago | (#22033908)

I thought the recommended steps for setting up a router were:

A. Unbox
B. Throw away the disk
C. Plug in your machine, Turn on the router and navigate to the webgui
D. Turn off UPNP
E. ??? (Change default name and password, set WPA, Turn off SSID etc....)
F. Profit...

The point is, I'd always been told to turn off UPNP 'cos sooner or later something is going to open ports that you don't know about.

Re:Turn off UPNP (3, Insightful)

Corporate Troll (537873) | more than 6 years ago | (#22034172)

> Change default name and password, set WPA, Turn off SSID etc....

I'm okay with all of that. The only thing I never get is why to turn off the SSID broadcast. If it's well secured, it doesn't matter if they know it's there or not. Besides, I'm pretty sure that just listening to traffic will reveal the presence of a wireless network.

Re:Turn off UPNP (2, Insightful)

EvilRyry (1025309) | more than 6 years ago | (#22034318)

Right. And it's also rather annoying when you do a quick look around to find a vacant channel. "Oh look, no one is on channel 1, let's use that!" Only to find out a short while later that 5 networks are using that channel, but all of them have SSID broadcast disabled.

Anyone who can break into your wifi can probably find your SSID if broadcast is disabled, all you need to do is wait and listen.

Re:Turn off UPNP (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22034392)

I don't get the whole turn off SSID and MAC filtering, change default password crap. More often than not Kismet works out the SSID if hidden, MAC can be spoofed using macchanger, and I usually guess people's passwords or look them up on a list of manufacturer defaults. The alternative is to completely crash a router as it just resets with factory defaults and you can completely take over the router.

Re:Turn off UPNP (2, Insightful)

Tim Browse (9263) | more than 6 years ago | (#22034654)

Er, you 'don't get' the whole 'change default password crap'? Even though you 'usually' look up the password on a 'list of manufacturer default'?

Want to run that by us again? :-)

Re:Turn off UPNP (3, Insightful)

MBGMorden (803437) | more than 6 years ago | (#22034716)

The other funny thing is that he claims to be "completely crashing a router so it resets to factory defaults". Now most of them do that after a firmware update (but you have to already have admin access for that, so no glory there), or if you do a hardware reset, in which case you need physical access to the device. I have NEVER heard of any router that will reboot with factory default settings if it crashes (and believe me, my first D-Link router several years ago crashed on a near daily basis - the poor little processor inside of it couldn't keep up with the number of connections my P2P software was making).

WHERE $money; PUT $mouth (3, Interesting)

ronadams (987516) | more than 6 years ago | (#22034848)

> I don't get the whole turn off SSID and MAC filtering, change default password crap. More often than not Kismet works out the SSID if hidden, MAC can be spoofed using macchanger, and I usually guess people's passwords or look them up on a list of manufacturer defaults. The alternative is to completely crash a router as it just resets with factory defaults and you can completely take over the router.

I live in Cincinnati, Ohio. You come (wirelessly) break into my router, change the current settings by opening port 1337, and I'll refund the cost of your travel (as determined by hotwire or expedia's fare rates on the day of your travel), and pay you $100 additional, all in cash on the same day.

It's a SOHO router, but I won't tell you what make/model -- if your prowess is as you claim, you should have no trouble determining that. You may not enter the apartment or inspect any systems currently connected -- but you shouldn't need to. I have no other firewalls, proxy servers, or tricks on the front end of this router -- it's straight from modem to unit. You may have 48 consecutive hours to complete the task.

Still confident? Email me at radams theatsign tohuw.net and make arrangements.

Re:Turn off UPNP (5, Informative)

Z-MaxX (712880) | more than 6 years ago | (#22034184)

> I thought the recommended steps for setting up a router were:
> ... D. Turn off UPNP

I guess that is the wise choice. But UPnP is very handy for me because my home machines always get different IPs from my router, so if I want to port-forward BitTorrent ports to my laptop, desktop, etc., I have to go in and change the port-forwarding config on the router every time I get assigned a new IP. Big PITA. But then I discovered how Azureus can use UPnP to automagically forward the ports for me on the fly. It seems to work fine. Too bad it's a security risk.

Re:Turn off UPNP (5, Informative)

FlashBIOS (665492) | more than 6 years ago | (#22034252)

See if your router supports port triggering [wikipedia.org] or look for that feature in your next router. It is a way to automate port forwarding, and would help you in your setup without being the security risk UPnP is.

Re:Turn off UPNP (1)

bjackson1 (953136) | more than 6 years ago | (#22034310)

You could just do DHCP reservations.

Re:Turn off UPNP (5, Informative)

pipatron (966506) | more than 6 years ago | (#22034360)

Configure your DHCP server (your router in this case) to always give the same IP to the machines that you run server software on. It's trivial, really.

Re:Turn off UPNP (1)

mzs (595629) | more than 6 years ago | (#22034838)

Or just give them static IPs. You can have the rest via DHCP for convenience even if the IP is fixed.

Re:Turn off UPNP (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#22034914)

Using true static IPs is much less convenient than configuring a dhcp server to dole them out. One problem is moving a machine (like a laptop or lan-party gaming computer) between networks -- static IPs can make things sticky.

Re:Turn off UPNP (2, Informative)

morgan_greywolf (835522) | more than 6 years ago | (#22034884)

You're right, but many routers do NOT support this feature out-of-the-box, the most notable of these being the WRT54G.

Personally, I just run a standard ISC DHCP daemon on one of my boxes and then configure it to dole out addresses to machines that need 'static' IPs for server functionality. I also have a dynamic port range for other boxes and devices that can change without any adverse effects.

On a Linux machine (currently there are packages for Ubuntu, Debian and Fedora, plus some others), this can be made easy by the use of the gadmintools' ghdpcd [85.214.17.244].
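The setup described in this post and the two replies above it (a DHCP server that always hands the same address to the machines running server software, with a dynamic pool for everything else) looks like the following in ISC dhcpd syntax. This is an added example, not the poster's own configuration: the 192.168.1.0/24 range, the pool bounds and the MAC addresses are constructed placeholders. Once the server machines have fixed addresses, ordinary static port-forwarding rules on the router point at them and UPnP can stay off.

```conf
# Added example dhcpd.conf for a home LAN (assumed 192.168.1.0/24).
# MAC addresses below are constructed placeholders, not real hardware.
subnet 192.168.1.0 netmask 255.255.255.0 {
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  # Dynamic pool for laptops, consoles and guests; these may move freely.
  range 192.168.1.100 192.168.1.199;
  default-lease-time 86400;
  max-lease-time 172800;
}

# Fixed addresses for machines that host services and need stable
# port-forwarding rules on the router. Keep them outside the dynamic range.
host desktop {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.1.10;
}
host laptop {
  hardware ethernet 00:11:22:33:44:66;
  fixed-address 192.168.1.11;
}
```

Because the fixed addresses are still delivered by DHCP, the laptop keeps working unchanged on other networks, which is the objection raised against true static addressing further up the thread.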

Re:Turn off UPNP (1)

MMC Monster (602931) | more than 6 years ago | (#22035212)

If your router doesn't support this feature, you may want to consider changing the firmware of the router.

I am using DD-WRT (http://www.dd-wrt.com/wiki/index.php/Main_Page), and it's much more functional than the original firmware of my linksys WRT-54GL router. It's also rock stable, once it's installed (Just follow the installation directions closely).

FIXED IP address (1)

baomike (143457) | more than 6 years ago | (#22034892)

now there is a heretical thought.

Re:Turn off UPNP (5, Informative)

yuna49 (905461) | more than 6 years ago | (#22034218)

BitTorrent users often use uPNP to punch a hole through the router for torrents. Many torrenting "how-tos" specify using uPNP for this purpose, and it's commonly enabled in many BT clients like Azureus and uTorrent. For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

Re:Turn off UPNP (5, Funny)

binaryspiral (784263) | more than 6 years ago | (#22034698)

> For most of these people, uPNP is a godsend since it eliminates the need to mess around with portforwarding in the router configuration.

If uPNP is a godsend to those people... they need to get a better God.

Re:Turn off UPNP (1)

mzs (595629) | more than 6 years ago | (#22034776)

I just have two ports open for this. You only need it for the initial incoming connection. I only had to do it once.

Re:Turn off UPNP (2, Informative)

ookabooka (731013) | more than 6 years ago | (#22034792)

Agreed. I'm sure there are even games that support uPnP so when you host a game, the appropriate port is automatically forwarded. IMO, if you keep a tidy computer network with virus scanners on your computers and scan for malware, then it's not much of an issue. It's still better than hooking up your computer directly to the internet and having Windows services exposed. You have to compromise the computer before you can use UPnP to allow the attacker in anyways. What's so bad about having a lock that's easy to disable from the inside? It basically comes down to ease of use versus security. I happen to think the benefits of having programs being able to quickly do port forwarding themselves so I don't have to outweigh the possibility that someone can use the same ability to make a trojan work because I feel I am relatively safe (I'm not an idiot and acknowledge nothing is 100% foolproof) against such security breaches.

Re:Turn off UPNP (0, Offtopic)

KiloByte (825081) | more than 6 years ago | (#22034926)

But with your computer having 1e38 fans noisily buzzing around when you sleep, and guzzling power like American cars guzzle gas, why would you even bother running torrents on your personal machine? It's so much more efficient to do that on the damn router itself.

Re:Turn off UPNP (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22034972)

Yes, but the fact it's convenient doesn't change the fact that UPnP is a fundamentally stupid and broken protocol. Exploiting it is NOT a new phenomenon, it's been going on since it was introduced. If a LAN client wants to open a port then fine, but they should have to authenticate and supply a password ... preferably a unique one written on the bottom of the router WPA-PSK style, rather than "admin" or "linksys" ...

Re:Turn off UPNP (1)

SpacePirate20X6 (935718) | more than 6 years ago | (#22035182)

Perhaps it is a good thing, then, that there is some technical barrier required in order to use something. If you want it that bad, maybe you should work for it.

Re:Turn off UPNP (1)

Firehed (942385) | more than 6 years ago | (#22034632)

Like so many things, UPNP is a tradeoff between security and convenience. Want a stronger password? You have to type in an annoying password every time you want to do anything. Want secure WiFi? Then make sure you write down your 64+character alphanumeric nonsense passphrase and be sure to add your MAC address into the allowed users table, after going through a second insane password to hit your router's config panel. Want to lower the risk of a break-in? Then set or open both a lock and deadbolt every time you pass through the door.

In the case of UPNP, I go for convenience. I know the risks, but I also know enough about how to avoid this that the convenience is worth the risk for me.

Re:Turn off UPNP (1)

Tony Hoyle (11698) | more than 6 years ago | (#22034728)

UPNP can be blown wide open with a well-crafted Perl script. It has zero authentication and most implementations even allow portforwarding to machines outside the LAN.

Basically if you're going to enable UPNP you might as well disable all your other security as well in the name of convenience.

Re:Turn off UPNP (1)

Joe The Dragon (967727) | more than 6 years ago | (#22034756)

You forgot one big step: UPDATE the firmware.

Re:Turn off UPNP (1)

mweather (1089505) | more than 6 years ago | (#22034828)

You forgot the part about installing a dedicated firewall.

Turn off UPNP (1)

mdboyd (969169) | more than 6 years ago | (#22033910)

FTA:

> The only way to protect yourself is to turn off UPnP.

If you don't need UPnP, that should prevent you from being vulnerable. I'd imagine that most people don't really need it.

Irresponsible web developers & bad firmware (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22033912)

that equals problems.

(Also, niggers equal problems.)

Open WiFi + this = trouble? (3, Insightful)

eknagy (1056622) | more than 6 years ago | (#22033914)

This will take an old-new argument to "to free or not to free my wifi" questions.

Re:Open WiFi + this = trouble? (1)

slim (1652) | more than 6 years ago | (#22034436)

> This will take an old-new argument to "to free or not to free my wifi" questions.

If you're talking about the recent Schneier stuff, then part of the rationale for running unauthenticated WiFi is that the hosts inside the network are hardened. Hence, assuming no mistakes in the host hardening, you could have no firewalling whatsoever on the router, and you'd still be safe.

Re:Open WiFi + this = trouble? (2, Insightful)

wbren (682133) | more than 6 years ago | (#22034600)

From the article's comments:

> The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.

The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing attacks succeed, this seems like a legitimate threat. Notice that in this case the clients could be as hardened as can be, and they would still (unless a static DNS was manually entered) use the DNS server provided by the compromised router.

Re:Open WiFi + this = trouble? (1)

slim (1652) | more than 6 years ago | (#22034744)

From the article's comments:

> The portforwarding rule attack was given as an example as this is probably one of the things that cannot be used right away by script kiddies and it is sufficient enough to prove a point.
> The fact that ports can be forwarded to a given host is not the real point of this article. More serious would be someone resetting the admin password, allowing the attacker to do things like set the DHCP-assigned primary DNS server to a malicious one, just as an example. Given how often phishing attacks succeed, this seems like a legitimate threat. Notice that in this case the clients could be as hardened as can be, and they would still (unless a static DNS was manually entered) use the DNS server provided by the compromised router.

Hmm, but UPnP is special, in that it does quite serious things at the behest of unauthenticated requests, by design. Let's repeat that -- this isn't a 'bug' on the routers. UPnP is /designed/ to forward ports when it gets a request from inside the network, no questions asked.

Whereas, you do need at least a password (or a more esoteric vulnerability than UPnP; one that won't be as homogenous across various brands of router) to actually compromise the router in ways such as you describe.

Re:Open WiFi + this = trouble? (2, Informative)

wbren (682133) | more than 6 years ago | (#22034526)

Open WiFi access points are a security nightmare regardless of exploits like this, so the same basic advice still holds: open WiFi access points should be isolated from your "trusted" network. Security vulnerabilities aside, open access points are a legal nightmare waiting to happen (child pornography, phishers, DDoS attacks, intrusion, etc.) In other words, avoid them. Regarding your specific question about this UPnP exploit and open APs, the open AP could be potentially used as a phishing goldmine, especially in high-traffic areas. Since the exploit is not limited to port forwarding (in fact almost anything could be done to the router's configuration), users could potentially be tricked into doing all sorts of things (via DNS spoofs, packet manipulation, etc.) The only difference in the case of an open AP is the scope of the damage, as more users will likely connect to an open vs. closed network. Obviously that attack really only makes sense for non-encrypted sites, since this is exactly the type of thing SSL is designed to prevent.

Re:Open WiFi + this = trouble? (1)

slim (1652) | more than 6 years ago | (#22034896)

> Security vulnerabilities aside, open access points are a legal nightmare waiting to happen (child pornography, phishers, DDoS attacks, intrusion, etc.)

You've either missed the recent debate, or missed its point. The argument goes:

- If someone uses your open access point for nefarious means, you have a defence -- "But anyone could have done that".
- If someone uses your 'secured' access point for nefarious means, your defence requires a jury to understand the ease with which (say) WEP can be cracked.

And the likelihood of spammers, DDoSers, phishers etc. using your WiFi connection rather than their massive botnet is negligible.

Just repeating the argument. FWIW my own access point is secured with 64 bit WEP, which I suppose is worst of both worlds. But it keeps my bandwidth available for myself, and uses a short passphrase I can remember.

Re:Open WiFi + this = trouble? (0)

Anonymous Coward | more than 6 years ago | (#22035122)

No, not insightful. This attack is a so-called "reflection" attack, because an inside host reflects an attack which originates on the outside network to the target host. It exploits that the inside network is seen as a "trusted" network. Most wireless routers bridge the wireless network and the inside network, so an attacker who uses the wireless network is already on the inside and doesn't need to use reflection at all. Similarly it would be pointless for him to use UPnP to open inbound ports, because he already has access to the inside network. Operating an open access point requires either additional network equipment, advanced router configuration or hardened computers. If you apply none of those methods, this attack doesn't make things worse. If you do use these methods, this attack doesn't work.

DD-WRT? (0)

Anonymous Coward | more than 6 years ago | (#22033952)

Is it only the factory firmware that's vulnerable or are you safe if you flash to one of the open-source hacks?

Re:DD-WRT? (1)

Minwee (522556) | more than 6 years ago | (#22034182)

That depends. Did you install UPnP [dd-wrt.com] , presumably because you want random ports to open up on your DD-WRT router without your consent?

If not then you're probably quite safe from UPnP based attacks.

Re:DD-WRT? (5, Informative)

jrumney (197329) | more than 6 years ago | (#22034272)

If the firmware has UPnP IGD enabled, then your machine is vulnerable to this attack.

The vulnerability is really Flash not restricting what untrusted scripts can do. The router's UPnP IGD profile is working as designed - an application on a machine within the firewall requests that an incoming port be forwarded, so the router does that. This is useful for VoIP, IM, P2P and other applications that need to be contactable from the outside world. Malicious programs that are running on your machine can always initiate outgoing connections, so generally the UPnP IGD is not allowing anything that cannot already be done. In the case of Flash, it is probably blocking most outgoing connections, so UPnP does expand the possibilities for a malicious Flash app to initiate connections with your machine. But unless Flash also allows you to open server sockets, the attacker would also need to find an exploitable service running on your machine.

All this should be detectable by a decent firewall program running on your local machine.

Questions about Wireless Router Security (1)

NetSettler (460623) | more than 6 years ago | (#22034872)

> The vulnerability is really Flash not restricting what untrusted scripts can do. [...] UPnP does expand the possibilities for a malicious Flash app to initiate connections with your machine. But unless Flash also allows you to open server sockets, the attacker would also need to find an exploitable service running on your machine.

Excuse my ignorance/confusion, but... I'm not up on the details of either Flash or UPnP, and yet I still need to understand this better and so I have a few questions.

  1. The Flash being discussed is the Flash player for a browser, right? (Not some sort of Flash related to flash memory and the BIOS and/or USB Flash drives? And the Flash issue is not in the router?)

  2. Why is there a difference between the Flash vulnerability in different browsers? What's the basis of the protection? Is it because the player binaries differ between browsers, or because the security model of the browsers differs, or what?

  3. If a Flash player is running malware already, why does it care any longer about the router? Isn't it already in my machine, and hence inside my network? And can't it generally get out quite easily with whatever data it finds without further problem? Or is there some security model limiting the actions of the Flash player to only certain operations?

    Is it forbidden from writing files, particularly executable files? I assume a virus utility would notice this, but maybe since it's a trusted plug-in, it wouldn't?

  4. If it can access web pages, isn't there also a potential vulnerability in that many routers are configurable from inside the firewall over the network? In that case, couldn't it re-enable UPnP itself? (Even if it was forbidden to read files from the disk and access the net, couldn't it just do the web page modification and then wait for a later copy of itself to arrive on a separate occasion to exploit the previously and silently opened hole?) If that can happen at all, will having a decent password for one's firewall reduce this risk? (Even though I have WPA-PSK enabled and a pretty long password, internal connections to a router over a secure connection seem like they're going to succeed because of the PSK, leaving the router's admin password the only thing in the way... or is there some other fortunate barrier?) Do routers tend to protect themselves from internal exhaustive or dictionary attacks? Would a virus protection tool notice this, or would it just think it normal that a browser was opening lots of web pages? In other words, do I need to switch my router to be configurable only over a serial link? (Even if I did, would I be vulnerable while the serial line was connected?)

If there's just a FAQ with answers to questions like these, please point me to it. I read the article, but it was pretty thick with device and protocol and program-specific jargon that even a technical person might not understand, depending on their areas of expertise.

Re:Questions about Wireless Router Security (4, Informative)

Tony Hoyle (11698) | more than 6 years ago | (#22035056)

If a flash plugin can make outgoing XML requests it can persuade a upnp server to make your machine wide open, thus completely disabling your firewall. Making those kind of requests sounds like the kind of thing you want Flash to do, so I'd imagine all versions are vulnerable.

There are some ports.. 137,139,445,etc. that you really don't want on the open internet. If the plugin does something like a port forward of 0-65535 to your machine suddenly *every* service on there is wide open to any attack. It'll bypass protections from e.g. the default XP firewall as the packets will appear to be coming from the local LAN (the router) rather than the original source.

It's not just flash (although a malicious advert on a page is the most obvious vector for this). Anything that runs on your machine can do it.. I reckon you could craft such an attack in javascript even (XMLHttpRequest with the right code).

Once the ports are open anything that manages to run on your machine can leave itself wide open without having to make telltale outgoing port connections (although it's often said that outgoing connections are the reason upnp is 'not worse' than existing protections, no working trojan would work in that manner, since the target of the outgoing connection would quickly be found and shut down.. OTOH leaving a trojan on your machine listening on your machine waiting for the command to send spam/infect others/distribute child porn/whatever is much more real a threat).
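jrumney's post above describes the IGD AddPortMapping request doing exactly what it was designed to do, and this post names the mappings that matter most: ones that land on Windows file-sharing ports, or that forward wholesale. Those requests travel over the LAN in plain SOAP, so a LAN-side monitor (or the router's own log) can audit them. The following is an added example, not code from the thread or from GNUCitizen: it parses IGD `AddPortMapping` SOAP bodies and flags mappings whose internal client lies outside the LAN (the case Tony Hoyle raises earlier in the thread), whose target port is a NetBIOS/SMB/RPC/RDP port, or that arrive in bulk. The LAN range, the sensitive-port set, the bulk threshold and the sample requests are all assumptions made for the example; the SOAP element names are the standard WANIPConnection:1 argument names.

```python
"""Audit UPnP IGD AddPortMapping requests seen on the LAN (defender side).

Added example. Assumptions, not from the thread: the home LAN is
192.168.1.0/24, the router speaks WANIPConnection:1, and SAMPLE_REQUESTS are
constructed stand-ins for requests captured on the LAN.
"""
import ipaddress
import xml.etree.ElementTree as ET

NS_UPNP = "urn:schemas-upnp-org:service:WANIPConnection:1"
LAN = ipaddress.ip_network("192.168.1.0/24")        # assumed home LAN
SENSITIVE_PORTS = {135, 137, 138, 139, 445, 3389}   # RPC/NetBIOS/SMB/RDP
BULK_THRESHOLD = 20                                 # mappings per client per batch


def parse_add_port_mapping(soap_xml):
    """Return the AddPortMapping arguments as a dict, or None for other actions."""
    root = ET.fromstring(soap_xml)
    action = root.find(f".//{{{NS_UPNP}}}AddPortMapping")
    if action is None:
        return None
    # Argument elements are unqualified in UPnP SOAP, so child.tag is the name.
    return {child.tag: (child.text or "").strip() for child in action}


def audit_mapping(m, lan=LAN):
    """Reasons one mapping deserves attention; an empty list means benign."""
    reasons = []
    try:
        client = ipaddress.ip_address(m["NewInternalClient"])
        if client not in lan:
            reasons.append(f"internal client {client} is outside the LAN {lan}")
    except (KeyError, ValueError):
        reasons.append("internal client address missing or unparseable")
    try:
        internal_port = int(m.get("NewInternalPort", ""))
    except ValueError:
        internal_port = None
        reasons.append("internal port missing or unparseable")
    if internal_port in SENSITIVE_PORTS:
        reasons.append(f"exposes sensitive service port {internal_port}")
    return reasons


def audit_requests(soap_bodies, lan=LAN, bulk_threshold=BULK_THRESHOLD):
    """Audit a batch of SOAP bodies; returns one finding per suspicious item."""
    findings = []
    per_client = {}
    for body in soap_bodies:
        m = parse_add_port_mapping(body)
        if m is None:
            continue
        client = m.get("NewInternalClient", "?")
        per_client[client] = per_client.get(client, 0) + 1
        reasons = audit_mapping(m, lan)
        if reasons:
            findings.append({"external_port": m.get("NewExternalPort"),
                             "internal_client": client, "reasons": reasons})
    # Many mappings to one host in a single batch approximates the
    # "forward everything to my machine" case described in the thread.
    for client, count in per_client.items():
        if count >= bulk_threshold:
            findings.append({"external_port": None, "internal_client": client,
                             "reasons": [f"bulk forwarding: {count} mappings in one batch"]})
    return findings


def _sample_request(ext_port, proto, int_port, client, description):
    """Constructed SOAP body in the standard IGD AddPortMapping shape (test data)."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:AddPortMapping xmlns:u="{NS_UPNP}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{description}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""


SAMPLE_REQUESTS = [  # constructed samples, not captured traffic
    _sample_request(6881, "TCP", 6881, "192.168.1.20", "BitTorrent"),  # benign
    _sample_request(445, "TCP", 445, "192.168.1.20", "Windows"),       # SMB exposed
    _sample_request(8080, "TCP", 8080, "203.0.113.5", "proxy"),        # outside LAN
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        print(f"ext {f['external_port']} -> {f['internal_client']}: {'; '.join(f['reasons'])}")
```

Run against the three constructed requests, the BitTorrent mapping passes and the other two are reported, one for the SMB port and one for the off-LAN client. The parser ignores actions other than `AddPortMapping`, so the same loop can be fed every SOAP POST seen on the router's control URL without special-casing.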

Mozillazine forums had this two years ago (2, Interesting)

dotancohen (1015143) | more than 6 years ago | (#22033954)

There was a thread on the Mozillazine forums [mozillazine.org] about malicious JavaScript changing router settings about two years ago. Unfortunately, in October Mozillazine had a big foulup and many threads (and users, me included) were lost [mozillazine.org] . I cannot find the thread now, but if I do I'll post back with a[n] URL. The thread's conclusion was that one should never leave the default password on the router.

Them forums produce genii (1)

DrSkwid (118965) | more than 6 years ago | (#22034284)

> The thread's conclusion was that one should never leave the default password on the router.

well, duh! Surely you didn't need the backup losers of Mozillazine to work that out!?

Re:Them forums produce genii (0)

Anonymous Coward | more than 6 years ago | (#22034608)

>backup losers

OK, I'll bite - WTF is a "backup loser"?

If there's one thing I hate more than an 0wned box (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22033958)

it's a big-lipped, filthy nigger. FUCK YOU.

Re:If there's one thing I hate more than an 0wned (-1, Offtopic)

DrSkwid (118965) | more than 6 years ago | (#22034056)

what about big-lipped, freshly showered nigger ?

and are medium-lipped, filthy niggers ok ?

I'm confused, your prejudice seems overly specific.

Re:If there's one thing I hate more than an 0wned (1)

theskipper (461997) | more than 6 years ago | (#22035098)

Way OT:

There seems to be a lot more racist AC posts lately. Wondering if the ulterior motive is to suck up mod points and basically dilute the moderation system?

Also, isn't this one word, along with a regexp of it, that should trigger a longer than usual time-out before AC submission? It would avoid censorship since the post would still submit, just severely speedbumped. It's used so infrequently that if someone decides to use it in a "valid" post, the delay would be a minor inconvenience. For trolls creating throwaway accounts, the IP/username association slows them down anyway.

Of course the slippery slope is doing the same for myminicity, goatse links...

It can't be stressed enough... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22033968)

niggers are filthy and they suck.

RON PAUL '08

Just takes a bit of common sense (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22033982)

Unless you're a huge nigger I don't see any cause for concern.

My Home router is a Linux NAT Box. (2, Interesting)

Zombie Ryushu (803103) | more than 6 years ago | (#22033994)

My home router is a Linux NAT server. (I sorta have a pissant about the fact that those things get to be called "Routers". I have a DI-704, and I couldn't get it to route between two actual subnets. It would only NAT.)

Anyway, my point. What about things like the Linksys WRT54GL?

The thing is, it would be awesome if there was a cheap flash-drive-driven Linux device with a Cisco-style com port that ran off flash and could be an OpenLDAP server, Samba DC, Kerberos KDC, NAT server, or actual router, WITH a Cisco-style console port. Why does this not exist??

Re:My Home router is a Linux NAT Box. (0)

Anonymous Coward | more than 6 years ago | (#22034042)

The standard answer from the open-source community will likely be "write it yourself if you want it so bad." Whether that's a good or bad thing is entirely up to you.

Your point ? (1)

DrSkwid (118965) | more than 6 years ago | (#22034186)

Your point seems to be a question.

Anyhoo, there's nothing uber special about Flash, you can just put a CF/SD card in an IDE/SATA adapter and attach it to a suitable computer, such as one of the fanless EPIAs [mini-itx.com] , that one even has dual gige.

Re:My Home router is a Linux NAT Box. (2, Informative)

Anonymous Coward | more than 6 years ago | (#22034372)

The WRT54g can have a serial port hacked into it [rwhitby.net] for configuration. It's a fairly simple job if you have a soldering pencil around. They can also mount a SMB file system on boot [dd-wrt.com] so you can run whatever you want on the device. This filesystem can contain a shell script to be executed, allowing you to set up whatever you'd like to run at boot on the router.

Let me be the first... (2, Informative)

sticks_us (150624) | more than 6 years ago | (#22034012)

...in this thread anyway, to recommend the flashblock plugin [mozdev.org] .

I installed it a couple of weeks ago, and really enjoy it. Banner ads have all but disappeared, and I don't even really notice (except for faster page loads and cleaner page layouts). If I want to see a YouTube video, that's easily accomplished--just click on the "F" icon in the blocked section of the page.

As an added bonus, I'm protected from all of these recent security breaches we've seen for Flash...aren't I?

Re:Let me be the first... (1)

Aladrin (926209) | more than 6 years ago | (#22034070)

Great idea because IE runs Firefox plugins SO well.

Firefox isn't vulnerable to this in the first place, so your advice means nothing here.

Re:Let me be the first... (1)

sticks_us (150624) | more than 6 years ago | (#22034204)

Firefox isn't vulnerable? Maybe I missed something. TFA says different:


This may make the attack fail if you use Firefox, Opera or Safari and the attacked router or UPnP device is picky about CR and CRLF line endings. Earlier Flash versions do not have this problem/bug.


It looks like you're safe *if* the router or UPnP device is picky about CR/CRLF line endings.

It also looks like you're safe UNLESS you're using an "earlier flash version."

Re:Let me be the first... (2, Funny)

TheCRAIGGERS (909877) | more than 6 years ago | (#22034334)

Firefox is safe anyway, for the time being.

Still, NoFlash... NoScript... soon I'll have to install NoImage and NoCSS. I guess it's time to go back to Gopher.

UPnP (1)

Wiseman1024 (993899) | more than 6 years ago | (#22034022)

Like all "automagic" bullshit for lusers, whatcouldpossiblygowrong

Browsers (4, Informative)

JackSpratts (660957) | more than 6 years ago | (#22034036)

As usual, Opera is resistant.

Re:Browsers (1)

aerthling (796790) | more than 6 years ago | (#22034346)

I only skimmed the article, but I'm pretty sure it said the attack failed in Firefox, Opera, etc. because of a flaw in the Flash plugin, not because those browsers are more secure.

Re:Browsers (0)

Anonymous Coward | more than 6 years ago | (#22034982)

Probably because it's not popular enough to be specifically targeted.

As usual.

Truth hurts doesn't it? Incidentally, since Firefox actually has extension support and a wide community following creating great utilities, I wasn't vulnerable to this problem even with Flash enabled. As usual.

I use Opera. (1)

Apoorv (1019864) | more than 6 years ago | (#22034044)

Opera users are safe too.

Open open... (5, Funny)

ElGanzoLoco (642888) | more than 6 years ago | (#22034046)

[...] a flash swf file capable of opening open ports into your network [...]

Hold on, now I'm confused: does this attack open open ports, or does it open ports open? Or even worse, does it open open open ports? :D

Re:Open open... (1)

wbren (682133) | more than 6 years ago | (#22034784)

It opens ports on your router that are open on your computer. The ports are clearly already open, but they need to be opened again by the router. For example, my local Wal-Mart* is open in that it isn't "out of business", but it must be opened every morning (and "closed" into its original open state every night) anyway, so people can walk in and buy stuff. So in that regard, my local Wal-Mart* was opened twice, just like opening open ports. It's all very complicated, having to do with the lowest levels of TCP/IP, kernel code, and lasers. Yes, lasers.

Or maybe it was just a typo :-)

*Excludes 24-hour locations.

Re:Open open... (1)

Tony Hoyle (11698) | more than 6 years ago | (#22034808)

I presume it means that it allows open ports (on the LAN) to be seen by everyone (on the WAN).

In some UPnP implementations it's been shown that you can even do it the other way around: do things like forward port 80 outgoing to $hackers_proxy.

UPnP is kinda useless anyway. Nothing that can't be done more safely and with more control by static DHCP and standard port forwarding (or, better, getting multiple IP addresses from your ISP).

most homes/owners vulnerable to nazi FraUD (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22034108)

as we become unwitting or unwilling hostages of/or cheerleaders for, yOUR fearful 'leaders' the georgewellian wolfowitz plan to conquer the world or nuke it doesn't make any sense either. let yOUR conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.yahoo.com/s/ap/20071229/ap_on_sc/ye_climate_records;_ylt=A0WTcVgednZHP2gB9wms0NUE [yahoo.com]
http://news.yahoo.com/s/afp/20080108/ts_alt_afp/ushealthfrancemortality;_ylt=A9G_RngbRIVHsYAAfCas0NUE [yahoo.com]
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A [nytimes.com]

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://video.google.com/videosearch?hl=en&q=video+cloud+spraying [google.com]

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html [cnn.com]

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html [cnn.com]

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html [cnn.com]

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece [timesonline.co.uk]
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece [timesonline.co.uk]

Don't try this at home (1)

spleen_blender (949762) | more than 6 years ago | (#22034116)

I've always wondered about using StumbleUpon as a distribution method. I wonder if it is possible in such an exploit to somehow force your profile to Thumbs Up the infected page, making it spread at a maximum exponential rate, since the rating system would only have to be vulnerable on the client side, I imagine.

My larger point though is that in a web where the actual URL of content is becoming more and more meaningless as meta sites start to coagulate content around them, what do users on the client side have to be able to combat such tactics? Is it reasonable to expect some sort of server-side content awareness for such content-sharing sites? A pruning mechanism of sorts seems like a necessity if you wouldn't want to contribute to the threat.

What about the Wii browser (1)

techpawn (969834) | more than 6 years ago | (#22034148)

It's the Opera browser that runs an OLD version of Flash on a wireless network. I mean, do we need to worry about this when we go to the wrong site from our Nintendo? I hear they update it from the Connect24 but not that often...

Turn off UPnP! (4, Insightful)

ledow (319597) | more than 6 years ago | (#22034152)

Turn off UPnP! Why on Earth do you want it on anyway? That's the problem here - an XSS is one matter, although being able to send SOAP-style requests across your local network is a major concern. But having a router that automatically opens ports based on virtually zero authentication? A nightmare waiting to happen.

Never used it. Never wanted it. Never turned it on. Always turned it off on EVERYTHING. UPnP is the problem here - a simple (unauthenticated) HTTP-style page requested in a browser suddenly starts opening ports to your network. It should not happen. Even my DSL router/wireless router/Linux router has SSL only, passworded access to do anything even approaching opening ports. And if a webpage pops up with an authentication dialog with the header "Wireless Router" and you type in your password, then you're a fool, unless you specifically requested the router's configuration page.

There's rarely even a log of what UPnP has done - which ports it's opened in the past etc. for whom.

Just turn the damn thing off. It's too dangerous.
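As an added, defender-side example (not code from this thread or from the GNU Citizen research), tying together the SOAP-over-HTTP requests described in the comments above and the point that routers rarely log what UPnP has opened: a small Python audit that asks the gateway's WANIPConnection service for each current port mapping and flags the NetBIOS/SMB-style ports singled out earlier. The control URL, the RISKY_PORTS set and the two sample responses are assumptions or constructed data, not taken from any specific router.

```python
# Read-only audit of a UPnP IGD's port mappings (added example; constructed samples below).
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
RISKY_PORTS = {135, 137, 138, 139, 445, 3389}  # NetBIOS/SMB, RPC, RDP (assumed list)

def build_get_mapping_request(index):
    """SOAP body asking for the index-th mapping (the IGD faults with 713 past the last)."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>").encode()

def parse_mapping_response(xml_text):
    """Return one mapping as a dict, or None when the body carries a SOAP Fault."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    resp = body.find(f"{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    f = {c.tag: (c.text or "") for c in resp}  # argument tags are unqualified
    return {"external_port": int(f["NewExternalPort"]),
            "protocol": f["NewProtocol"],
            "internal_port": int(f["NewInternalPort"]),
            "internal_client": f["NewInternalClient"],
            "enabled": f.get("NewEnabled") == "1",
            "description": f.get("NewPortMappingDescription", "")}

def enumerate_mappings(send, limit=256):
    """Walk indices 0..limit-1 until the device reports no more entries."""
    found = []
    for index in range(limit):
        entry = parse_mapping_response(send(index))
        if entry is None:
            break
        found.append(entry)
    return found

def flag_risky(mappings):
    """Mappings that expose one of the ports the thread warns about."""
    return [m for m in mappings
            if m["external_port"] in RISKY_PORTS or m["internal_port"] in RISKY_PORTS]

def soap_sender(control_url):
    """send(index) for a real IGD control URL (found in its device description XML)."""
    def send(index):
        req = urllib.request.Request(control_url, data=build_get_mapping_request(index))
        req.add_header("Content-Type", 'text/xml; charset="utf-8"')
        req.add_header("SOAPAction", f'"{SERVICE}#GetGenericPortMappingEntry"')
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as err:  # IGDs send SOAP faults as HTTP 500
            return err.read().decode()
    return send

# Constructed sample traffic standing in for a device that holds one mapping.
SAMPLE_RESPONSE = (
    f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>445</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>445</NewInternalPort>"
    "<NewInternalClient>192.168.1.10</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>sample</NewPortMappingDescription>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")
SAMPLE_FAULT = (
    f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    "<errorCode>713</errorCode></UPnPError></detail></s:Fault></s:Body></s:Envelope>")

def sample_send(index):  # constructed transport: one mapping, then the end-of-list fault
    return SAMPLE_RESPONSE if index == 0 else SAMPLE_FAULT
```

Against a real gateway, `flag_risky(enumerate_mappings(soap_sender(control_url)))` with the control URL taken from the device description does the same walk; a gateway that lists nothing after UPnP is disabled is the result you want.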

Re:Turn off UPnP! (5, Insightful)

slim (1652) | more than 6 years ago | (#22034304)

The thing is, it's just so damn useful. For a TCP/IP savvy person, setting up, say, a Bittorrent client, or Xbox Live online play without UPnP is a chore. For normal people, it's voodoo. With UPnP (and the right client) it Just Works. Convenient or secure... guess what most people will choose?

But, agreed, it's scary stuff, if you believe your router ought to be a firewall. What's really needed is for home routers to start implementing authenticated UPnP, and for clients to work with it. (I must admit I've only glanced at the UPnP specs, but I seem to recall seeing references to an authenticated flavour).

Re:Turn off UPnP! (1)

wwahammy (765566) | more than 6 years ago | (#22034648)

I know Microsoft is implementing a new standard to supersede UPnP in part due to the lack of security. Whether this new standard achieves that though is another issue entirely.

Re:Turn off UPnP! (1)

Tony Hoyle (11698) | more than 6 years ago | (#22034844)

Xbox Live works fine without any port forwarding at all.

Any half-decent bittorrent client works off a single port and can be set up in minutes.

What is this 'chore' you're on about? I've known virtual newbies to do it without prompting.

Re:Turn off UPnP! (1)

wwahammy (765566) | more than 6 years ago | (#22034730)

It's not as secure as needed, that is without doubt. But I get tired of trying to figure out the port forwarding needed for various programs. Sometimes you want it to just work and UPnP when implemented accomplishes that goal.

An argument could be made that UPnP is more secure in that it only opens ports while a program uses them (provided the program is coded right), not all the time as most people would have done had they needed to open the ports manually. That doesn't negate the vulnerabilities in the system, but it's a different way of looking at it.

Because it breaks everything (0)

Anonymous Coward | more than 6 years ago | (#22034796)

Why on Earth do you want it on anyway?

Because very few people are using IPv6, and IPv4+NAT breaks a lot of protocols that depend on the computer being available to the outside world. No, static port forwarding doesn't solve the issue, as it's a pain to set up/maintain if you have multiple computers.

comment filtering (0, Offtopic)

howlingmadhowie (943150) | more than 6 years ago | (#22034166)

I know it would be a dangerous precedent, but could it be possible to block all comments which contain the word 'nigger'? It's really been getting out of hand in the last few weeks and is costing a lot of mod points.

Re:comment filtering (0)

Anonymous Coward | more than 6 years ago | (#22034314)

Instead of dropping the entire comment, why not substitute some other word or phrase? It could become something nonsensical (like making it "boobies" or "smurf") or switched around (like making it "skin-head" or "bigot"). It could make a hateful comment into a funny comment.

Re:comment filtering (1)

Jesus_666 (702802) | more than 6 years ago | (#22034508)

Oh exploitable! Of course replacing words makes everything better, even if there's drama involved. And nobody will ever know what was originally posted and it will certainly not evolve into a special kind of slang.

Re:comment filtering (0)

Anonymous Coward | more than 6 years ago | (#22034726)

As much as I would be for this particular filter, Slashdot is what it is because they don't censor or ban people. I think this is a good thing and I wish more sites on the Internet worked like that.

I am personally sick of all the "public" web communities that get into their little hole and if anyone disagrees with them on even the slightest issue (even suggestions to improve their site) they get blasted away. This hurts the 'Net in my opinion.

How about checking your router configuration (1)

Aging_Newbie (16932) | more than 6 years ago | (#22034350)

My cheapie Belkin access point has an option to turn off UPNP in the configuration. In fact, it is the default. That should kill that exploit rather quickly, shouldn't it?

Opening port does not mean that it is exploitable (1)

JaLooNz (781746) | more than 6 years ago | (#22034642)

Has anyone realised that it can only open ports? (Especially since UPnP appears to be only an HTTP-based request system, doing it should not be too difficult.) But whether it can be made useful is questionable. You need an open client running on that specific port (which most likely cannot be done in any browser) to be anywhere near exploitable.

Re:Opening port does not mean that it is exploitab (1)

Tony Hoyle (11698) | more than 6 years ago | (#22034932)

$trojan opens port. Talks to UPnP server. Your machine gets pwned.

script/flash/exe/whatever opens port 445. Your network gets pwned.

Because there's no authentication, UPnP shouldn't be allowed anywhere near a network. At the very least a verified password should be needed to activate the port forwarding each time.

Really, developers shouldn't write shitty protocols that require it. Luckily it's becoming rarer.. few games need it (if any, these days.. certainly nothing recent), even bittorrent clients are getting better (the early ones needed something like 10 ports.. newer ones need 1). There's absolutely no need for a non-server to be requiring open incoming ports - on a client they should all be outgoing and handled naturally by the NAT logic.

I recently bought a Sitecom router (1)

MadJo (674225) | more than 6 years ago | (#22034678)

and was pleasantly surprised to see UPnP disabled out of the box.
Are router manufacturers finally learning?

My Xbox360 requires uPnP to be off (1)

gelfling (6534) | more than 6 years ago | (#22034758)

Only way it works. I can't for the life of me understand what I would need it for anyway.

Transmission client (0)

Anonymous Coward | more than 6 years ago | (#22034886)

For those of us with a large network, it's easier to keep it on for when someone randomly wants to use the Transmission client on Linux for bittorrent.

Local firewall and other factors (1)

Joe U (443617) | more than 6 years ago | (#22035230)

Ok, for this to succeed the site would have to know your router's internal IP address. 192.168.1.1 is very common in early routers, but this has changed recently.

Now, to actually get to the computer, it would also have to bypass your software firewall as well.

Of course, all this does is open ports, it doesn't actually attack or exploit anything.

This is a potential exploit, but not a working one yet.