Most Home Routers Vulnerable to Flash UPnP Attack
An Anonymous reader noted that some folks at GNU Citizen have been researching UPnP vulnerabilities in home routers, and have produced a Flash SWF file capable of opening ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.
Re:Nothing new, really (Score:5, Informative)
And some sites may become malicious suddenly because of all those syndicated ads around.
Re:Nothing new, really (Score:5, Informative)
I'm not really surprised to be honest - I always thought UPnP looked fishy to me so I disabled it on my router. I don't like the idea that anyone coming to visit can plug in their malware-ridden Windows laptop and reconfigure my router. Sure, having it turned off means X-Box Live is less happy but that only decreases the number of people who can call me "fag" on a daily basis. I wonder if Microsoft will update the X-Box Live support page where they say that UPnP doesn't make your network insecure...
I also have Flash disabled by default because it is well known to be insecure and buggy and a delivery system for malware. Most proper web-browsers either let you enable flash on a per-site basis or will allow you to do so with a plug-in and this is really the way to go.
Let me be the first... (Score:2, Informative)
I installed it a couple of weeks ago, and really enjoy it. Banner ads have all but disappeared, and I don't even really notice (except for faster page loads and cleaner page layouts). If I want to see a YouTube video, that's easily accomplished--just click on the "F" icon in the blocked section of the page.
As an added bonus, I'm protected from all of these recent security breaches we've seen for Flash...aren't I?
Re:DD-WRT? (Score:5, Informative)
If the firmware has UPnP IGD enabled, then your machine is vulnerable to this attack.
The vulnerability is really Flash not restricting what untrusted scripts can do. The router's UPnP IGD profile is working as designed - an application on a machine within the firewall requests that an incoming port be forwarded, so the router does that. This is useful for VoIP, IM, P2P and other applications that need to be contactable from the outside world. Malicious programs that are running on your machine can always initiate outgoing connections, so generally the UPnP IGD is not allowing anything that cannot already be done. In the case of Flash, it is probably blocking most outgoing connections, so UPnP does expand the possibilities for a malicious Flash app to initiate connections with your machine. But unless Flash also allows you to open server sockets, the attacker would also need to find an exploitable service running on your machine.
All this should be detectable by a decent firewall program running on your local machine.
Re:Turn off UPNP (Score:2, Informative)
Personally, I just run a standard ISC DHCP daemon on one of my boxes and then configure it to dole out addresses to machines that need 'static' IPs for server functionality. I also have a dynamic port range for other boxes and devices that can change without any adverse effects.
On a Linux machine (currently there are packages for Ubuntu, Debian and Fedora, plus some others), this can be made easy by the use of the gadmintools' ghdpcd.
Re:Questions about Wireless Router Security (Score:5, Informative)
There are some ports, 137, 139, 445, etc., that you really don't want on the open internet. If the plugin does something like a port forward of 0-65535 to your machine, suddenly *every* service on there is wide open to any attack. It'll bypass protections from e.g. the default XP firewall, as the packets will appear to be coming from the local LAN (the router) rather than the original source.
It's not just Flash (although a malicious advert on a page is the most obvious vector for this). Anything that runs on your machine can do it. I reckon you could craft such an attack in JavaScript even (XMLHttpRequest with the right code).
Once the ports are open, anything that manages to run on your machine can leave itself wide open without having to make telltale outgoing port connections (although it's often said that outgoing connections are the reason UPnP is 'not worse' than existing protections, no working trojan would work in that manner, since the target of the outgoing connection would quickly be found and shut down. OTOH, leaving a trojan on your machine listening, waiting for the command to send spam/infect others/distribute child porn/whatever, is much more real a threat).
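A defender's audit of the kind the two comments above call for (the IGD explanation and the warning about 137/139/445 forwards), added here and not from the thread or from GNU Citizen: it walks the router's IGD port-mapping table with the standard WANIPConnection:1 GetGenericPortMappingEntry action and flags forwards to NetBIOS/SMB ports, permanent leases and entries with no description. The control URL is assumed and not shown; SAMPLE and sample_fetch are constructed stand-ins for a real router's replies.

```python
import xml.etree.ElementTree as ET
RISKY_PORTS = {135, 137, 138, 139, 445}  # NetBIOS/SMB, the ports named in the comment above
NS = 'urn:schemas-upnp-org:service:WANIPConnection:1'
ENV = '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>%s</s:Body></s:Envelope>'
# Standard IGD action; the router's control URL you would POST it to is assumed and not shown
SOAP_REQUEST = ENV % ('<u:GetGenericPortMappingEntry xmlns:u="%s"><NewPortMappingIndex>{index}'
                      '</NewPortMappingIndex></u:GetGenericPortMappingEntry>' % NS)

def parse_mapping(soap_xml):
    """One GetGenericPortMappingEntryResponse -> dict, or None on a SOAP fault (error 713 past the last entry)."""
    f = {el.tag.split('}')[-1]: (el.text or '').strip() for el in ET.fromstring(soap_xml).iter()}
    if 'Fault' in f:
        return None
    return {'ext_port': int(f['NewExternalPort']), 'int_port': int(f['NewInternalPort']),
            'proto': f['NewProtocol'], 'client': f['NewInternalClient'],
            'lease': int(f.get('NewLeaseDuration') or 0), 'desc': f.get('NewPortMappingDescription', '')}

def assess(m):
    """Reasons a defender would want to review this mapping."""
    reasons = []
    if m['int_port'] in RISKY_PORTS:
        reasons.append('exposes NetBIOS/SMB port %d on %s' % (m['int_port'], m['client']))
    if m['lease'] == 0:
        reasons.append('permanent lease, never expires')
    if not m['desc']:
        reasons.append('no description, not set by a well-behaved application')
    return reasons

def audit(fetch):
    """fetch(body) POSTs to the control URL and returns the raw reply; returns [(mapping, reasons)] flagged."""
    flagged, index = [], 0
    while (m := parse_mapping(fetch(SOAP_REQUEST.format(index=index)))) is not None:
        if reasons := assess(m):
            flagged.append((m, reasons))
        index += 1
    return flagged

# Constructed sample table (not a real router): a VoIP mapping, an SMB forward, then the 713 fault
def _resp(ext, inp, proto, client, lease, desc):
    body = (f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}'
            f'</NewProtocol><NewInternalPort>{inp}</NewInternalPort><NewInternalClient>{client}</NewInternalClient>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>{lease}</NewLeaseDuration>')
    return ENV % ('<u:GetGenericPortMappingEntryResponse xmlns:u="%s">%s</u:GetGenericPortMappingEntryResponse>' % (NS, body))
FAULT = ENV % ('<s:Fault><faultcode>s:Client</faultcode><detail><UPnPError><errorCode>713</errorCode>'
               '</UPnPError></detail></s:Fault>')
SAMPLE = [_resp(5060, 5060, 'UDP', '192.168.1.10', 3600, 'VoIP phone'),
          _resp(445, 445, 'TCP', '192.168.1.20', 0, ''), FAULT]

def sample_fetch(body):  # stand-in for the HTTP POST: answers from SAMPLE by the requested index
    index = int(body.split('<NewPortMappingIndex>')[1].split('<')[0])
    return SAMPLE[min(index, len(SAMPLE) - 1)]
```

Against a real router, replace sample_fetch with a function that POSTs the body to the IGD control URL with the SOAPAction header and returns the response text.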
Re:Turn off UPNP (Score:5, Informative)
Hidden SSID: One commonly expressed theory behind hiding a SSID is similar to why you lock your car. If your car is locked, it's a less attractive target than one which isn't. Hiding your SSID does make a network a less obvious target than one which is visible. It doesn't impede any serious search for networks by someone knowledgeable, but it will remain hidden to casual view. Is this vaguely inconvenient? Possibly, but then, really, so are locks. Really, I've never been so fond of that analogy.
If you like, I think a better analogy might actually be that hiding your SSID is like planting a bush in your front yard that obscures a direct view of your front door. It doesn't really make your door any more secure, in and of itself, but it might make it less obvious that there's a door there to begin with. Someone simply walking by might not notice it, but someone sitting in their car, watching folks come and go is sure to notice it. It just makes it more likely that a casual passerby might try one of the obvious doors nearby to see if they can get in, rather than trying yours.
MAC Filtering: Similarly, MAC filtering is better than not MAC filtering. The observer can't get on the network unless they spend enough time analyzing active traffic to sift for MAC info. Yes, with the right tools 'enough time' is relative, and not all that long. But, if you're not around using your wireless network when they're doing the analysis, it's difficult to obtain that info, since your MAC isn't being broadcast to begin with. Is it perfect security? Not by any means, but, again, it's a lot easier to get onto a network that's not using it than one which is. Not everyone is running Kismet with a wireless network card configured in promiscuous mode, and even with the number of folks who are, most are more likely to roll a half block down to the completely open network that's almost invariably there than spend time trying to get onto the more secure network, simply for the challenge of it.
Change the default password: If you seriously don't understand this, then you are completely clueless, regardless of what tools you're using. Just because you can guess a few passwords using the short list that unimaginative folks commonly use doesn't mean that you can guess any password. (Of course, script kiddies commonly don't have any idea why what they use works, but that doesn't mean it doesn't.) If you were thinking at all about what you were writing, you'd see you make the point yourself as to exactly why it's important. You commonly 'just look up manufacturers' default passwords'. If they set a proper password, it makes things more difficult, and you have to try to guess it. With a good password, you're not going to simply guess it.
Crashing the Router: As for your alternative, no decent router should ever come back up with the factory presets after a simple crash. It should always come up with the custom settings, or, failing that, remain hung until manually reset by hand. Even if they do come up with the factory defaults, for modern routers at least, that should be with the external management interface disabled.
Not
Re:Turn off UPNP (Score:3, Informative)
Certain versions, at least, do not. That was the main reason I switched to DD-WRT. The compact version also did not support it last I knew (a friend has this router).
But yes, even the D-Link DI-704 that I purchased in 2000 for $20 (i.e. it was really cheap a really long time ago) did support reserved DHCP, and I'll never again use a router without it. I personally find it unforgivable that Linksys' instructions for port forwarding essentially tell you to completely disable DHCP and just manually configure every device on your network.
Re:My Home router is a Linux NAT Box. (Score:3, Informative)
I have one (I have no financial relationship with them other than customer) and I really love it. Very low power, 4GB flash card (up to 8 now I think), 1GB of RAM, no fans, no noise and if I want to I can put a large USB external drive (or small laptop drive inside) to do NFS/SMB/ETC.
All that and the wonder of Linux IPTables, routing, NATting, OpenVPN, OpenSSH for around $300. I replaced an old P3 box I had been using as a router and my power bill thanks me every month.
Also, each unit ships with a free pudding!! (Warning: Pudding may be evil.)
Re:Turn off UPNP (Score:4, Informative)
It's a good gig: A Linux box with 5 Ethernet ports and a WiFi radio for ~$50.
Having zero moving parts and negligible power consumption is a big help, too.
Re:Turn off UPNP (Score:2, Informative)
That will set your ip to 192.168.101.2 with a gateway of 192.168.101.1 - Fill in your own home network values.
Here is a 3 line
I have about 6 different batch files in a folder in my Quick Launch toolbar on my WinXP work laptop. It takes 2 clicks for me to change my IP address. If I go to a new site where I need to create a new static IP, I just copy one of the batch files, rename it and put in the new information.
Re:WHERE $money; PUT $mouth (Score:2, Informative)
Changing the settings is a bit more difficult - but I wouldn't class it as impossible by any stretch of the imagination.