Most Home Routers Vulnerable to Flash UPnP Attack
An Anonymous reader noted that some folks at GNU Citizen have been researching UPnP vulnerabilities in home routers, and have produced a Flash swf file capable of opening ports into your network simply by visiting an unfortunate URL. Looks like Firefox & Safari users are safe for now.
Nothing new, really (Score:4, Interesting)
It all hinges on going to a malicious web site. Just like email trojans, if you resist temptation and use some common sense, do you really have to worry about this?
Mozillazine forums had this two years ago (Score:3, Interesting)
My Home router is a Linux NAT Box. (Score:3, Interesting)
Anyway, my point. What about things like the Linksys WRT54GL?
The thing is, it would be awesome if there was a flash-drive-driven Linux device with a Cisco style com port that ran off flash, could be an OpenLDAP Server, Samba DC, Kerberos KDC, NAT Server, or actual router WITH a Cisco style Console port, and that is cheap. Why does this not exist??
WHERE $money; PUT $mouth (Score:4, Interesting)
I live in Cincinnati, Ohio. You come (wirelessly) break into my router, change the current settings by opening port 1337, and I'll refund the cost of your travel (as determined by hotwire or expedia's fare rates on the day of your travel), and pay you $100 additional, all in cash on the same day.
It's a SOHO router, but I won't tell you what make/model -- if your prowess is as you claim, you should have no trouble determining that. You may not enter the apartment or inspect any systems currently connected -- but you shouldn't need to. I have no other firewalls, proxy servers, or tricks on the front end of this router -- it's straight from modem to unit. You may have 48 consecutive hours to complete the task.
Still confident? Email me at radams theatsign tohuw.net and make arrangements.
Re:Nothing new, really (Score:4, Interesting)
Re:Turn off UPnP! (Score:2, Interesting)
My old router used to have an option to only let hosts modify UPNP bindings to their own IP, which is good enough security for me.
What I don't get about this exploit is, if you already have a flash application running on a victim's machine that can make arbitrary outgoing connections, couldn't you just as easily proxy your connections through the flash application? So it's not like you gain access to anything that you didn't have access to already.
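As an added example (not code from the thread or from GNU Citizen), the following models the router option the comment above describes: a LAN host may only create UPnP port mappings that point at its own address. It parses a constructed WANIPConnection AddPortMapping SOAP request and rejects it when NewInternalClient is outside the LAN or differs from the requesting host; the LAN range and the sample request are assumptions.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

# Namespaces used by a UPnP IGD AddPortMapping SOAP call.
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "u": "urn:schemas-upnp-org:service:WANIPConnection:1"}

# Constructed sample request: a LAN host asks the router to forward
# external TCP port 1337 to 192.168.1.10:80.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>1337</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>80</NewInternalPort>
   <NewInternalClient>192.168.1.10</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>example</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(xml_text):
    """Extract the fields that matter for the policy decision."""
    root = ET.fromstring(xml_text)
    action = root.find("s:Body/u:AddPortMapping", NS)
    if action is None:
        raise ValueError("not an AddPortMapping request")
    args = {child.tag: (child.text or "").strip() for child in action}
    return {
        "external_port": int(args["NewExternalPort"]),
        "protocol": args["NewProtocol"],
        "internal_port": int(args["NewInternalPort"]),
        "internal_client": args["NewInternalClient"],
    }


def check_mapping(requester_ip, xml_text, lan_net=ip_network("192.168.1.0/24")):
    """Hypothetical router policy: allow a mapping only if the target is
    inside the LAN and is the same host that sent the request."""
    mapping = parse_add_port_mapping(xml_text)
    target = ip_address(mapping["internal_client"])
    if target not in lan_net:
        return False, "internal client outside LAN"
    if target != ip_address(requester_ip):
        return False, "internal client differs from requesting host"
    return True, "ok"
```

With this policy a request coming from 192.168.1.10 for itself is accepted, while the same request sent from any other LAN host is refused, which is the restriction the comment relies on.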
Re:WHERE $money; PUT $mouth (Score:4, Interesting)
Re:Turn off UPNP (Score:3, Interesting)
I have several PCs (one desktop, one old laptop, one ancient laptop) which I've tried to eliminate moving parts from.
The desktop is a machine which I occasionally use through a KVM, which only exists to operate a Soundblaster Live card using the (exceptionally fine) KX Audio Driver. This turns an old (and also exceptionally fine), quadraphonic Pioneer receiver into an exquisitely-tweaked biamplification setup for the computer room's audio, while being able to convert to a rather featureful bass guitar amplifier at the push of a button.
The hard drive is gone, its old-skool K6-2 heatsink/fan combo replaced by a huge heatsink from the high-dissipation Socket A days, and its power supply fan replaced with a slow-moving thermostatically-controlled job which should last for decades. Storage is a 2-gigabyte Transcend compact flash card, which seems to contain Windows XP just fine. (2000 would have worked just as well, but I already had an extra XP license and felt that it might as well be doing something.)
The old laptop is a rather lousy Compaq P166. It sits on my wife's desk for the sole purpose of letting her use Thottbot. Again, the hard drive is a 2-gig flash card. It runs some variation of Ubuntu, with Firefox, and that's it. The CPU fan is unmodified, but in this application it's never required to spin anyway.
The ancient laptop is what was once a very high-end (~$3,700) NCR/AT&T 386SLC box with a monochrome VGA screen. There's no floppy drive, no CD drive, and (at this point) no keyboard. Its power supply is a 12VDC wall wart soldered to battery terminals. The CMOS battery died ages ago. The top cover broke into little bits long ago, and has been replaced by a heavy stainless steel and aluminum fabrication bolted to the display hinges. It survived for two days under floodwater without any apparent harm other than a heavy layer of silt over the entire motherboard (which it doesn't seem to mind at all). With a 512MB flash card in place of its hard drive, it does fine hanging on the wall displaying a backlit, NTP-synchronized clock. Its only remaining moving parts are the power switch and the contrast control.
At this point, it seems important to note that there is one thing that all of these machines have in common with each other: They're PCs. They all need some combination of expansion, visual output, or human input in order for them to work in their desired capacity. Even the aforementioned Frankenstein laptop needs a PS/2 port, in order to unwedge the BIOS at bootup because of its dead battery.
But a router? It doesn't need these things -- not even the battery. It's got 5 Ethernet ports, which is plenty for my house. They all share the same 100mbps pipe to the CPU, and are only individually addressable by configuring them for VLAN, which is way more than good enough for my cable modem connection at home. It configures just swell with SSH, so it needs no local display or keyboard. And with all that connectivity, it needs no expansion (though I did hack in a 256MB SD card for no particular reason).
And there's one thing it does which your scrap-built m0n0wall box is lacking: WiFi. The WRT54G includes a rather nice dual-diversity 802.11g radio by default, with real antenna connectors and good power output (in case I ever feel like blanketing a city block with WiFi).
I mean, if I were still using a PC as a router (as I did do for the decade between 1995 and 2005), I'd still have to buy an access point/hostap-supported NIC/wireless router in order to use my laptop on the couch.
As I see it, since the WRT54G does all of this stuff for $50, the situation can be looked at in one of two ways: Either the access point was free, or the router was free. Plus, I get to use all of the parts which didn't get used building a PC-based firewall for more interesting projects or spares.
So, let's review: A WRT54G is smaller (more room for real computers), cheaper, better, has lower power consumption (a few do