Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Networking Wireless Networking

Remote-Access Router Exploit Finally Revealed (helpnetsecurity.com) 38

"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security: Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit. The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable.
This discussion has been archived. No new comments can be posted.

Remote-Access Router Exploit Finally Revealed

Comments Filter:
  • Not a big deal (Score:4, Insightful)

    by arth1 ( 260657 ) on Saturday April 15, 2017 @09:42AM (#54239761) Homepage Journal

    Anyone who wants to use their router for security will have UPnP turned off (or for halfway decent routers, not even present) anyhow. It's an inherently unsafe protocol, deliberately trading security for convenience. Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

    Hopefully, this can be another nail in the coffin for UPnP, but I doubt it. With consumers, convenience will always win over security.

    • by Anonymous Coward

      Anyone who wants to use their router for security will have UPnP turned off

      Wrong.
      There are millions and millions of people who want to use their router for security that don't know enough or do not take the time to turn off UPnP. That is the entire point of discussing this. It's why this is a fucking issue. You cannot just dismiss it by waving your hands and saying meh, they don't know what they're doing.

      • by Mashiki ( 184564 )

        Well it could be like Bell Canada. Who uses your street address for your wifi password, and uses WEP as the default security. Sometimes there are things far worse, and really the problems here are people either don't look things up(like what UPnP does), or think that because it's set to on by default it's perfectly safe. Second that companies enable this by default because "it makes it easy."

    • by Z00L00K ( 682162 )

      I agree, the amount of F-ups that UPnP offers greatly exceeds the advantages of that protocol.

      I can't imagine that anyone allowed that protocol from the beginning. On the other hand - don't underestimate the power of human stupidity and laziness.

    • by Anonymous Coward

      > [uPnP is] an inherently unsafe protocol, deliberately trading security for convenience.

      How is it more unsafe than giving each machine on your LAN a globally-routable IP address? (Hint: This is exactly what you get with decent IPv6 service.)

      > Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

      On every one of the dozens of routers I've used, uPnP rules come _after_ all admin-specified firewall rules. This means that uPnP rules cannot override admin prohibitions, as t

      • by chihowa ( 366380 )

        You start off by confusing NAT and firewalls, so it's hard to believe that you really have much of a clue.

    • Re:Not a big deal (Score:4, Informative)

      by freax ( 80371 ) on Saturday April 15, 2017 @11:31AM (#54240037) Homepage

      Download the PDF. Go to page 15 and read the implementation of the unique_service_name function. There are 7!! rash amateur code exploits in about 30 - 50 lines of code, brackets and return calls included. That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code. The amount of stink you see in each and every line of the implementation is what makes any serious programming speechless.vA minimal amount of code review would have blocked the contribution entirely.

      We should put the blame of this one on the programmer. Not on the protocol. That doesn't mean UPnP doesn't stink together with the implementation. Especially since often the guys writing reference and often-used libraries for a protocol, are also the ones who defined the protocol. So of the implementation is like that code, which it likely is, then I'm pretty sure the protocol isn't going to conform to RFC 1925.

      • by e r ( 2847683 )

        That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code.

        Everyone makes mistakes. But aren't there tools out there that will avoid mistakes like this? In other words, if that rank amateur had been using C++ instead of doing a bunch of manual stuff with C then this particular problem would have been avoided.

        Page 17 from the .pdf [homeerikdo...awsupnppdf]:

        We see that the code has been refactored, but still suffers from three buffer overflows in roughly the same places as before. The strncpy() function is being passed a length based on the distance between two strings in the attacker-supplied request, but is not checked against the size of the destination buffer.

        So... if they had used C++ and std::string instead of doing everything manually in C then this would not have happened (perhaps some other vulnerability would be found instead, but not this one).

        STOP USING C. It is not superior in any

    • Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.

      It's main purpose is to knock holes in the firewall for devices on the LAN, behind the router. If I have an untrusted device on my side of the network that's a problem that I should fix, even without UPnP.

  • most manufacturers don't update their router's firmware -- meaning many routers may still be vulnerable.

    It's great having to buy new hardware because of software issues. Makes me feel like a Windows user.

    • by Anonymous Coward

      +1 Very accurate comment.

      IMHO most consumer routers out there seem to be sold with "one-off" firmware that is NEVER UPDATED by the manufacturer.

      I think the researchers should learn how to do real research before they make clueless comments that consumers don't update their router firmware.

      For those consumers with devices that can be updated, yes, that group of consumers shares responsibility for these exploits getting out of hand.

      Another group of consumers that share responsibility fo exploits getting ou

To stay youthful, stay useful.

Working...