Remote-Access Router Exploit Finally Revealed (helpnetsecurity.com) 38
"Back in the days, Cisco fixed the vulnerability, but we are not sure about all other router vendors and models because there are too many of them," writes the DefenseCode team. Orome1 quotes a new report from Help Net Security:
Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom's UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices out there, the researchers refrained from publishing the exploit they created for the flaw, but now, four years later, they've released their full research again, and this time they've also revealed the exploit.
The researchers pointed out that most users don't update their router's firmware -- meaning many routers may still be vulnerable.
Not a big deal (Score:4, Insightful)
Anyone who wants to use their router for security will have UPnP turned off (or for halfway decent routers, not even present) anyhow. It's an inherently unsafe protocol, deliberately trading security for convenience. Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.
Hopefully, this can be another nail in the coffin for UPnP, but I doubt it. With consumers, convenience will always win over security.
Re: (Score:1)
Anyone who wants to use their router for security will have UPnP turned off
Wrong.
There are millions and millions of people who want to use their router for security that don't know enough or do not take the time to turn off UPnP. That is the entire point of discussing this. It's why this is a fucking issue. You cannot just dismiss it by waving your hands and saying meh, they don't know what they're doing.
Re: (Score:1)
Go ahead, maintain their computers for them. When you've done all the work to make their setup secure, they'll throw it out and buy something new because it works with the latest fad, or won't get in their way so often like the old thing that you practically made unusable, or for no reason at all. UPnP exists because of these people. Of course they'll say they want security. But they choose convenience over security every time. Why would I question their priorities?
Re: (Score:2)
Well it could be like Bell Canada. Who uses your street address for your wifi password, and uses WEP as the default security. Sometimes there are things far worse, and really the problems here are people either don't look things up(like what UPnP does), or think that because it's set to on by default it's perfectly safe. Second that companies enable this by default because "it makes it easy."
Re: (Score:2)
I agree, the amount of F-ups that UPnP offers greatly exceeds the advantages of that protocol.
I can't imagine that anyone allowed that protocol from the beginning. On the other hand - don't underestimate the power of human stupidity and laziness.
Re: (Score:1)
> [uPnP is] an inherently unsafe protocol, deliberately trading security for convenience.
How is it more unsafe than giving each machine on your LAN a globally-routable IP address? (Hint: This is exactly what you get with decent IPv6 service.)
> Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.
On every one of the dozens of routers I've used, uPnP rules come _after_ all admin-specified firewall rules. This means that uPnP rules cannot override admin prohibitions, as t
Re: (Score:2)
You start off by confusing NAT and firewalls, so it's hard to believe that you really have much of a clue.
Re:Not a big deal (Score:4, Informative)
Download the PDF. Go to page 15 and read the implementation of the unique_service_name function. There are 7!! rash amateur code exploits in about 30 - 50 lines of code, brackets and return calls included. That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code. The amount of stink you see in each and every line of the implementation is what makes any serious programming speechless.vA minimal amount of code review would have blocked the contribution entirely.
We should put the blame of this one on the programmer. Not on the protocol. That doesn't mean UPnP doesn't stink together with the implementation. Especially since often the guys writing reference and often-used libraries for a protocol, are also the ones who defined the protocol. So of the implementation is like that code, which it likely is, then I'm pretty sure the protocol isn't going to conform to RFC 1925.
Re: (Score:2)
That means every strcpy and even every strncpy is creating an exploitable situation. That kind of rash amateurism in implementation has nothing to do with the protocol. A mind boggling stupid idiot must have written that code.
Everyone makes mistakes. But aren't there tools out there that will avoid mistakes like this? In other words, if that rank amateur had been using C++ instead of doing a bunch of manual stuff with C then this particular problem would have been avoided.
.pdf [homeerikdo...awsupnppdf]:
Page 17 from the
We see that the code has been refactored, but still suffers from three buffer overflows in roughly the same places as before. The strncpy() function is being passed a length based on the distance between two strings in the attacker-supplied request, but is not checked against the size of the destination buffer.
So... if they had used C++ and std::string instead of doing everything manually in C then this would not have happened (perhaps some other vulnerability would be found instead, but not this one).
STOP USING C. It is not superior in any
Re: (Score:1)
Well i've never used it myself, but i think the main purpose people use it for is to allow untrustworthy devices to poke holes their firewall, so that remote exploits are easier to create and security of the person's local network is compromised. That way, a person does not have to be a networking guru to create security problems in their own network. It's all handled transparently behind the scenes, which makes things easier for the average person to deal with. It's all about ease of use.
Re: (Score:3)
Here's a question for /. crowd, what's the most common valid use case for UP&P being required to do something the average worker/user needs to do?
Peer to peer communication works better with it. So things like Skype as well as multi player gaming.
Re: (Score:1)
> what's the most common valid use case for UP&P being required to do something the average worker/user needs to do?
Ad-hoc port forwarding. UPnP does a bit more than this, but that's its primary use.
Rather than asking a user to faff about with a shitty login screen, and then three or more frequently poorly-designed screens, the software that needs port forwarding -but doesn't want to try to roll the dice with one of the three or so NAT hole punching techniques that don't work all of the time- can jus
Re: (Score:2)
Its only purpose is to knock holes in a firewall by untrusted / untrustworthy devices.
It's main purpose is to knock holes in the firewall for devices on the LAN, behind the router. If I have an untrusted device on my side of the network that's a problem that I should fix, even without UPnP.
Re: (Score:2)
If you absolutely have to run a game like that, switch the machine over to a dmz. Even consumer routers support dmzs these days.
And then write a complaint to the company stating the need for being able to set fixed ports. They'll only listen if people complain.
FTFY (Score:2)
most manufacturers don't update their router's firmware -- meaning many routers may still be vulnerable.
It's great having to buy new hardware because of software issues. Makes me feel like a Windows user.
Re: (Score:1)
+1 Very accurate comment.
IMHO most consumer routers out there seem to be sold with "one-off" firmware that is NEVER UPDATED by the manufacturer.
I think the researchers should learn how to do real research before they make clueless comments that consumers don't update their router firmware.
For those consumers with devices that can be updated, yes, that group of consumers shares responsibility for these exploits getting out of hand.
Another group of consumers that share responsibility fo exploits getting ou