In association with heise online

15 January 2008, 13:32

Unwanted remote configuration for home routers [Update]


It has long been recognised that Universal Plug and Play (UPnP) on routers can lead to security problems. Any unauthenticated client on the LAN can, for example, activate port forwarding, thus tunnelling through the firewall. Attackers from the far side of the router may, however, also be able to reconfigure it, according to a report by security specialists Petko Petkov and Adrian Pastor on the GNUCitizen website. This requires a cross-site scripting vulnerability in the router's authentication dialog box, but the authors consider this to be all too common. According to the report, this can be used to execute JavaScript in the browser in the router's context and to communicate with the UPnP API or the router's SOAP interface via XMLHttpRequests.

Not only can this JavaScript be used to forward ports, but, depending on the router used, it is also possible to make further changes to the configuration. A router with UPnP support usually even responds to queries as to which services can be controlled via UPnP. In the worst case, it is even possible to modify the IP address of the DNS server (SetDNSServer) in order to divert queries to a crafted name server and return fake addresses. A victim could thus be directed to a phishing website without knowing anything about it.

According to the report, the models affected include the widely used Speedtouch router from Thomson and BT's Home Hub. For an attack to succeed, the victim must, as ever for cross-site scripting attacks, click on a link on an attacker's website and UPnP must be activated on the device. This is by default the case on many routers.

Tools such as NoScript usually protect users from attacks using malicious JavaScript. Petkov demonstrates, however, how routers can also be reconfigured via UPnP using ActionScript in Flash applets – without the need for a cross-site scripting vulnerability in the router. This neatly circumvents normal JavaScript filters. Petkov's demo does not work with the most recent version of Flash Player, so the problem may rely on flaws in older versions of the player.

No-one has yet created an ActionScript filter, as this would require real-time decompilation of Flash applets. To be on the safe side, users should ensure that UPnP is deactivated on their routers.
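The advice above is to make sure UPnP is switched off. The following Python script is an added example, not code from the article or from GNUCitizen: it sends the standard SSDP M-SEARCH for an Internet Gateway Device, parses the reply and the device description it points to, and reports whether the router exposes the services behind the configuration changes discussed above (WANIPConnection/WANPPPConnection for port mappings, LANHostConfigManagement for SetDNSServer). The service names come from the UPnP IGD:1 specification; the SSDP reply and description document embedded in the block are constructed samples so the parsers can be exercised without a router.

```python
"""Audit whether a router on the LAN answers UPnP discovery and which IGD
services it exposes. Added example, not code from the article or GNUCitizen."""
import socket
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# IGD:1 services whose actions change router behaviour, mapped to the
# risk the article names (port forwarding / DNS redirection).
RISKY_SERVICES = {
    "urn:schemas-upnp-org:service:WANIPConnection:1": "port mapping (AddPortMapping)",
    "urn:schemas-upnp-org:service:WANPPPConnection:1": "port mapping (AddPortMapping)",
    "urn:schemas-upnp-org:service:LANHostConfigManagement:1": "DNS/DHCP settings (SetDNSServer)",
}

# Constructed sample data (not captured from a real device) for offline use.
SAMPLE_SSDP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:80/upnp/IGD.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Constructed IGD</friendlyName>
    <serviceList><service>
      <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
    </service></serviceList>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:LANDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:LANHostConfigManagement:1</serviceType>
        </service></serviceList>
      </device>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <deviceList><device>
          <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
          <serviceList><service>
            <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          </service></serviceList>
        </device></deviceList>
      </device>
    </deviceList>
  </device>
</root>"""


def build_msearch(target: str = IGD_TARGET, mx: int = 2) -> bytes:
    """Build the SSDP M-SEARCH request that any LAN client may send."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\nST: {target}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP 200 OK reply into lower-cased headers; {} if not a 200."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return headers
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_service_types(description_xml: str) -> list:
    """Return every <serviceType> in a device description, in document order."""
    root = ET.fromstring(description_xml)
    return [
        el.text.strip() for el in root.iter()
        if el.tag.endswith("}serviceType") or el.tag == "serviceType"
        if el.text
    ]


def assess(service_types: list) -> list:
    """Map exposed services to the configuration changes they allow."""
    return [(st, RISKY_SERVICES[st]) for st in service_types if st in RISKY_SERVICES]


def discover(timeout: float = 3.0) -> list:
    """Send M-SEARCH on the LAN and collect LOCATION URLs of responding gateways."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    locations = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            loc = parse_ssdp_response(data).get("location")
            if loc and loc not in locations:
                locations.append(loc)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return locations


if __name__ == "__main__":
    found = discover()
    if not found:
        print("No UPnP Internet Gateway Device answered: UPnP appears to be off.")
    for url in found:
        with urllib.request.urlopen(url, timeout=5) as resp:
            xml_text = resp.read().decode("utf-8", errors="replace")
        print(f"UPnP gateway at {url}")
        for service, risk in assess(parse_service_types(xml_text)):
            print(f"  exposes {service}: {risk}")
```

A router that does not answer the M-SEARCH at all is the outcome to aim for; one that answers and lists LANHostConfigManagement or a WAN*Connection service is reachable from anything on the LAN, including a browser, and UPnP should be disabled in its administration interface.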

Update: The UPnP specialist Armijn Hemel points out that changing the DNS server, at least, is not that easy. In his tests with firmware 6.2.6.E, the UPnP function SetDNSServer only returns an error. He suspects that it is only present because the specification makes it mandatory to implement if the LANHostConfigManagement part of the Internet Gateway Device specification is used.
