Unwanted remote configuration for home routers [Update]
According to the report, the models affected include the widely used Speedtouch router from Thomson and BT's Home Hub. For an attack to succeed, the victim must, as ever for cross-site scripting attacks, click on a link on an attacker's website and UPnP must be activated on the device. This is by default the case on many routers.
No-one has yet created an ActionScript filter, as this would require real-time decompilation of Flash applets. To be on the safe side, users should ensure that UPnP is deactivated on their routers.
Update: The UPnP specialist Armijn Hemel points out that at least changing the DNS server is not that easy. In his tests with firmware 6.2.6.E, the UPnP function SetDNSServer only returns an error. He guesses that it is only there because the specification says it is mandatory to implement it if you decide to use the LANHostConfigManagement part of the Internet Gateway Device specification.
- BT Home Flub: Pwnin the BT Home Hub (5) - exploiting IGDs remotely via UPnP, report by Adrian Pastor
- Hacking The Interwebs, report by Petko Petkov