50 Million Potentially Vulnerable To UPnP Flaws

Posted by Soulskill
from the much-lower-than-expected dept.
Gunkerty Jeb writes "In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"
  • by Anonymous Coward

    Little incentive to contribute code as it will be snatched by Micro$oft and App£e.

    • by NotBorg (829820)

      Upstreaming your work can save you time (money) regardless of license. You can maintain your patch set independently indefinitely, but pushing your patch upstream makes it more likely that someone else will do it for you and perhaps do it better than you. Even if your patch is trivial, sometimes a small change can inspire more work.

      I once submitted a patch fixing an obscure overflow. It was a simple off-by-one flaw. Someone else scratched their head and decided to check the software for more code defec

  • by girlinatrainingbra (2738457) on Wednesday January 30, 2013 @03:59AM (#42735461)
    So did they come up with the number of vulnerable sites from
    (a) -- sales figures of devices with UPnP enabled by default,

    or did they actually do active spidering of (b):

    1 -- a representative sample of IP addresses in a particular space
    2 -- a wide ranging probe of many many IP addresses all around the world?

    If they did (a) above, then sure it makes sense. If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential serialized intentional attempt to knock on so many doors to test vulnerability, well that's just annoying and wrong, and possibly illegal, eh?

    • by Anonymous Coward on Wednesday January 30, 2013 @04:11AM (#42735507)

      Their methodology is explained in the report. Halfway through the first page of executive summary you'll find the following:

      UPnP discovery requests were sent to every routable IPv4 address approximately once a week from June 1 to November 17, 2012.

      • yep, i noticed that too when i RTFA'd after posting, just like every other dottir here on /. ;>)
        • by mellon (7048)

          It's good to know that the slashdottir are looking out for us.

          • by Anonymous Coward

            If your last name is Slashdottir, that probably means that you're a girl whose Icelandic mom got to "hang out" backstage at a Guns n Roses concert a few years back.

    • by AC-x (735297)

      If they did (b1) or (b2) above, especially if they didn't get the permission of every IP address which they probed/tested, then aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port?

      Would it be illegal though? For example how would it be illegal to scan port 80 on every public IP address?

      • by Bengie (1121981)
        As far as I can tell, scanning ports is not illegal unless you do so in a manner that can DOS them.
      • Yeah, scanning port 80 ought not be illegal, as port 80 is recognized as a resource point for the WWW, but if you kept trying out ports 25 for SMTP looking for an accessible proxy or 23 or 107 for telnet or even banging on 22 for ssh and even trying a few default user/pw combos, that somehow feels wronger, doesn't it? That's more like walking up to the door and not just rattling the knob but telling the butler, "hey it's me, let me in, you know me!, c'mon let me in!"
    • " aren't they doing illegal penetration testing, even if all they are doing is checking for the existence of a responding port? I mean one or two or an accidental port knock would be like knocking IRL on a random stranger's door, but a sequential serialized intentional attempt to knock on so many doors to test vulnerability, well that's just annoying and wrong, and possibly illegal,eh?"

      You are kidding right? Also, a better but still imperfect analogy would be that they are walking down streets observing i

  • Long standing bet (Score:5, Insightful)

    by EmperorOfCanada (1332175) on Wednesday January 30, 2013 @04:02AM (#42735469)
    I have had a long standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old d-link, linksys, etc routers out there doing their thing without being massively attacked.

    The closest that I have seen to a good widespread attack was when a certain DSL modem would crash when script-kiddies were attacking NT machines and the same attack jammed up that model DSL modem. That wasn't really an attack and it didn't amount to much.

    So my bet still stands with modification: there will be an attack, it will be soon, it will be a worm, and people will (mostly) be blissfully unaware of (why is my internet so slow) it and certainly be incapable of dealing with it. Thus it will come down to the ISPs to deal with it which should be interesting to watch.
    • Interesting thought, which has probably occurred to other people, of course.
      I suppose the reason why we have not seen large-scale attacks on routers so far, (and maybe there are some out there already, undetected) is that it has just been easier to infect PCs and use them in botnets, with the tools widely available.
      Would probably take a little more time and ingenuity to setup a net of zombie routers, with the need to tailor the worm or whatever a little to each model/software stack.
      However, once it was in p

      • by peragrin (659227)

        It is simple processing power.

        you hack a router the victim's internet slows down. Whether you're using bandwidth or not. They notice it, eventually call the ISP. The ISP makes you plug a real computer in and suddenly everything is moving fast again.

        You go to best buy plunk down some cash get another router. The old one goes in the garbage.

        no more bot node.

      • by Gr8Apes (679165)
        I did this a long long time ago. It's true, even rolling your own kernel isn't that hard. But it does add to the noise, heat, and power draw. I would prefer to have a sub 10W silent router over a 180+W noisy one any day of the week. Now, the first thing you do with any router is disable UPnP, especially on ISP provided systems. The next thing you do is use your own router behind the ISP one. Now you're in full control of all in/out traffic and can monitor it if you'd like.
      • by drinkypoo (153816)

        I used to have a PC which was a router. But now I have a router which is a computer.

        I will probably go back to Wireless-G, and then I'll be able to use tomato again. But at least my current router is Linux-based. For some reason there's no alternate distributions for it, probably mostly because the GPL sources/build environment don't actually work. Thanks, D-Link.

    • by 2fuf (993808)

      The way you describe it, it'll be hard to call your bet. How can one disprove this hasn't already happened?

    • by DarkOx (621550)

      Traditionally the light weight home routers vulnerable or not have just not been targets. It was easy enough to get control of the much more powerful machine behind it. If you wanted a spam bot a PC is much more useful. If you are an identity thief etc, the PC will have information on it, the router probably not so much. If you are a script kiddy and you just want metasploit to grab some screen shots for the lolz then again the PC behind the router was more interesting.

      I am not saying that in an attack con

    • by tlhIngan (30335)

      I have had a long standing bet as to how long it would take for someone to really nail most of the routers out there. It has always puzzled me how something like Linux or Windows can have a vulnerability of the week which is (usually) patched by most users in a flash. Yet there are many very old d-link, linksys, etc routers out there doing their thing without being massively attacked.

      Easy - routers are not monocultures. They vary in price and capabilities from sub-$20 specials to $200+ with fast processors

  • by Anonymous Coward

    Let any application open a port to the outside world on your router? Really? And nobody gave a damn about the consequences or even understood its power. Meanwhile I sat back and watched as millions of people enabled it by default on products shipped out worldwide and said nothing because NOBODY CARED they /wanted/ the convenience and turn-key solution that UPnP provided and didn't want to bother learning how to open their own ports manually.

  • by hedley (8715)

    How many vendors are going to patch some obsolete hw to get the lib updated? I would be surprised if they can build images for some of those old products. That said, it seems a bit of an uphill crack, you have to know the target CPU, the lib version, and prepare a useful injection rather than just a denial of service. Still, it is interesting that people are still acting as documented on data coming over the wire, sprintfs into buffers with %s was an eye opener to me. These days for web stuff I use the c++

    • How many vendors are going to patch some obsolete hw to get the lib updated?

      Zero.

      I would be surprised if they can build images for some of those old products.

      I'm certain that most of them have simply lost or let bitrot the toolchains they need to build those images.

      That said, it seems a bit of an uphill crack, you have to know the target CPU, the lib version, and prepare a useful injection rather than just a denial of service.

      Pack several exploits in the worm.

      Still, it is interesting that people are still acting as documented on data coming over the wire, sprintfs into buffers with %s was an eye opener to me. These days for web stuff I use the c++ string class, fixed c buffers look weak to me with unvalidated socket input.

      H.

      Shovelware kit will always be programmed all wrong and never be updated, be it by their rock-fuck owners or greedy makers.
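The unbounded `sprintf` with `%s` that hedley and the reply above describe, next to a bounded version that checks for truncation, as an added example in C (not code from libupnp, from the Rapid7 report or from anyone in the thread); the M-SEARCH request, the `ST_MAX` buffer size and the function names are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ST_MAX 64  /* assumed size of the fixed buffer a small UPnP stack uses */

/* Constructed SSDP M-SEARCH request (sample data, not a real capture). */
static const char SAMPLE_MSEARCH[] =
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n";

/* UNSAFE: the pattern described in the thread. A header value that came
 * off the wire is written into a fixed stack buffer with an unbounded
 * "%s"; any value of ST_MAX bytes or more overflows `st`. Kept here only
 * for contrast and never called with untrusted input. */
void store_search_target_unsafe(const char *st_value)
{
    char st[ST_MAX];
    sprintf(st, "%s", st_value);
    (void)st;
}

/* SAFE: bounded write plus a check of snprintf's return value. snprintf
 * alone only truncates silently; the caller must notice that the value
 * did not fit and reject the request rather than act on a truncated
 * search target. Returns false when the value is too long. */
bool store_search_target_safe(const char *st_value, char *out, size_t out_sz)
{
    int n = snprintf(out, out_sz, "%s", st_value);
    if (n < 0 || (size_t)n >= out_sz) {
        if (out_sz) out[0] = '\0';
        return false;
    }
    return true;
}

/* Pull the ST: header out of a raw M-SEARCH request into a caller-supplied
 * buffer (case-sensitive header match, for brevity). The value is first
 * isolated into a bounded, NUL-terminated scratch copy, so no step of the
 * path trusts the sender's length. */
bool extract_search_target(const char *req, char *out, size_t out_sz)
{
    const char *line = strstr(req, "\nST:");
    if (!line) return false;
    line += 4;
    while (*line == ' ') line++;
    const char *end = strpbrk(line, "\r\n");
    size_t len = end ? (size_t)(end - line) : strlen(line);

    char tmp[512];
    if (len >= sizeof tmp) return false;
    memcpy(tmp, line, len);
    tmp[len] = '\0';
    return store_search_target_safe(tmp, out, out_sz);
}
```

The point to take from the safe path is the return-value check after `snprintf`: without it an over-long search target is silently cut short and the device answers a request it never actually parsed.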

  • find the posts (Score:4, Interesting)

    by r00t (33219) on Wednesday January 30, 2013 @04:29AM (#42735569) Journal

    Just yesterday, lots of Slashdot readers claimed UPnP was totally reasonable for security. It's time for a wall of shame. Here is the story:

    http://it.slashdot.org/story/13/01/29/0111238/58000-security-camera-systems-critically-vulnerable-to-attackers [slashdot.org]

    I'll start.

    adolf: http://it.slashdot.org/comments.pl?sid=3415287&cid=42722879 [slashdot.org]
    Miamicanes: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723217 [slashdot.org]
    julesh: http://it.slashdot.org/comments.pl?sid=3415287&cid=42723393 [slashdot.org]

    • by Anonymous Coward

      Maybe you should start with the link to your comment where you claimed it was not (and specifically because of bad implementation, instead of just being an unauthenticated protocol). Otherwise you don't have the told-you-so right, and your comment is nothing but a flamebait.

    • And... They are still right. Particularly adolf's analysis is pretty much spot on. I didn't bother to read the rest.

      If you are scared that you might get some malware on a device located behind your router, you've already lost the game. The malware could have already grabbed all your important stuff and posted it to an overseas website. Do you also have key locks on the INSIDE of the doors that lead out of your house? I mean what if a burglar snuck into your house somehow, now they would be able to unloc

  • by Anonymous Coward

    Rapid7 provide a testing tool. It requires Java. So to find one vulnerability, you have to install another.

    • Re: (Score:3, Insightful)

      by rvw (755107)

      Rapid7 provide a testing tool. It requires Java. So to find one vulnerability, you have to install another.

      So don't install the Java plugin in your browser and quit bullshitting.

  • by eksith (2776419) on Wednesday January 30, 2013 @04:38AM (#42735613) Homepage

    ...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.

    But the page itself is still there. Only the link was removed. To get to it, visit : http://192.168.1.1/index.cgi?active%5fpage=900 [192.168.1.1]

    Suck it, Verizon!

    • by eksith (2776419)
      Forgot to add, my router model is MI424WR-GEN3I
      • by rvw (755107) on Wednesday January 30, 2013 @06:42AM (#42736035)

        ...Like I do, you may find the router's UPnP page mysteriously missing from the "Advanced" section of your admin panel. This is a brilliant move on their part to avoid users breaking their skype/game access and then calling tech support.

        But the page itself is still there. Only the link was removed. To get to it, visit : http://192.168.1.1/index.cgi?active%5fpage=900 [192.168.1.1]

        Suck it, Verizon!

        Forgot to add, my router model is MI424WR-GEN3I

        Hey I just tried to login to your browser, but it seems to be a Linksys Router, and that link didn't work, got a 404 back. So please - for the next time - make sure what you're talking about!

        • by eksith (2776419)
          Not sure if this is trolling or genuine. But just in case it's genuine, please visit YouTube and browse for cat videos. Watch about 4 hours worth and then read this [wikipedia.org]
    • by Anonymous Coward

      Set it into "bridged" mode, & get a GOOD NAT stateful packet inspecting router!

      (E.G./I.E.-> For example, my LinkSys/CISCO BEFSX41 for example, can do this - most, CAN!).

      Why?

      It works, since it sets THEIR FIOS (or DSL) modem into "dummy terminal mode", & then allows YOUR router to take over control duties instead!

      (Which, odds are, since your firewalling router has more features for security, odds are, including UPnP control, "hardware-side" - then, you can also do this OS-side too, in Windows as wel

    • Skype works for me without UPnP being enabled. I also play the odd online game and haven't noticed any issues.
      • You don't notice it on skype much, but in the case that both the sender and receiver are both behind non-UPnP NAT routers, then your entire conversation gets sent to a node somewhere on the network. That node could be Mr Joe badguy who likes to listen in to people's skype calls (Not hard to do). I know sending files didn't used to work at all, but they might have fixed that in the past couple of years, I really didn't keep up on the changes skype made. In any case, not only does it send packets to a 3rd

  • Yes, shovelware applies to hardware too. Hardware like home routers, which are NEVER EVER updated - be it by their rock-dumb owners or their irresponsible manufacturers.

    And then this happens. All the time forever, until the greedy fucks who make those never-updated shit get slapped with fines for gazillions, and THEN the surviving ones would begin to think of SUPPORTING the crap they sell, instead of shoveling poorly-differentiated models that only exist to make the non-castrated one more expensive than it

  • Microsoft was one of the founders of the UPnP Forum, Apple isn't a member. Not to mention that Microsoft pushed this API very hard. We were warned of the vulnerability of this protocol back in 2001. There was a big deal with Windows ME and XP about disabling this service also. It was Microsoft who ignored all the vulnerabilities at first; if they scared OEMs then the OEMs wouldn't implement this protocol.

    This is yet another example of why Microsoft has too much power and shouldn't be dictating what's in my

  • I followed the link to the article... then the link to the PDF... follow the link to their "Vulnerability Detector"... Start to install... Read the Legalese... The terms are suspicious... Click OK to continue... The next screen asks for personal information. Red Lights and Alarms go off. Anytime a "security vendor" lists contract terms like those and then wants my name and address when I did not want or ask to contract a service. I killed the installer.

    Level7 is not preventing a problem --- it is the problem.

  • Why is the uPnP service facing Internet anyway? Shouldn't it be accessible only from LAN?
    • You are correct, it shouldn't be exposed to the WAN. Doing so is an implementation flaw, and this flaw is widespread. uPnP has other problems, but this particular one is truly awful.
  • I've got an old Linksys WRT54GL running the latest Tomato Firmware (v1.28; development seems to have stopped), which has MiniUPNP v1.4 providing Universal PnP services. Version 1.4 is not vulnerable to the exploits listed in the whitepaper (1.0 is), so it's probably safe to keep it turned on.

  • You fool! Anyone who depends on their router for security is an idiot. You assumed that your brand new laptop would be safe when connecting to your home LAN, behind that router? What were you planning on doing when you took it to Starbucks and used their WiFi?

    Security need to be built into each device in the form of a software firewall. Unneeded ports need to be closed, whether you are on a LAN or not. Once this is taken care of, you can assume that your home/office LAN is as hostile as the Internet at lar

  • by Anonymous Coward

    Upnp was spotted as an issue years ago by Gibson Research Corp, more than 10 years ago. He even made tools to test for it. www.grc.com
