Saturday, February 09, 2013

UPnP - It was always a bad idea!

UPnP is a protocol that allows a router to listen out for requests to open ports and to make other configurations changes from a client machine WITHIN the LAN. It was popularized a decade ago by Microsoft with the original XBox. If you want to have a game that you're playing with others (who are all sat behind their own NAT routers) then the game has to have a way of opening a port on the router and mapping to the games console. That's what Universal Plug & Play achieves and once it was known that you needed it for XBox gaming no router manufacturer is going to not include it and have it set on by default. For years I've told people to disable it and go to the trouble of opening the required ports manually; Here's how you do it for XBox Live! It seems like a bit of malware on your LAN could have a field day opening up dangerous ports (think Windows filesharing etc) and all the benefit of having a NAT firewall has vanished; you're exposed to the Internet and nobody wants that! 

Anyhow - it turn out that some routers have UPnP enabled on their Internet-facing port! That's right; you send the correctly formed UDP-discovery packet at the Internet side of the router and along with being able to open ports you can query the router for lots of details about itself, allowing you to better tailor your attack for other known vulnerabilities of that specific model. HD Moore (of Metasploit fame) has had a cluster of machines probing the public Internet to see how many public-facing IP addresses had UPnP enabled and it turns out around 2% of hosts respond to WAN-borne UDP discovery packets. He repeated his scan weekly for six months and those eighty-one million routers remained reasonably constant. His blog post makes great reading and is here
In case your wondering if your router is vulnerable you can find a list of effected models here, and you'd be surprised how many big-name manufacturers are there. I suppose not many people ever bother to patch their router and so a lot of this code is probably a decade old. I encourage you to get a Linux-based router and load it up with DD-WRT or one of the other many good open-source router firmwares (I use DD-WRT but have used Tomato in the past). It goes without saying they are not vulnerable and they add so much functionality that you'll kick yourself for not using them sooner. 

Steve Gibson did an excellent Security Now! podcast on the matter last week; 

Steve has also extended his Shields Up!! router test to check for the vulnerability.

No comments: