[ale] nasty UPNP bug allows EXTERNAL hackers INTERNAL access

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Thu Feb 7 15:06:10 EST 2013


Hi all,

I wanted to let you know about a nasty bug in the UPNP implementation of 
millions of routers.  This could allow an external hacker free and open 
access to your internal network.  I think this mainly applies to home 
and small office routers, but this could apply to commercial ones as well.

UPNP stands for Universal Plug and Play.  It is a feature of almost all 
routers that is usually on by default.  It allows things INTERNAL to 
your network, like Xbox game systems, Skype, DVRs and other things to 
OPEN HOLES for incoming communications through your firewall, usually 
without your knowledge or permission, and sometimes without your ability 
to monitor or control it.  This is designed to allow gamers, for 
example, to instantly participate in network gaming without configuring 
the router.  It generally doesn't require authentication, and assumes 
anyone making a UPNP request from within your network is trustworthy.  
This, in itself, is somewhat of a security risk, and I've had UPNP 
turned off for years on my routers.  It's one of the first things I 
disable when I set up a router, since I have no need for it.

They discussed the new issue, which is much much worse, on the last two 
Security Now podcasts.

http://twit.tv/sn
http://twit.tv/show/security-now/389
https://www.youtube.com/watch?v=wEa43qM4JjQ#t=09m44s  (Youtube video of 
389.  Relevant part starts at 09:44.)
http://media.grc.com/sn/sn-389.mp3 - MP3 audio of 389.
http://twit.tv/show/security-now/390
http://www.grc.com/securitynow.htm  (Episode 390 hasn't been posted here 
yet, but should be shortly.)

UPNP was always intended to be used only on your INTERNAL LAN.  It was 
never intended to be exposed on the Internet on the WAN.  A group of 
security researchers at Rapid7 spent months last year using bots to 
probe EVERY routable IPv4 address on the Internet.  They sent UDP UPNP 
discovery packets to every address several times.  The results of the 
probes were both surprising and very disconcerting.

They found that 2.2% of ALL IPv4 routers exposed to the internet 
responded to UPNP discovery requests.  This corresponds to 81 MILLION 
routers.  This means that they are exposing the UPNP service to the 
EXTERNAL internet at large.  This is a MAJOR security flaw.  Of those, 
20%, or 16.2 MILLION are exposing their SOAP API to the EXTERNAL 
internet at large.

This means that a REMOTE cracker, just by sending a few UDP packets to 
your router's EXTERNAL address, can punch holes in your firewall and 
break into your INTERNAL LAN just as though he were your XBOX sitting in 
your house.  It requires no authentication or decryption on the 
cracker's part, and is trivially easy.

This is very bad news for the 81 million people, most of whom don't 
even know they are vulnerable.

For years, Steve Gibson has been operating the Shields Up service on his 
website.  It provides a way to scan your network from the outside to see 
if NetBIOS is being exposed, or if common TCP service ports are being 
exposed.  In light of these events, he has added testing for the UPNP 
vulnerability.

I would recommend that each person reading this make use of Steve's port 
scanner to test your router's external IPv4 address to determine if you 
are vulnerable to the UPNP attack vector.  Here's how.

Go to the Shields Up main page at: https://www.grc.com/x/ne.dll?bh0bkyd2

You will probably have to trust grc.com in NoScript, etc. for everything 
to work.  Read what it says there and click proceed.  Keep in mind, some 
of the verbiage is a decade old, but the site is still very useful.  The 
stuff related to UPNP is new.

Once you're on the second page, you will get to a screen with some menu 
buttons on it.

Click the orange GRC's Instant UPNP Exposure Test button.

His server will query the UPNP ports for your external IPv4 address.  It 
will then report back as to whether your router didn't respond at all 
(PREFERABLE), actively rejected the remote request (OK), or did respond 
to the UPNP discovery request (BAD).  The result page also contains 
verbiage explaining the results.

Note that a simple port scan, like from nmap, will not do the trick 
here.  First, you have to send the scan from outside your router, on the 
internet side.  Second, the UPNP discovery request is a specifically 
formatted UDP packet, not just a simple ping.  Since it's UDP, the 
source address can be spoofed by a cracker.

If your router is in the category that did respond, you are potentially 
vulnerable to attack.  At the very least, a cracker could find out that 
your UPNP service is listening on the WAN, and it will probably tell him 
which UPNP stack you have in its reply.  This may give him the info he 
needs to attack you.  If your router is among the 1 in 5 (of the 81 
million) that exposes its SOAP API to the WAN, you are vulnerable to 
immediate attack.  If your router responds to an external UPNP request, 
which it NEVER should, you should find a way to turn off that 
functionality and retest it.  If you cannot turn it off, you should 
discontinue using this router.

While you're there on the Shields Up page, you can select other buttons 
as follows:

File Sharing - tests to see if your router is exposing any NetBIOS file 
sharing ports to the WAN.
Common Ports - tests to see if certain commonly used TCP service ports 
are listening on the WAN.
All Service Ports - tests to see if the first 1056 TCP service ports are 
listening on the WAN.
User Specified Custom Port Probe - used to test a specific TCP port 
number after entering it into the blank.
Lookup Specific Port Information - used to lookup data about what 
certain port numbers are commonly used for.

Here are other resources that Steve provides relative to the UPNP 
problem so you can research it:

https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
http://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdf
http://www.upnp-hacks.org/upnp.html
http://toor.do/upnp.html
http://www.h-online.com/security/news/item/Millions-of-devices-vulnerable-via-UPnP-Update-1794032.html

I recommend that you test your internet facing IPv4 addresses for UPNP 
vulnerability immediately.  If your router responds to the external UPNP 
inquiry, I suggest turning off UPNP from its control panel and 
retesting.  If it still responds, consider upgrading the firmware and 
retesting, or removing and replacing the router.

I hope you find this information useful.

Sincerely,

Ron


-- 

(To whom it may concern.  My email address has changed.  Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address.  Please send all personal correspondence to the new address.)

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
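Added example (not from Ron's post, GRC or Rapid7) illustrating two points above: the discovery probe is "a specifically formatted UDP packet, not just a simple ping" (an HTTP-style M-SEARCH sent to UDP port 1900), and a router that answers discloses which UPnP stack it runs in the reply's SERVER header, which is what makes the three Shields Up outcomes (no response, rejected, responded) meaningful. The code does no network I/O; the sample reply, its SERVER string and its address are constructed.

```python
# Added example (not from the post, GRC or Rapid7): the UPnP discovery
# request is an HTTP-style M-SEARCH over UDP/1900, and any reply discloses
# the device's UPnP stack in its SERVER header. No network I/O here; the
# sample reply is constructed.
from typing import Optional

SSDP_PORT = 1900                  # SSDP/UPnP discovery port
SSDP_MCAST = "239.255.255.250"    # LAN multicast group UPnP was designed for


def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """The 'specifically formatted UDP packet': CRLF-terminated HTTP-like text."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_reply(raw: bytes) -> dict:
    """Split a discovery reply into its status line and lower-cased headers."""
    head = raw.decode("ascii", errors="replace").partition("\r\n\r\n")[0]
    status, *header_lines = head.split("\r\n")
    headers = {"_status": status}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_wan_probe(reply: Optional[bytes], rejected: bool = False) -> str:
    """The three outcomes the post lists: silence (PREFERABLE), an ICMP
    rejection (OK), or an SSDP reply, which means UPnP is reachable from
    the WAN (BAD) and names the stack an outsider would see."""
    if reply is not None:
        server = parse_ssdp_reply(reply).get("server", "unknown")
        return f"BAD: responded, stack disclosed as {server!r}"
    return "OK: actively rejected" if rejected else "PREFERABLE: no response"


# Constructed sample reply; the SERVER string and address are made up.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/0.9\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"\r\n"
)
```

Running `classify_wan_probe(SAMPLE_REPLY)` yields the BAD verdict with the stack string; a router that should never answer on the WAN is expected to produce `classify_wan_probe(None)` instead.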


