Security Flaws in Universal Plug and Play: Unplug, Don't Play

Paul_Heery · Paul_Heery's Garage

I have been following some of the recent exploits of UPnP for a couple of weeks now. The script kiddies have found easy ways of taking advantage of the vulns. They have realized that they can p0wn your Internet connection and possibly everything behind the router as well. Then, I saw this report that was released yesterday. The stats are amazing and scary.

We have all learned over the years to protect ourselves from malware and viruses. But, most people will install a home router and not think about it because they tend to just work. I have found that a high percentage of consumer-grade routers have UPnP enabled by default.

Take a couple of minutes and read this link.
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
There is also a link to a Windows tool in the article that helps you to identify if you are vulnerable. There are also instructions for using Metasploit for Mac and Linux users. I recommend that you scan your devices whether they be something you purchased or something that your ISP has provided. (there are reports of some Verizon FIOS devices being vulnerable).

If you run the scan and it reports that your equipment is vulnerable, don't panic. First, disable UPnP on your device. Then check with the vendor to see if they have any firmware updates for your device.

stealthn · 01-30-2013, 05:40 AM

I saw that report too and surprised it was news. Since UPnP was cerated it was always exploitable. I guess the surprising thing is these vendors are allowing it on the WAN/internet interface....

widebody911 · widebody911's Garage

I tried to run the scanner provided in the link, and I got an error "Registration Servers cannot be reached"

GH85Carrera · GH85Carrera's Garage

Quote:

Originally Posted by widebody911

I tried to run the scanner provided in the link, and I got an error "Registration Servers cannot be reached"

When I got to the point I HAD to give them my name, address, job title and email I said screw it. I don't need more junk mail for trying to run a FREE utility.

Aragorn · 01-30-2013, 09:16 AM

What does all this mean in english? Is this a setting on the wifi router that needs turned off? I am leary of running a third party app on my computer that tells me I have security flaws.

onewhippedpuppy · 01-30-2013, 10:47 AM

Quote:

Originally Posted by Aragorn

What does all this mean in english? Is this a setting on the wifi router that needs turned off? I am leary of running a third party app on my computer that tells me I have security flaws.

+1 Can someone interpret the IT speak for the simpletons?

widebody911 · widebody911's Garage

Quote:

Originally Posted by onewhippedpuppy

+1 Can someone interpret the IT speak for the simpletons?

Basically devices which utilize UPnP to make installation and configuration easier of network devices (ie routers, cameras, etc) for the end user also contain security deficiencies which make them easy to exploit.

At face value, this ScanNow tool from rapid7.com appears to be a thinly-veiled collector for sales leads and marketing data.

Scott R · Scott R's Garage

My external router has upnp disabled, on my internal switch it's available. Upnp and most other types of traffic can't leave the DMZ to get to the broadband router.

RWebb · RWebb's Garage

go to Tools or setup or similar after you log in to your router

your router will be at 128.168.1.1 or similar - plug that into your browser

Brando · Brando's Garage

I've always disabled UPnP on my hardware and computers as early as possible. Exploits for UPnP have been around as long as UPnP has been around. Must have been implemented by the same guys who thought ActiveX controls with no security controls were a great idea.

slodave · slodave's Garage

Quote:

your router will be at 128.168.1.1 or similar - plug that into your browser

Correction - 192.168.1.1

widebody911 · widebody911's Garage

The simplest solution is to redirect all traffic to 127.0.0.1

GH85Carrera · GH85Carrera's Garage

Quote:

Originally Posted by slodave

Correction - 192.168.1.1

Mine is 10.0.1.1

Scott R · Scott R's Garage

Quote:

Originally Posted by GH85Carrera

Mine is 10.0.1.1

It's generally whatever your gateway is set to. In Windows you can open a command prompt and type "ipconfig /all" and get that. On MAC you can go to a terminal window and use "netstat -nr"

red-beard · red-beard's Garage

That scan software requires JAVA to be installed. Nope....

slodave · slodave's Garage

Quote:

Quote de slodave

Correction - 192.168.1.1

Mine is 10.0.1.1

That may be.

But the first octet that Randy posted is wrong.

RWebb · RWebb's Garage

yes, 192.168....

thx Dave

Radioactive · 01-31-2013, 01:07 AM

You think UPnP is bad ............. Verizon installs WEP by default on all there FIOS installs

GH85Carrera · GH85Carrera's Garage

Quote:

Originally Posted by slodave

That may be.

But the first octet that Randy posted is wrong.

My router was at the standard 192.168.1.1 for years. One day the internet did not work. I shut down the cable modem and router and computer. Restart and all of a sudden I am at the new IP. I guess my cable provider changed their system.