SmallNetBuilder Forums
#1 | 01-29-2013, 11:19 PM | sfx2000 (Very Senior Member, San Diego, CA)
UPnP Security Issues

From time to time, I do post items that may be of interest to the community...

Rapid7 (think Metasploit commercialized) has recently released a post/whitepaper on UPnP security concerns.

The "Portable UPNP SDK" is used in many Linux/BSD based devices, and depending on your configuration, you might be at risk. This may include Routers, SOHO WiFi Access Points, NAS Boxes, Network Media Players, etc...

Link here -- https://community.rapid7.com/communi...plug-dont-play

They also provide a tool that you (and the bad guys) can use to scan your internal network (and the bad guys to scan your WAN side).
#2 | 01-31-2013, 09:40 PM | sfx2000 (Very Senior Member, San Diego, CA)

This is starting to look like a very big deal - the error in the UPnP stack provided with the base Broadcom Board Support Package (which many OEMs skin for their brands) allows for root privilege escalation from the WAN side of the device.

I don't have the CVE handy right now - thing is, the fix needs to come from the OEM to resolve this high risk security issue - this is a bigger deal than the WPS issue I brought up a few months back.

Vendors that may be affected:
  • Broadcom
  • Linksys
  • Asus
  • Cisco
  • TP-Link
  • Zyxel
  • D-Link
  • Netgear
  • US Robotics

The vulnerability is located within the wanipc and wanppp modules of the Broadcom UPnP stack, which is used by manufacturers that deliver routers based on the Broadcom chipset.

A variety of routers have their UPnP interface available over the WAN interface, so the vulnerability can also be exploited over the Internet. It seems that, at the moment, the only popular UPnP implementation not hit by the remote preauth security vulnerability is MiniUPnP.

The remote preauth format string vulnerability in the Broadcom UPnP stack can be exploited to write arbitrary values to an arbitrary memory address, and also to remotely read router memory. When exploited, it allows an unauthenticated attacker to execute arbitrary code under the root account.

The vulnerability present in the SetConnectionType function of wanipc and wanppp modules can be reached with a single SOAP request that calls SetConnectionType function.

The format string vulnerability is present because the user input from the SOAP request is supplied as the format string argument to the snprintf() function in wanipc.c and wanppp.c. The vulnerable code lines are located in the following files:

/upnp/igd/wanipc.c:

/upnp/igd/wanppp.c:

More info can be found here:

http://www.net-security.org/secworld...et+Security%29
#3 | 01-31-2013, 10:22 PM | KevTech (Very Senior Member, United States)
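The pattern described in the post above, as an added example that is not code from the post, Rapid7, or Broadcom: the unsafe call (attacker-controlled string used as the snprintf() format) is kept only in a comment, and the handler below shows the hardened form: a fixed "%s" format, a rejection of any '%' in the input, and an allowlist of the values the argument may legitimately take. All function and variable names are hypothetical; the allowed NewConnectionType values are assumed from the UPnP IGD WANIPConnection service description. Sample inputs in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical storage for the connection type; deliberately small. */
#define CONN_TYPE_MAX 32
static char g_conn_type[CONN_TYPE_MAX];

/* Returns 1 if the untrusted string contains a '%', i.e. something that
 * would be interpreted as a directive if it ever reached a printf-family
 * format argument. Defence in depth on top of the allowlist below. */
int contains_format_directive(const char *s) {
    return strchr(s, '%') != NULL;
}

/* Allowlist for SetConnectionType's NewConnectionType argument.
 * Values assumed from the UPnP IGD WANIPConnection service spec. */
int is_allowed_connection_type(const char *s) {
    static const char *allowed[] = { "Unconfigured", "IP_Routed", "IP_Bridged" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(s, allowed[i]) == 0) return 1;
    return 0;
}

/* The bug pattern the post describes, kept as a comment only:
 *     snprintf(g_conn_type, sizeof g_conn_type, new_type);  // input IS the format
 * Hardened handler: validate first, then copy with a fixed format string.
 * Returns 0 on success, -1 if the input is rejected, -2 on truncation. */
int set_connection_type(const char *new_type) {
    if (new_type == NULL) return -1;
    if (contains_format_directive(new_type) || !is_allowed_connection_type(new_type))
        return -1;
    int n = snprintf(g_conn_type, sizeof g_conn_type, "%s", new_type);
    if (n < 0 || (size_t)n >= sizeof g_conn_type) {
        g_conn_type[0] = '\0';   /* never leave a half-written value behind */
        return -2;
    }
    return 0;
}

const char *get_connection_type(void) { return g_conn_type; }

int main(void) {
    /* Constructed sample inputs: one legitimate, one carrying directives. */
    printf("IP_Routed -> %d\n", set_connection_type("IP_Routed"));   /* 0  */
    printf("%%s%%s%%s  -> %d\n", set_connection_type("%s%s%s"));     /* -1 */
    printf("stored: %s\n", get_connection_type());
    return 0;
}
```

The two checks are intentionally redundant: the allowlist is what actually makes the handler safe, and the '%' check is a cheap guard that still holds if someone later widens the allowlist or adds a free-form field. Compiling with -Wformat-security would also have flagged the original pattern, since the format argument is not a literal.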

Maybe you should get out your tin foil hat.
#4 | 02-01-2013, 10:00 PM | sfx2000 (Very Senior Member, San Diego, CA)

Quote (originally posted by KevTech):
> Maybe you should get out your tin foil hat.

Uncontrolled root access on the WAN side of a SOHO router is not a tin-foil hat category issue... root access there gives bad guys access to everything on the LAN side.

And it's an easy enough fix.

sfx
#5 | 02-06-2013, 10:07 AM | Mat77 (Senior Member)

Here is a German site where you can test your UPnP:

http://www.heise.de/security/dienste...html?scanart=4
Tags: metasploit, security, upnp