
UPnP Security Issues

Discussion in 'General Network Security' started by sfx2000, Jan 29, 2013.

  1. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    7,614
    Location:
    San Diego, CA
    From time to time, I do post items that may be of interest to the community...

    Rapid7 (think Metasploit commercialized) has recently released a post/whitepaper on UPnP security concerns.

    The "Portable UPNP SDK" is used in many Linux/BSD based devices, and depending on your configuration, you might be at risk. This may include Routers, SOHO WiFi Access Points, NAS Boxes, Network Media Players, etc...

    Link here -- https://community.rapid7.com/commun...s-in-universal-plug-and-play-unplug-dont-play

    They also provide a tool that you (and the bad guys) can use to scan your internal network (and the bad guys to scan your WAN side).
     
  2. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    7,614
    Location:
    San Diego, CA
    This is starting to look like a very big deal - the error in the UPnP stack provided with the base Broadcom Board Support Package - which many OEMs skin for their brands - this bug allows for root privilege escalation from the WAN side of the device.

    I don't have the CVE handy right now - thing is, the fix needs to come from the OEM to resolve this high risk security issue - this is a bigger deal than the WPS issue I brought up a few months back.

    Vendors that may be affected:

    • Broadcom
    • Linksys
    • Asus
    • Cisco
    • TP-Link
    • Zyxel
    • D-Link
    • Netgear
    • US Robotics

    The vulnerability is located within the wanipc and wanppp modules of the Broadcom UPnP stack, which is used by manufacturers that deliver routers based on the Broadcom chipset.

    A variety of routers have their UPnP interface available over the WAN interface, so the vulnerability can also be exploited over the Internet. It seems that, at the moment, the only popular UPnP implementation not hit by the remote preauth security vulnerability is MiniUPnP.

    The remote preauth format string vulnerability in the Broadcom UPnP stack can be exploited to write arbitrary values to an arbitrary memory address, and also to remotely read router memory. When exploited, it allows an unauthenticated attacker to execute arbitrary code under the root account.

    The vulnerability present in the SetConnectionType function of wanipc and wanppp modules can be reached with a single SOAP request that calls SetConnectionType function.

    The format string vulnerability is present because the user-input from the SOAP request is supplied as a format string argument to the snprintf() function in wanipc.c and wanppp.c. The vulnerable code lines are located in the following files:

    /upnp/igd/wanipc.c:

    /upnp/igd/wanppp.c:

    More info can be found here:

    http://www.net-security.org/secworl...ign=Feed:+HelpNetSecurity+(Help+Net+Security)
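    The defect class the quoted text describes, as an added illustration that is not the Broadcom code or anything from the article: a constructed SetConnectionType handler in the defective form (request text used as the snprintf format), the corrected form (literal "%s" format), and an allow-list check on NewConnectionType; the allowed values are assumed from the WANIPConnection:1 spec.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a handler that receives the NewConnectionType
 * argument of a SetConnectionType SOAP action. Not the Broadcom code. */

/* Defective pattern described in the thread: the request text is passed as
 * the format string itself, so any '%' directives in it are interpreted. */
int set_connection_type_unsafe(char *out, size_t outlen, const char *conn_type)
{
    return snprintf(out, outlen, conn_type);
}

/* Hardened pattern: the format is a literal and the request text is only
 * consumed by "%s", so '%' in the input is copied, never interpreted. */
int set_connection_type_safe(char *out, size_t outlen, const char *conn_type)
{
    return snprintf(out, outlen, "%s", conn_type);
}

/* Second layer: reject anything that is not one of the values the
 * WANIPConnection:1 spec allows, before it reaches any string handling.
 * (Value list assumed from the spec; WANPPPConnection has its own list.) */
int valid_connection_type(const char *conn_type)
{
    static const char *const allowed[] = { "Unconfigured", "IP_Routed", "IP_Bridged" };
    size_t i;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(conn_type, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Runs one handler on a request value and reports whether what it stored
 * matches the expected text. Used to compare the two handlers. */
int handler_stores(int (*handler)(char *, size_t, const char *),
                   const char *request, const char *expected)
{
    char buf[64];
    handler(buf, sizeof buf, request);
    return strcmp(buf, expected) == 0;
}
```

    With a constructed value such as "IP_Routed%%", the unsafe handler stores "IP_Routed%" (the directive was consumed) while the safe one stores the text literally; building with gcc -Wformat-security flags the unsafe call as "format not a string literal", which is a cheap way to audit firmware sources for the same pattern.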
     
  3. KevTech

    KevTech Very Senior Member

    Joined:
    Feb 27, 2012
    Messages:
    502
    Location:
    United States
    Maybe you should get out your tin foil hat.
     
  4. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    7,614
    Location:
    San Diego, CA
    Uncontrolled Root Access on the WAN side of a SOHO router is not a tin-foil hat category issue... root access there gives bad guys access to everything on the LAN side.

    And it's an easy enough fix.

    sfx
     
  5. Mat77

    Mat77 Regular Contributor

    Joined:
    Feb 2, 2013
    Messages:
    141
