1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

New Upnp exploit affecting most Asus routers - "UPNproxy: Blackhat Proxies via NAT Injections"

Discussion in 'ASUSWRT - Official' started by o-l-a-v, Apr 12, 2018.

  1. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    Of course it effects the WAN, that's whole point of it. Just like the other settings on that page.

    "...the router's UPnP service can only be controlled from a device on the LAN..."
     
  2. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,019
    Location:
    Canada
    It's in the WAN settings just like the other port forward and port trigger settings because its goal is to open a port to the WAN interface.
     
    st1ngy likes this.
  3. st1ngy

    st1ngy New Around Here

    Joined:
    Apr 13, 2018
    Messages:
    3
    Thanks for the simple explanation. But I must be missing something because that seems contrary to what you said about Asus not exposing UPnP ports to WAN. Maybe it's just the terminology that's got me confused.
     
    Last edited: Apr 13, 2018
  4. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    145
    Location:
    Vero Beach, FL
    TM-AC1900 was updated for Krack attack in Dec. 2017. Asus may or may not have included all known security fixes. No announcement was made.
     
  5. KevTech

    KevTech Very Senior Member

    Joined:
    Feb 27, 2012
    Messages:
    761
    Location:
    United States
    In case anyone wants to test this you can go here: https://www.grc.com/x/ne.dll?bh0bkyd2

    Click on Proceed then when the next page loads click on GRC's Instant UPnP Exposure Test

    I have UPnP enabled in the router and get this result.

    Capture.JPG
     
    Flying Dutchman likes this.
  6. Ronald Schwerer

    Ronald Schwerer Senior Member

    Joined:
    Jan 8, 2017
    Messages:
    347
    Watching the Security Now video from that link (which was from 2013), Steve Gibson mentioned ISPs should block UDP port 1900 and that would solve the problem. So without knowing whether it is blocked at a higher level, that test might not indicate that the router itself is safe. Of course, in practical terms it doesn't matter who blocked it.
     
  7. huygens_25

    huygens_25 Occasional Visitor

    Joined:
    Apr 16, 2015
    Messages:
    18
    Hi RMerlin,

    From reading their (Akamai) paper, I think they need that the Router (e.g. a vulnerable ASUS router) has already at least a UPnP service active (potentially several). So imagine, one has launched an application on your computer on the LAN (e.g. a video conferencing tool or game for which the exploit could work, it seems that not all UPnp opened port can be exploited), that application has opened a port on the router using UPnP.

    Then the attacker just need to scan the router WAN interface, it will detect the opened port, and it seems it can then craft a SSDP probe toward this port or send a specially craft HTTP URL using the `Location: ` header. If the UPnP port is "vulnerable", it can then be exploited to open other UPnP port from the remote WAN interface.

    For the attack to work, you need a vulnerable router where UPnP is activated. Then you also need to have an application on your LAN requiring UPnP and which is currently running (so has probably opened the port), and that port needs to be exploitable (it is not clear from the article which are vulnerable but potentially UDP opened port cannot be exploited using crafted HTTP, or TCP opened port cannot be used for SSDP probes, etc.) and they are I guess other factors which could prevent the exploitation. I agree that my description is still vague but the current document is not particularly clear on how this can be exploited (for good reasons in a way).

    But anyway, while waiting for Asus to provide a patch, better disable UPnP (if you know how to configure Port Forwarding, and application can have a fixed port defined, then usually you can avoid UPnP all together).
     
  8. eddiez

    eddiez Senior Member

    Joined:
    Jun 29, 2015
    Messages:
    466
    Location:
    Netherlands
    So what 'patch' should Asus provide? There are so many 'ifs' in your statement...You are referring to potential firmware vulnerabilities that are pre 378.x ... I've read the article and can not find why the mentioned routers are vulnerable with the current firmware...

    Verstuurd vanaf mijn SM-G965F met Tapatalk
     
  9. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    @huygens_25 I thought you might be onto something there... but no.

    To me the entire vulnerability is built on the ability to do an unsolicited SSDP probe from the WAN side (page 2, "The Basics"; page 14, "How to Fix It"). Akamai claim they built their list of vulnerable routers from the "leaky TCP daemons" on "devices that we could positively identify". Given the size and credibility of a company like Akamai their claim shouldn't be taken lightly.

    The other thing that is suspicious (as @eddiez alluded to) is that all of the Asus routers listed are old models. There are no models listed that were released in the last few years.

    To check whether my router (see my sig.) was vulnerable I did a little test. We know SSDP takes place over UDP port 1900. I did an SSDP query to my UPnP server and it responded saying that it was listening on port 60568 (Akamai's example was listening on port 52869). Doing a netstat on my router confirmed this to be the case, but also it appeared to be listening on all interfaces :eek:.
    Code:
    # netstat -an | grep -E "1900|60568"
    tcp        0      0 0.0.0.0:60568           0.0.0.0:*               LISTEN
    udp        0      0 0.0.0.0:1900            0.0.0.0:*
    However, doing a port scan on my router from the internet shows that those ports are not open and do not respond :confused:.

    So it would appear that although miniupnpd binds to all network interfaces it doesn't necessarily respond to all of them (listening_ip=br0 in the config file). Which is a good thing. So given that newer routers, and by implication firmware's, don't appear to be vulnerable I'm wondering whether this was actually an old bug in miniupnpd rather than an implementation error by Asus. Looking in the changelog for miniupnpd we see things like this:
    Code:
    2017/05/24:
    get SSDP packet receiving interface index and use it to check if the
      packet is from a LAN
    Anyway, that's my thoughts on it at the moment.
     
    Last edited: Apr 23, 2018
    eddiez likes this.
  10. huygens_25

    huygens_25 Occasional Visitor

    Joined:
    Apr 16, 2015
    Messages:
    18
    I wanted to do also some real test on my ASUS RT-AC68U which is part of the marked vulnerable routers. And before I finally found where the UPnP option was (I know I had deactivated it, so I needed to reactivate it to test it) I found out that:

    1. Asus activated DDNS without me configuring it in the first place!! I'm quite pissed, it is like being tracked without consent, btw Asus the GRDP is coming here in EU, so please ask consent before doing such a thing because by storing and matching ma IP address to simething, you are using my personal data! I never agreed to that!
    2. Even more grave, they "**##**" (censured by myself) activated the remote web access without my consent!!! That's a no go. I was looking to replace my router by a new model, that the drop that will make sure I don't buy Asus. I was happy with that model and I'd been recommending Asus for router around, I no longer will do so!!! Remote web access is an absolute NO GO Asus!

    Anyway, back to the main subject, my UPnP server is running on yet another port but also listening on all interfaces. This is not such a problem because the firewall is blocking access to it. I have currently nmap running it should finish in 30min but I need to take care of the family now. I will report further results later today.
     
  11. OzarkEdge

    OzarkEdge Very Senior Member

    Joined:
    Feb 14, 2018
    Messages:
    1,545
    Location:
    USA
    1,2. Agreed. You probably used the ASUS Router app, so you will likely want to uninstall that app from your Android/IOS device. I certainly did.

    OE
     
    umarmung and Vexira like this.
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,267
    Location:
    UK
    It'll be interesting to see what you discover. I just tried turning off the firewall on my router (note that this restarts miniupnpd so the port number changes) and the UPnP ports were still not accessible from the internet.
     
  13. huygens_25

    huygens_25 Occasional Visitor

    Joined:
    Apr 16, 2015
    Messages:
    18
    I'm wondering if - as you suggested/implied - non-patch older Asus router (so running a default older firmware) would be the only one affected. Asuswrt in its latest release seems to have a recent version of miniupnp, at least it should have the fix you mentioned.

    Nmap is reporting for the WAN interface no other ports on TCP or UDP than those which I explicitely allowed. So the TCP and UDP port for miniupnp are not exposed on the WAN even if UPnP is activated and miniupnp is listening on both interface. On the LAN side I can certainly send probe to the UDP port 1900 and get the information on the TCP port and many information about the router, etc. But not really newsworthy anyway, on the LAN side if you have UPnP you can do many things already by design, and by scanning port you can learn a lot about the router information even without UPnP.

    I have tried to launch some applications on my LAN which make use of UPnP. As I had explicitely activated UPnP on the router, I could see new ports being opened on the WAN interface, all expected behaviour. Then I've been trying to send SSDP probes to these port on the WAN interface (and trying to trick any listener by using the "Host" multicast address), none of my attempts worked. It does not mean the problem isn't there. There is not enough details in the current report from Akamai so that I can understand exactly what is required in order to have a successful SSDP probe over the WAN.

    At least on Asuswrt it is possible to control which UPnP port are being forwarded. Under "System Log" -> "Port Forwarding" are listed all "static" port forwarding rules as well as "dynamic" (set via UPnP) ones. They are not distinguished from one another, but one can see the list and check if one seems odd.

    tl;dr;
    it is too early to understand exactly how the Asus router are vulnerable and which firmware release or particular configuration are vulnerable. We need to wait for more detailed information.