

UPnP combined with Flash may provide a way of attacking computers
Tuesday 15 January 2008 12:09:16 by Andrew Ferguson

No security system is ever foolproof but we can do our best to make it hard for those who wish to gain unauthorised access to our networks. In this vein GNUCitizen.org has issued a warning about how Flash on any operating system that supports a reasonably recent version can access UPnP enabled routers or other UPnP enabled devices and cause potential trouble.

The short version is that the best thing to do is turn off UPnP (Universal Plug and Play) on your router. Normally this is done via the router's web interface, although the exact method will vary according to the router. For those not sure what to do, our own home networking forum section is a good place to seek assistance.

The original discussion thread may be too technical for many, and includes a proof of concept demonstration. An easier-to-follow FAQ for this Flash UPnP attack has also been written.

Many websites use Flash, and this attack does not rely on any holes in Flash. Instead, someone crafts Flash code that accesses a UPnP device and, once they have control of it, tells the router or other device to carry out some deviant activity. The sorts of things that may be possible are:

  • Setting up port redirections to make holes in a router's firewall, exposing computers on the local network.
  • Intercepting or redirecting DNS requests to alternate sites which phish for usernames and passwords, online banking websites being the most obvious target.
  • Reconfiguring a router, breaking the broadband connection or opening a Wi-Fi connection.

This problem with UPnP arises because it does not have an authentication procedure built into the protocol, so disabling it completely seems to be the only sure-fire solution. Disabling UPnP can lead to some software applications not working fully, e.g. audio/video conferencing in MSN Messenger; sometimes workarounds like manually configuring port forwarding in a router can fix applications that would otherwise use UPnP. One other option would be to disable Flash on your computers, but with many websites using Flash for legitimate reasons you may break the functionality of many websites you regularly visit, not to mention that it may be possible to cause problems using other plug-ins in the first place.

Comments

Posted by herdwick over 7 years ago
uPnP has been a security vulnerability from the day it was born, so I'm not surprised by this. Microsoft say "The initial implementation of UPnP technology in Windows XP, however, had some security vulnerabilities" and since then I've defaulted it to off.
Posted by KarlAustin over 7 years ago
Whoever thought it was a good idea to provide no authentication, wants taking out and publicly flogging.
Posted by andrew (staff member) over 7 years ago
It should be pointed out that the vulnerability does not rely on having UPnP running on the host computer.

So any problems with the Windows XP implementation are immaterial in this case, i.e. it is just as possible with Flash under OSX
Posted by greedy4 over 7 years ago
or indeed a mobile phone, if you use your home wifi connection with your phone.
Posted by jchamier over 7 years ago
Have to measure the risk. Quote "sometimes workarounds like manually configuring port forwarding in a router can fix applications that would otherwise use UPnP"

And opening an inbound NAT rule on your home router/firewall is a lot less secure than letting UPnP open the port for the few minutes it's needed and close again automatically.

Technology like UPnP is seriously needed. Flash needs to be fixed fast - where's the update?

Does running IE7 Protected Mode in Vista (with UAC on) prevent this?

Posted by andrew (staff member) over 7 years ago
"Does running IE7 Protected Mode in Vista (with UAC on) prevent this?" Only if this mode prevents Flash from running.

The problem is not Flash, this is just a vehicle for the vulnerability. Any exe on the computer could carry out this attack, including linux.

Whether mapping a port that is known and is for a specific application is more of a risk than UPnP is open to debate. So long as the application the port is mapped to is secure and has no exploits you are fine.

UPnP is needed, but it seems the need for security which many have called for before is back on the table.
Posted by herdwick over 7 years ago
for clarification I meant I default to turning UPnP off on routers.

Is UPnP needed? Not really. Putting holes in firewalls should be a conscious action by a human to avoid exposure to risks like this.
Posted by Dawn_Falcon over 7 years ago
UPnP is used by a large range of apps today, and having permanent holes in your firewall is a bigger risk. (Some routers offer security features for UPnP connections including refusing requests from certain apps like browsers, but it's not authentication as such.)

Flash's multiple security flaws and other issues mean you should have it disabled anyway.
Posted by CARPETBURN over 7 years ago
I tried about 2 months back telling a handful of idiots in the forums UPnP was a nasty unsecure pile of poop... http://bbs.adslguide.org.uk/showflat.php?Cat=&Board=ukonline&Number=3174625&page=&view=&sb=&o=&vc=1
Of course they argued... Guess who is grinning now.
Posted by lierobs over 7 years ago
Hope it makes you feel all warm inside... :)

Like the guy said, no system is foolproof and it's down to what risks you're willing to take and how prepared you consider your system is at dealing with any threats. Obviously no matter what you do you'll still be vulnerable. I'll probably keep using my UPnP anyway - breaks most of the time anyway :(
Posted by AndrueC over 7 years ago
Yeah the alternative is to not use certain apps or to have holes permanently open. Tbh I'm not sure that UPnP is that big an issue if you have a firewall on each machine, keep your AV defense up to date and run as a limited user.

The fact that any application can do something naughty to your firewall is overlooking the harm that kind of application can do on the PC it runs on.
Posted by AndrueC over 7 years ago
...and other machines on the network. You don't need UPnP to wreak havoc on a local network. Once you've downloaded bad software all bets are off anyway.

All that a UPnP attack does is make machines vulnerable to port-based overrun attacks from outside. If you've already downloaded the bad software it's too late.

UPnP is an issue..but not (IMO) such that it should be banned and dropped automatically.
Posted by Jerusahat over 7 years ago
Most home users won't be running many applications that listen to ports. The biggest problems are changing the router DNS, forwarding ports to external addresses, and hijacking the router admin account.

Browsers, email and RSS apps shouldn't generally require access to the local network, so blocking this via an application-layer firewall can help reduce the danger.
Posted by AndrueC over 7 years ago
@Jer: I'm not so sure about that. Windows Live Messenger uses half a dozen (at least) ports. P2P uses one. I'm not sure that the majority are listening but I think it's fair to say that a significant number of people are.

I still think UPnP is a secondary attack vector. Once you're in the position to attack a router you can already do most of what you might want.

Bouncing packets off the router by redirecting is about the only real plus of UPnP and I don't know how many routers can actually do that.
Posted by JDPower over 7 years ago
"...has issued a warning about how Flash on any operating system that supports a reasonably recent version.."
So an up to date Flash version is not vulnerable to this???
Posted by Pixie7 over 7 years ago
I have a Belkin Wireless router which ships with UPnP disabled, Skype and Windows Live Messenger work with no problems. I've used this router for 4 years and have never experienced any problems with UPnP. It has to be stressed that the vulnerability lies within the router settings not Flash or whatever browser you use.
Posted by oliver341 over 7 years ago
The most potentially serious problem mentioned here is the ability for router DNS settings to be changed by UPnP. However, I have verified that my router (Netgear DG834) will not allow DNS settings to be altered by UPnP, and I would hazard a guess that most do not. I've written more about this in the comments section at http://www.gnucitizen.org/blog/hacking-the-interwebs