Comments on: How does the UPnP flaw works

By: RK

RK — Mon, 03 Jul 2006 14:29:25 +0000

What if you just disable UPnP on the router? Wouldn’t this vulnerablity be closed? That is an option on some Linksys products…

By: armijn

armijn — Tue, 30 May 2006 00:15:00 +0000

True, it is a LAN only attack. But getting on a LAN, that’s what you’ve got KaZaA and friends for.
The fact that you can completely reconfigure the router in seconds to do stuff
you don’t want to (and which is often persistent in routers that store
the forwards in flash memory, so they will be saved when the router is rebooted) makes it
a lot scarier. Add in that these routers are nearly impossible to detect by a mere mortal…

By: WARPWRAP

WARPWRAP — Wed, 24 May 2006 00:56:45 +0000

As far as I understand, this is still possible from intranet only (LAN side)?Then, it is is not a big deal.

LAN users can cause a serious problems to wast major waste of routers, just because they’re capable to send 100Mbit huge dataflow and small device unable to deal with it.For example I found way to flood my D-Link 504T so aggressively with TCP connections request+DNS requests that it
1) stops to respond and
2) re-boots.
Defaults are used upon reboot Voila, I got root on router without root (admin) password knowledge.Just login with default admin\admin (root\admin) and control it as u wish.However this causes PPPoE password lost too so you’ll be unable to use internet channel at all… but at least this is heavy DoS for whole LAN.

P.S. there is fixed firmwares are existing, I was not able to flood unofficial fixed and improved firmware from McMcc but definitely you can expect more surprises in dozens of devices and firmwares.World getting complex and we all about to pay price for it.

By: TK

TK — Fri, 19 May 2006 18:53:29 +0000

Q: are there any reports of spyware out in the wild that use UPNP gateway device to operate a server?
A: not that I’m aware of.
Spyware collates statistics/histories then calls home, no need to run a server that requires port forwarding since the spyware home site has no way to know the current IP of the infected machines Dynamic IP’s etc.
Most effective solution to avoid Malware is not run WindowsNT based Operating systems they may have mediocre additional “security” measures but they are all badlt designed and badly coded and layered ontop of a badly thought out foundation

By: DivisionByZero WebLog»Blog Archive » UPnP kwetsbaar

DivisionByZero WebLog»Blog Archive » UPnP kwetsbaar — Thu, 18 May 2006 17:17:51 +0000

[...] Hier vindt je een artikel over deze zaak. Opmerking geheel terzijde: Heeft Microsoft dat protocol niet ontwikkeld? • • • [...]

By: I’ve NEVER liked UPNP…. now I have another reason….-- Avery J. Parker - Web site hosting and computer service

Thu, 18 May 2006 16:42:11 +0000

[...] Nice, simple, easy…. Or, what if you’re little firewall is happily cloaking traffic from one internet machine to another internet machine. (Maybe even LONG after your spyware infestation has been cleaned up.) Or, what if you’re companies hvac controls are upnp enabled? is it hot in here? There are some GOOD details at securityview.org on these Upnp vulnerabilties the core of it is that authentication may be in the standard, but it doesn’t appear to be used. [...]

By: Anonymous

Anonymous — Thu, 18 May 2006 16:29:34 +0000

On PnP, an interesting note. The US Robotics routers 8000A series ( of which there is the 8000A, 8000A-02, and the prefered 8000A-03 ) , the PnP is there to stay. There is no way to turn it off and it does alot of talking on a scheduled basis. On the router, the -03 is the one to have, different chip set and so on. BUT very hard to get this one by odering, since they seem to label the box and the tag on the box with 8000A..

//charlie//

By: SANS recommend disabling UPnP » The PC Doctor

SANS recommend disabling UPnP » The PC Doctor — Thu, 18 May 2006 15:07:34 +0000

[...] Details of this issue can be found on Securityview . Technorati Tags: UPnP, Universal Plug and Play Bookmark SANS recommend disabling UPnP at: [...]