Remote UPnP Scanner Puts Home Routers at Risk of Abuse

By on August 25th, 2011 14:29 GMT

Security specialist Daniel Garcia has released a tool that is capable of launching attacks against home networking devices that support Universal Plug and Play (UPnP) on their WAN interfaces.

Garcia revealed at this year's edition of the DEF CON security conference that entire series of routers, cable modems and other networking devices from big manufacturers are vulnerable to UPnP attacks over the Internet.

The Universal Plug and Play technology was developed by Microsoft in 1999 as a solution for automated NAT traversal.

It allows applications to discover network gateways automatically and ask them to forward traffic on special ports back to the computers they are running on.

Until then users trying to make their LAN computers discoverable on the Internet over certain protocols had to manually set up port forwarding rules, a task that is not very straight-forward.

Garcia found that many home networking devices allow UPnP requests to be received on the WAN (Internet) interface, despite this technology having been primarily designed for LAN use.

However, unlike LAN environments where multicast is used, the WAN UPnP traffic uses exact URLs and ports hard-coded into each device. These are all built into the Umap scanning tool created and freely distributed by Garcia.

According to H Security, the IT specialist claims to have identified over 150,000 potentially vulnerable devices in a short period of time by using Umap. The scanner is also capable of sending requests containing AddPortMapping or DeletePortMapping commands to the exposed UPnP interfaces.

To do something meaningful with this, the attacker must guess the LAN IP of a targeted device, something which Umap attempt to do on its own by using known default settings. Using this method an attacker could, for example, open a route from the Internet to an internal unprotected FTP server or other services.

Another abuse technique is to setting up a SOCKSv4 proxy service that automatically maps requests through the UPnP devices. This can help attackers hide their IP addresses when performing illegal activities.

The only methods of protection for users is to disable WAN UPnP access if this is possible from the router's administration interface, or to replace the device with one that doesn't have this feature.

1 Comment