
Disable Upnp on your firewall now!


9 replies to this topic

#1 Allen


Posted 05 February 2013 - 09:07 PM

Last week security researcher HD Moore unveiled his latest paper "Unplug. Don't Play," which looked into vulnerabilities in popular Universal Plug and Play (UPnP) implementations.


An exploit in UPnP can make it easier for malware to get past your firewall.


Read more

Edited by firemaster1337, 05 February 2013 - 09:09 PM.

Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.



#2 Layback Bear


Posted 12 February 2013 - 11:29 PM

These might be of some help.

 

http://news.cnet.com/8301-1009_3-57566366-83/upnp-networking-flaw-puts-millions-of-pcs-at-risk/

 

http://upnp-check.rapid7.com/

 

https://www.grc.com/x/ne.dll?bh0bkyd2



#3 Elise


Posted 17 February 2013 - 11:04 AM

Often you'll be able to disable/enable UPnP through your router as well (a lot simpler than finding the correct setting in a firewall usually).

On my routers this is what it looks like:
[Image: upnp.png]

[Image: upnp2.png]

It really is a bit of guessing where you'll find the option (on the first router it's under Advanced > UPnP, on the second under Forwarding > UPnP).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#4 James Litten


Posted 17 February 2013 - 07:36 PM

Am I understanding this problem correctly?

There are various ways to use uPnP. I use uPnP like this. Here are two examples...

1. I plug in a new Xbox360 into my home network. uPnP is used to automatically punch holes through my router for the Xbox to use the ports that it uses to talk to XboxLive on the net. I see this as new Port Forwarding rules that were automatically added to my router.

2. I install Skype on a computer. uPnP is used to automatically punch holes through my router for Skype to use the ports that it uses to talk on the net. I see this as new Port Forwarding rules that were automatically added to my router.

Being a person who regularly checks my router settings, I know this happens but most people don't know this.

It used to be much more difficult back when manufacturers and software had to provide support and instructions to consumers telling them how to manually forward the ports on their routers. uPnP made it standardized and automatic.

Now this report comes out and I think it says that many routers have a flaw where they can be told to punch open holes in the routers by computers and devices OUTSIDE of their local network instead of just from devices INSIDE the network.

Is that what this alert is about?
Do some routers allow uPnP to change the router's port forwarding settings from OUTSIDE the network? Like from anywhere on the internet? As opposed to being able to change the settings ONLY from inside the network (you add a device or install software on your home network)?

I'm a little confused about this and would be shocked if this is what was happening.

 

James



#5 jhayz


Posted 18 February 2013 - 01:05 AM

What about the Windows service UPnP Device Host? Is it a target of only the router's specific intermediate function on connecting devices?


Tekken
 


#6 Elise


Posted 18 February 2013 - 02:57 AM

James, are you sure Skype uses the router's UPnP function? I have UPnP turned off as a rule (the "if I don't use it, I disable it" rule :wink:) and use Skype daily. Never had any issue.

 

> Is that what this alert is about?
> Do some routers allow uPnP to change the router's port forwarding settings from OUTSIDE the network? Like from anywhere on the internet? As opposed to being able to change the settings ONLY from inside the network (you add a device or install software on your home network)?

It sounds like that is what they are warning for. From the CNet article:

 

> Over 80 million unique IPs were identified that responded to UPnP discovery requests from the Internet due to the "misconfiguration" of the UPnP SSDP discovery service across thousands of products. Over 73 percent of all UPnP instances discovered through SSDP were derived from only four software development kits.

 

It's easy to check your computer's settings at the GRC site (Shields Up), which now has a separate UPnP test (link is in the first post of this topic).

When I have some time later today I'll just enable UPnP, run the test and see if I can figure out what exactly they are testing, that should shed some light on the possible vulnerability. :)


regards, Elise




#7 James Litten


Posted 18 February 2013 - 10:17 AM

Yeah, I'm pretty sure about Skype since I see Port Forwarding rules appear on the router for all devices it is installed on (tablets, laptops, desktops).

 

If it did not do that when I installed Skype, I'm pretty sure that I would have to manually configure the port forwarding in order for it to work (maybe there is another way that I do not know). It only needs to do it once. During setup or I guess during first use on a new network as I do see rules for devices that people visiting me have used on my home network. After the port forwarding is set it doesn't need uPnP anymore to use the software. After that the hole is there so Skype can run without using uPnP after that.


Here is one of the Port Forwarding rules it added when Skype was installed on a laptop on my home network...


[Image: portF.jpg]

 

Another sort of scary thing that I found while trying to figure out what this uPnP alert means is that on many routers people are saying that selecting to turn off uPnP does not really turn it off as much as you think it would. I don't know if there is any truth to that but it seemed to be an issue that kept coming up in threads that I found.

 

My understanding is that SSDP in my examples is used upon installation of a new device or software to see if there are any gateways between it and the internet. If it discovers any then uPnP is used to set the necessary port forwarding rules.

The problem here looks like they used SSDP in a backwards manner and were able to find routers that respond to it from the outside and then using vulnerabilities in uPnP (it is not very hard to trick) act like a device inside the network. Or even worse, it does not need to use vulnerabilities and just uses uPnP to get the list of commands and is able to execute them as if it were a device on the inside of the network.

 

I can think of a lot of naughty ways to ruin a person's day if I had that kind of access to their network from the internet :(

 

James



#8 spc3rd


Posted 22 February 2013 - 07:40 PM

Good evening everyone,

 

     From what I am reading here, and at some of the links provided in the posts, it seems this issue with uPnP is directed towards computer users who have a router.  My computer does not have a router, just a modem, and is the sole computer in the house - not on any network.  Could someone please enlighten me as to what someone in my case should do, if anything?

 

Thank you for your time and any feedback!


spc3rd

Dell Optiplex 755 Desktop | Win 7 Pro, SP 1, 64-bit | Intel Core 2 Duo, 3.00 gHz CPU | 8 GB RAM | 400 GB Seagate SATA HDD | Outpost Security Suite Pro | MBAM Premium 2.0 | Spywareblaster | SAS (on-demand) | Blocklist Pro | IE 11 & FF w/ NoScript | Disconnect | Adblock Plus | Flagfox


#9 lti


Posted 23 February 2013 - 11:17 AM

You should be okay if you don't have a router and the modem doesn't have one built-in.

 

I see an Actiontec GT701-WG in the list. I thought those would have all died by now. Mine did.



#10 spc3rd


Posted 24 February 2013 - 12:23 PM

Thanks very much for the feedback, lti!


spc3rd
