Problems with Universal Plug and Play (UPnP) Demonstrate Blended Threat risk
Universal Plug and Play (UPnP) is a technology designed to make it easy for different network devices to communicate with each other. As many people have found, making things easy often leads to security problems, and that has been the case with UPnP plenty of times in the past.
There has been increasing research in recent times focussing on triggering local vulnerabilities through a remote interface, such as using a browser plugin as the vector to activate an exploit that can only work from a local machine.
One such vulnerability has been discovered and disclosed by the well-known web security researcher pdp, who has also been responsible for publishing much of the earlier work on triggering local vulnerabilities remotely via web technologies.
As recommended by US-CERT, administrators should look to disable UPnP on devices that are exposed to insecure networks or are a critical security element, and to start filtering the IGMP protocol on internal network segments that do not need to communicate UPnP requests.
Users can achieve similar results by disabling UPnP on devices that support it, and by disabling support in their OS, as described in MS07-019 for Windows XP systems.
As demonstrated by pdp, the UPnP vulnerability can be used to take control of pretty much any domestic network router, and because it relies upon Flash, it can be executed on any platform that is running a compatible version of Flash (or Flash-equivalents), making it one of the most cross-platform exploits to be disclosed for some time. Since the exploit utilises core functionality in Flash, and not some Flash vulnerability, it is going to prove difficult to overcome.
A similar technique (though Windows only) is being used to exploit a recently discovered Skype vulnerability, where a website vulnerability is being used to activate an issue with the Skype plugin that then allows an attacker to read and write to local disks, launch applications, and generally take complete control over a victim's system.
By blending a number of seemingly harmless techniques, a powerful exploit or vulnerability can be rapidly prototyped and implemented. With the UPnP vulnerability described above, the real concern is that a designed-in capability of a common Internet technology has now been moulded to deliver attack code to vulnerable systems.
Readers should expect this combination of automated Flash commands to become a common attack / distribution vector in the near future.
21 January 2008