Dear visitor, welcome to NAS Forum. If this is your first visit to this site, please read the help section, which explains how the site is used. You should also register in order to use all of the site's functions. Use the registration form to register, or read about the registration process in detail. If you have already registered, you can log in here.

snoopy

NAS2000-Team

Posts: 467

Location: At home

1

Tuesday, 6 April 2010, 10:06

UPnP Security Exploit !?!

Hello world! :coffee:

Is anyone of you using Twonky or MediaTomb? What about your router? UPnP mode activated? I did, and I feel a little bit endangered, reading that an attack is as easy as counting one to one.
After having read several UPnP security research materials I realized that all the described attacks assume that the attacker (be it human or malware) comes from inside the network. So how to exploit IGDs remotely via UPnP even when no services are publicly available (WAN interface)?
If you sniff yourself while running software that uses UPnP in the background to help you configure your router, you'll see that UPnP is nothing more than SOAP. Our AJAX knowledge tells us about a feature that allows us to craft arbitrary XML requests: the XMLHttpRequest object. Trouble is, such an object can only be used within the context of the site that the requests are submitted to. So if we host the malicious scripting code on a third-party site, and a victim user located in the same LAN as the target IGD visits such a page, the request wouldn't go through due to the XMLHttpRequest same-origin policy restriction. Or put in a different way: you aren't allowed to make XMLHttpRequests to any server except the server where your web page came from.
However, if you find a pre-auth XSS vulnerability on the target device you can bypass such a restriction. For instance, many devices such as the BT Home Hub and Speedtouch routers offer certain pages before authenticating. Some of these pages are CGI scripts which are vulnerable to XSS. Although offering certain "useless" functionalities before logging into the router might not seem like a big deal, it can actually lead to UPnP being exploited remotely, even if the web admin console is not visible from the Internet!
A first sniff showed several lacks in a test-field scenario with RS2001, Twonky, and a D-LINK 524 with the newest FW and UPnP support turned off; NAT was activated and strictly closed (no port forwarding from LAN to WAN).
Greetz.
Snoopy
--------------------------------------------------------------------------
Man is the most important and most valuable peripheral device of a computer system.

myStuff: NAS2001+4220(1000Gb-ext3)+Dlink524+KabelD. (120 Mbit)
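A defender-side illustration of the "UPnP is nothing more than SOAP" point above, added here and not part of snoopy's post or the research it quotes: a small Python parser that picks IGD port-mapping SOAP calls out of captured HTTP requests and flags the ones that look browser-originated, which is what the XSS route described in the post would produce. The control URL, addresses and request body are constructed sample data; the action and argument names are the standard WANIPConnection:1 ones.

```python
"""Flag UPnP IGD port-mapping SOAP requests that look browser-originated.

Added example for this thread, not code from the original post. The SOAP
action and argument names are the standard WANIPConnection:1 ones; SAMPLE
below is a constructed request, not a capture from a real device."""
from typing import Optional
import xml.etree.ElementTree as ET

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"
WATCHED = {"AddPortMapping", "AddAnyPortMapping", "DeletePortMapping"}


def parse_soap_request(raw: str, src_ip: str) -> Optional[dict]:
    """Parse one raw HTTP request; return a finding, or None if not a watched action."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    # SOAPAction looks like "urn:...:WANIPConnection:1#AddPortMapping"
    action = headers.get("soapaction", "").strip('"').rsplit("#", 1)[-1]
    if action not in WATCHED:
        return None
    call = ET.fromstring(body).find(f"{SOAP_ENV}Body/*")
    args = {c.tag.split("}")[-1]: (c.text or "") for c in call}
    reasons = []
    # Native UPnP clients send no Origin/Referer; a browser (XHR from an XSS'd page) does.
    if "origin" in headers or "referer" in headers:
        reasons.append("browser-originated (Origin/Referer present)")
    # Normal NAT traversal maps a port back to the requesting host itself.
    if action.startswith("Add") and args.get("NewInternalClient") != src_ip:
        reasons.append("internal client differs from requesting host")
    return {"action": action, "src": src_ip, "args": args, "suspicious": reasons}


# Constructed sample: a browser-originated request mapping WAN 2222 -> 192.168.1.50:22.
SAMPLE = (
    "POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"
    "Host: 192.168.1.1:49152\r\n"
    'Content-Type: text/xml; charset="utf-8"\r\n'
    'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n'
    "Referer: http://192.168.1.1/\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>2222</NewExternalPort>"
    "<NewProtocol>TCP</NewProtocol><NewInternalPort>22</NewInternalPort>"
    "<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>"
    "<NewPortMappingDescription>x</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    print(parse_soap_request(SAMPLE, "192.168.1.20"))
```

Feeding the parser with requests reassembled from a LAN capture (or from a reverse proxy in front of the IGD's control URL) turns the post's observation into a concrete check: any watched action that arrives with browser headers, or that maps a port to a host other than the one asking, deserves a look.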