Monday 24 September 2018, 11:42 UTC+2




Posts: 467

Location: At home


Tuesday 6 April 2010, 10:06

UPnP Security Exploit!?!

Hello world! :coffee:

Anyone of you using Twonky or MediaTomb? What about your router? UPnP mode activated? I did, and I feel a little bit endangered, reading that an attack is as easy as counting one to one.
After having read several UPnP security research materials, I realized that all the described attacks assume that the attacker (be it human or malware) comes from inside the network. So how to exploit IGDs remotely via UPnP even when no services are publicly available (WAN interface)?
If you sniff yourself while running software that uses UPnP in the background to help you configure your router, you’ll see that UPnP is nothing more than SOAP. Our AJAX knowledge tells us about a feature that allows us to craft arbitrary XML requests: the
XMLHttpRequest object. Trouble is, such an object can only be used within the context of the site that the requests are submitted to. So if we host the malicious scripting code on a third-party site, and a victim user located in the same LAN as the target IGD visits such a page, the request wouldn’t go through due to the XMLHttpRequest same-origin policy restriction. Or, put a different way: you aren’t allowed to make XMLHttpRequests to any server except the server where your web page came from.
However, if you find a pre-auth XSS vulnerability on the target device, you can bypass such a restriction. For instance, many devices such as the BT Home Hub and Speedtouch routers offer certain pages before authenticating. Some of these pages are CGI scripts which are vulnerable to XSS. Although offering certain “useless” functionalities before logging into the router might not seem like a big deal, it can actually lead to UPnP being exploited remotely, even if the web admin console is not visible from the Internet!
A first sniff showed several gaps in a test-field scenario with RS2001, Twonky, a D-LINK 524 with the newest FW and UPnP support turned off; NAT was activated and strictly closed (no port forwarding from LAN 2 WAN).
Man is the most important and most valuable peripheral device of a computer system.

myStuff: NAS2001+4220(1000Gb-ext3)+Dlink524+KabelD. (120 Mbit)
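Since the post boils down to "UPnP is just SOAP, and something on the LAN can ask the IGD to open ports", the practical check for a NAS owner is to look at what port mappings the router actually holds and compare them with what you created yourself. The script below is an added example, not code from the original post or from any of the products named here: it parses the SOAP replies an IGD gives to the standard WANIPConnection `GetGenericPortMappingEntry` action (the same XML you see when you sniff a UPnP client, as the post suggests) and flags every enabled mapping that is not on your own allowlist. The sample replies and the LAN addresses in them are constructed for the example; the end-of-table fault (UPnP error 713, SpecifiedArrayIndexInvalid) is the signal that the router's mapping table has been walked to its end.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


@dataclass(frozen=True)
class PortMapping:
    remote_host: str       # empty string means "any source on the WAN side"
    external_port: int
    protocol: str          # "TCP" or "UDP"
    internal_port: int
    internal_client: str   # LAN host the traffic is forwarded to
    enabled: bool
    description: str
    lease_seconds: int     # 0 = permanent


def _field(elem: ET.Element, name: str) -> str:
    # Children of the response element normally carry no namespace prefix,
    # but some firmwares put them in one; match on the local name only.
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    raise ValueError(f"field {name} missing from SOAP response")


def parse_port_mapping(soap_xml: str) -> Optional[PortMapping]:
    """Parse one GetGenericPortMappingEntry reply.

    Returns None when the router answers with UPnP error 713
    (SpecifiedArrayIndexInvalid), i.e. the index is past the last entry.
    """
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("not a SOAP envelope")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = next((e.text for e in fault.iter()
                     if e.tag.rsplit("}", 1)[-1] == "errorCode"), None)
        if code == "713":
            return None
        raise ValueError(f"UPnP fault {code}")
    resp = body.find(f"{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    return PortMapping(
        remote_host=_field(resp, "NewRemoteHost"),
        external_port=int(_field(resp, "NewExternalPort")),
        protocol=_field(resp, "NewProtocol").upper(),
        internal_port=int(_field(resp, "NewInternalPort")),
        internal_client=_field(resp, "NewInternalClient"),
        enabled=_field(resp, "NewEnabled") == "1",
        description=_field(resp, "NewPortMappingDescription"),
        lease_seconds=int(_field(resp, "NewLeaseDuration")),
    )


# Allowlist key: (protocol, external port, LAN host, internal port).
Expected = Set[Tuple[str, int, str, int]]


def audit(responses: List[str], expected: Expected):
    """Walk replies for index 0, 1, 2, ... until the 713 fault; return
    (all mappings, enabled mappings that are not on the allowlist)."""
    mappings: List[PortMapping] = []
    for xml in responses:
        entry = parse_port_mapping(xml)
        if entry is None:
            break
        mappings.append(entry)
    unexpected = [m for m in mappings if m.enabled and
                  (m.protocol, m.external_port, m.internal_client, m.internal_port)
                  not in expected]
    return mappings, unexpected


def _entry(remote, ext_port, proto, int_port, client, enabled, desc, lease) -> str:
    # Constructed reply in the shape an IGD returns; not captured from a real device.
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">'
            f'<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
            f'</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


END_OF_TABLE = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
                '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
                '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
                '</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>')

# Constructed sample table: one mapping the owner made for the media server,
# one nobody remembers creating, then the end-of-table fault.
SAMPLE_RESPONSES = [
    _entry("", 9000, "TCP", 9000, "192.168.0.10", 1, "Twonky media server", 0),
    _entry("", 3389, "TCP", 3389, "192.168.0.23", 1, "", 0),
    END_OF_TABLE,
]
EXPECTED: Expected = {("TCP", 9000, "192.168.0.10", 9000)}

if __name__ == "__main__":
    found, suspicious = audit(SAMPLE_RESPONSES, EXPECTED)
    print(f"{len(found)} mapping(s) on the IGD")
    for m in suspicious:
        print(f"UNEXPECTED: {m.protocol} {m.external_port} -> "
              f"{m.internal_client}:{m.internal_port} '{m.description}'")
```

To use it against your own router, save the replies you captured while sniffing (or fetched with a UPnP client you trust) and feed them to `audit` in index order with the allowlist of mappings you created yourself; anything it reports is either a forgotten forwarding rule or something on the LAN that asked the IGD to open a port for it. The parser deliberately does not talk to the network itself.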