Saturday, 15 December 2018, 17:13 UTC+1




Posts: 467

Location: Zu Hause


Tuesday, 06 April 2010, 10:06

UPnP Security Exploit !?!

Hello world! :coffee:

Anyone of you using the Twonky or MediaTomb? What about your router? UPnP mode activated? I did and I feel a little bit endangered, reading that an attack is as easy as counting one to one.
After having read several UPnP security research materials I realized that all the described attacks assume that the attacker (be it human or malware) comes from inside the network. So how to exploit IGDs remotely via UPnP even when no services are publicly available (WAN interface)?
If you sniff yourself while running software that uses UPnP in the background to help you configure your router, you'll see that UPnP is nothing more than SOAP. Our AJAX knowledge tells us about a feature that allows us to craft arbitrary XML requests: the XMLHttpRequest object. Trouble is, such an object can only be used within the context of the site that the requests are submitted to. So if we host the malicious scripting code on a third-party site, and a victim user located in the same LAN as the target IGD visits such a page, the request wouldn't go through due to the XMLHttpRequest same-origin policy restriction. Or put in a different way: you aren't allowed to make XMLHttpRequests to any server except the server where your web page came from.
However, if you find a pre-auth XSS vulnerability on the target device you can bypass such a restriction. For instance, many devices such as the BT Home Hub and Speedtouch routers offer certain pages before authenticating. Some of these pages are cgi scripts which are vulnerable to XSS. Although offering certain "useless" functionalities before logging into the router might not seem like a big deal, it can actually lead to UPnP being exploited remotely, even if the web admin console is not visible from the Internet!
A first sniff showed several lacks in a test field scenario with RS2001, Twonky, a D-LINK 524 with the newest FW and UPnP support turned off, NAT was activated and strictly closed (no port forwarding from LAN 2 WAN).
The human being is the most important and most valuable peripheral device of a computer system.

myStuff: NAS2001+4220(1000Gb-ext3)+Dlink524+KabelD. (120 Mbit)
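Added example, not part of the post or of any product mentioned in it: since UPnP IGD is just SOAP over HTTP, a defender can use the same WANIPConnection service to list the port mappings a router currently holds and flag any that nobody configured. The control URL, the "allowed" table and the sample response are placeholders and constructed values (a real control URL comes from the device description XML found via SSDP discovery).

```python
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "http://192.168.0.1:49152/upnp/control/WANIPConn1"  # placeholder; take yours from the device description XML

def soap_envelope(action: str, args: dict) -> bytes:
    """Build the SOAP body for one WANIPConnection action (UPnP control really is plain SOAP)."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{SERVICE}">{arg_xml}</u:{action}></s:Body></s:Envelope>').encode()

def parse_mapping(response_xml: bytes) -> dict:
    """Flatten a GetGenericPortMappingEntryResponse into {field: value}."""
    body = ET.fromstring(response_xml).find(f"{{{SOAP_NS}}}Body")
    return {child.tag.split("}")[-1]: (child.text or "") for child in body[0]}

def fetch_mapping(index: int) -> Optional[dict]:
    """Ask the router for table entry `index`; None once the table is exhausted (router answers with a SOAP fault)."""
    req = Request(CONTROL_URL, data=soap_envelope("GetGenericPortMappingEntry", {"NewPortMappingIndex": index}),
                  headers={"Content-Type": 'text/xml; charset="utf-8"',
                           "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
    try:
        with urlopen(req, timeout=5) as resp:
            return parse_mapping(resp.read())
    except HTTPError:
        return None

def unexpected_mappings(entries: list, allowed: dict) -> list:
    """Return mappings absent from `allowed` ({internal_ip: {external_port, ...}}); each one is a hole punched through NAT."""
    return [m for m in entries
            if int(m["NewExternalPort"]) not in allowed.get(m["NewInternalClient"], set())]

# Constructed sample response (not a real capture) so the parser can be tried offline.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.0.23</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>unknown</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    table, i = [], 0
    while (m := fetch_mapping(i)) is not None:  # walk the table until the router reports no such index
        table.append(m); i += 1
    for m in unexpected_mappings(table, allowed={"192.168.0.10": {80}}):
        print("unexpected:", m["NewProtocol"], m["NewExternalPort"], "->", m["NewInternalClient"], m["NewInternalPort"])
```

Running it against a router with UPnP enabled prints every mapping that is not on your allow-list; a mapping you never created is exactly the kind of entry the attacks described in the post leave behind.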