Full Disclosure mailing list archives

Hacking The Interwebs


From: "pdp (architect)" <pdp.gnucitizen () googlemail com>
Date: Sun, 13 Jan 2008 08:25:54 +0000

http://www.gnucitizen.org/blog/hacking-the-interwebs

When the victim visits a malicious SWF file, a four-step attack silently
executes in the background. At that moment the attacker has control over
their router, pretty much regardless of its model. *Many home routers are
vulnerable to this attack, since many of them support UPnP to one degree or
another.*

The attack does not rely on any bugs. Simply put, when two completely
legitimate technologies, Flash and UPnP, are combined, they compose a
vulnerability which exposes many home networks to great risk. The attack
depends on the fact that most, if not all, routers are UPnP enabled. The UPnP
SOAP service can be accessed without authorization over the default Web Admin
Interface. With the help of Flash, the attacker can send arbitrary SOAP
messages to the router's UPnP control point and thereby reconfigure the
device in order to enable further attacks.

The most malicious of all malicious things to do when a device is
compromised via the attack described at the link at the top of this email
is to change the primary DNS server. That effectively turns the router and
the network it controls into a zombie which the attacker can take advantage
of whenever they feel like it. It is also possible to reset the admin
credentials and create the sort of onion routing network all bad guys want.
Many routers come with a Layer 3 port-forwarding UPnP service. This is also
a potential vector that attackers can use: in cases like this, they simply
expose ports behind the router on the Internet-facing side.
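As an added example (not code from the original post or from GNUCITIZEN), here is a small detector a defender can run over HTTP requests captured on the LAN: it recognizes UPnP IGD SOAP control calls by their SOAPAction header and body, and flags the actions that change port mappings or the default route. The sample request is constructed for illustration; the control URL and addresses are made up.

```python
# Detect UPnP IGD SOAP control calls in captured HTTP requests (defender side).
# Assumption: `raw` is one complete HTTP request as bytes (headers + body).
import email
import re
import xml.etree.ElementTree as ET

# Actions a browser on the LAN has no legitimate reason to invoke on the gateway.
SENSITIVE_ACTIONS = {"AddPortMapping", "DeletePortMapping",
                     "SetDefaultConnectionService"}
SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
ACTION_RE = re.compile(r"(urn:schemas-upnp-org:service:[\w-]+:\d+)#(\w+)")


def parse_upnp_control(raw: bytes):
    """Return {'service', 'action', 'args'} for a UPnP control POST, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_blob = head.decode("latin-1").partition("\r\n")
    if not request_line.startswith("POST "):
        return None
    headers = email.message_from_string(header_blob)  # RFC 822-style header parse
    m = ACTION_RE.fullmatch(headers.get("SOAPAction", "").strip().strip('"'))
    if not m:
        return None
    service, action = m.groups()
    try:
        body_el = ET.fromstring(body).find(SOAP_NS + "Body")
    except ET.ParseError:
        return None
    if body_el is None or len(body_el) == 0:
        return None
    call = body_el[0]
    if call.tag.split("}")[-1] != action:  # header and body disagree
        return None
    args = {c.tag.split("}")[-1]: (c.text or "").strip() for c in call}
    return {"service": service, "action": action, "args": args}


def is_suspicious(parsed) -> bool:
    return parsed is not None and parsed["action"] in SENSITIVE_ACTIONS


# Constructed sample: a port-mapping request as a LAN host would send it.
SAMPLE = (b"POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"
          b"Host: 192.168.1.1:49152\r\n"
          b'Content-Type: text/xml; charset="utf-8"\r\n'
          b'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"\r\n'
          b"\r\n"
          b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
          b"<NewExternalPort>3389</NewExternalPort><NewProtocol>TCP</NewProtocol>"
          b"<NewInternalPort>3389</NewInternalPort><NewInternalClient>192.168.1.20</NewInternalClient>"
          b"<NewEnabled>1</NewEnabled></u:AddPortMapping></s:Body></s:Envelope>")
```

Feeding `SAMPLE` to `parse_upnp_control` yields the action and its arguments, so a monitor can alert on `is_suspicious(...)` together with the internal client and external port being exposed.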

***We hope that by exposing this information, we will drastically improve
the situation for the future. I think that this is a lot better than keeping
it for ourselves or risking it all by giving the criminals the opportunity to
have in their possession a secret which no one else is aware of.* The best way
to protect against this attack is to turn off UPnP if your router's Admin
Interface allows it. It seems that many routers simply do not have this
feature.

More information on related UPnP research can be found here:
http://www.gnucitizen.org/
http://www.gnucitizen.org/blog/steal-his-wi-fi
http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-5
http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play

GNUCITIZEN is a Cutting Edge, Ethical Hacker Outfit, Information Think Tank,
which primarily deals with all aspects of the art of hacking. Our work has
been featured in established magazines and information portals, such as
Wired, Eweek, The Register, PC Week, IDG, BBC and many others. The members
of the GNUCITIZEN group are well known and well established experts in the
Information Security, Black Public Relations (PR) Industries and Hacker
Circles with widely recognized experience in the government and corporate
sectors and the open source community.

GNUCITIZEN is an ethical, white-hat organization that doesn't hide anything.
We strongly believe that knowledge belongs to everyone and we make
everything to ensure that our readers have access to the latest cutting-edge
research and get alerted of the newest security threats when they come. Our
experience shows that the best way of protection is mass information. And we
mean that literally!!! It is in the public's best interest to make our
findings accessible to the vast majority of people, simply because it is
proven that the more people know about a certain problem, the better.

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org http://www.hakiri.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
