08:17 am, 14 Jan 08
Not to reduce their work, but this article on UPnP "hacking" [site's currently not loading very reliably] uses a lot of words to make a small point. So here it is in shorter form:
- Many (most) routers use UPnP for configuration, which uses SOAP over HTTP.
- Despite there being an autodiscovery phase to UPnP that involves non-HTTP packets, you can guess a router's IP anyway and you don't need to do autodiscovery to run commands.
- Flash lets you set arbitrary HTTP headers and POST to arbitrary hosts. This is standard XSRF -- the POSTing could be done with DHTML, so Flash is just needed to set the SOAP header.
- Therefore, malicious Flash can run port-opening commands on your router.
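From the defender's side, the useful consequence of the summary above is that every one of these port-opening requests is an ordinary HTTP POST carrying a SOAPAction header, so it can be spotted in a router's request log (or a LAN capture) without any UPnP discovery traffic. The following is an added example, not code from the article or from any router vendor: it classifies constructed request records and flags the actions that change port mappings. The control path `/upnp/control/WANIPConn1` and the log record layout are assumptions; the SOAPAction values follow the public UPnP WANIPConnection service naming.

```python
import re

# Constructed sample records, shaped like what a router's HTTP access log might
# keep per request: client address, method, path and the request headers that
# matter for UPnP control. Paths and addresses are invented for this example.
SAMPLE_REQUESTS = [
    {"client": "192.168.1.23", "method": "POST", "path": "/upnp/control/WANIPConn1",
     "headers": {"SOAPAction": '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"'}},
    {"client": "192.168.1.23", "method": "POST", "path": "/upnp/control/WANIPConn1",
     "headers": {"SOAPAction": '"urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"'}},
    {"client": "192.168.1.50", "method": "GET", "path": "/",
     "headers": {}},
    # Header names are case-insensitive in HTTP and some clients omit the quotes,
    # so the detector must normalise both before matching.
    {"client": "192.168.1.23", "method": "POST", "path": "/upnp/control/WANIPConn1",
     "headers": {"soapaction": "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"}},
]

# Actions on the WAN connection service that change the router's NAT table.
MUTATING_ACTIONS = {"AddPortMapping", "DeletePortMapping", "AddAnyPortMapping"}

ACTION_RE = re.compile(r"(urn:schemas-upnp-org:service:[^#]+)#(\w+)")


def soap_action(headers):
    """Return the SOAPAction header value with quotes and whitespace removed, or None."""
    for name, value in headers.items():
        if name.lower() == "soapaction":
            return value.strip().strip('"')
    return None


def classify(req):
    """Return (service_urn, action) if the record is a UPnP SOAP control call, else None."""
    if req["method"].upper() != "POST":
        return None
    action = soap_action(req["headers"])
    if action is None:
        return None
    match = ACTION_RE.fullmatch(action)
    if match is None:
        return None
    return match.group(1), match.group(2)


def find_mapping_changes(requests):
    """List (client, action) pairs for every request that adds or removes a port mapping."""
    alerts = []
    for req in requests:
        parsed = classify(req)
        if parsed is not None and parsed[1] in MUTATING_ACTIONS:
            alerts.append((req["client"], parsed[1]))
    return alerts


if __name__ == "__main__":
    for client, action in find_mapping_changes(SAMPLE_REQUESTS):
        print(f"port-mapping change: {action} requested by {client}")
```

The read-only call (GetExternalIPAddress) is deliberately left out of the alert list: the point is to notice the mapping changes, since a browser on the LAN issuing AddPortMapping is exactly what the Flash-based XSRF looks like from the router's perspective. On a router where UPnP is not needed, disabling it removes the whole class of request; where it is needed, the same classification can drive an alert on mappings that were not expected.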