Evan Martin (evan) wrote in evan_tech,

upnp/flash vulnerability

Not to reduce their work, but this article on UPnP "hacking" [site's currently not loading very reliably] uses a lot of words to make a small point. So here it is in shorter form:
  1. Many (most) routers use UPnP for configuration, which uses SOAP over HTTP.
  2. Despite there being an autodiscovery phase to UPnP that involves non-HTTP packets, you can guess a router's IP anyway and you don't need to do autodiscovery to run commands.
  3. Flash lets you set arbitrary HTTP headers and POST to arbitrary hosts. This is standard XSRF -- the POSTing could be done with DHTML, so Flash is just needed to set the SOAP header.
  4. Therefore, malicious Flash can run port-opening commands on your router.
Opening ports doesn't require a password (since software like Skype wants to be able to do it). They claim you can also change the DNS server or admin credentials, which seems to me like it ought to need a password, but maybe they're relying on people leaving default passwords.
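The defensive counterpart to the four points above, as an added example that is not code from the original post: a router (or a LAN-side proxy in front of it) receiving UPnP control calls can at least tell a request a browser or Flash movie made on some web page's behalf from one a native client such as Skype made, because the browser-driven request normally carries a Referer or Origin header naming the page, and the native one does not. The classifier below parses a raw SOAP-over-HTTP control request, pulls the action name from the SOAPAction header and from the SOAP Body, checks that they agree, and flags state-changing actions that arrive cross-site. The control path, host and request bodies are constructed for the example (argument elements are left out); AddPortMapping, DeletePortMapping and GetExternalIPAddress are real actions of the UPnP IGD WANIPConnection service.

```python
"""Classify UPnP IGD control requests as a router or LAN proxy would see them.

Added example, not from the original post. Assumes raw HTTP/1.x requests and
the SOAP body shape used by UPnP IGD; the sample requests below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# WANIPConnection actions that change router state (real action names).
STATE_CHANGING = {"AddPortMapping", "DeletePortMapping"}


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, lowercase-header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def action_from_body(body: bytes):
    """Return the local name of the first element inside the SOAP Body, or None."""
    soap_body = ET.fromstring(body).find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    tag = soap_body[0].tag
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def classify_upnp_request(raw: bytes) -> dict:
    """Describe a control request: action, whether it changes state, whether it
    looks browser-driven (cross-site), and whether a router should refuse it."""
    method, _path, headers, body = parse_request(raw)
    result = {"is_soap": False, "action": None, "state_changing": False,
              "cross_site": False, "header_body_mismatch": False, "should_block": False}
    soapaction = headers.get("soapaction")
    if method != "POST" or soapaction is None:
        return result
    result["is_soap"] = True
    # SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
    header_action = soapaction.strip('"').rsplit("#", 1)[-1]
    body_action = action_from_body(body)
    result["action"] = body_action or header_action
    result["header_body_mismatch"] = body_action is not None and body_action != header_action
    result["state_changing"] = result["action"] in STATE_CHANGING
    # A Referer/Origin naming a host other than the router itself means some
    # web page drove the request; native LAN clients send neither header.
    router_host = headers.get("host", "").split(":")[0]
    for hdr in ("origin", "referer"):
        if hdr in headers and urlsplit(headers[hdr]).hostname != router_host:
            result["cross_site"] = True
    result["should_block"] = result["header_body_mismatch"] or (
        result["state_changing"] and result["cross_site"])
    return result


def _sample(action: str, extra_headers: bytes = b"") -> bytes:
    """Build a constructed control request for ACTION (arguments omitted)."""
    svc = "urn:schemas-upnp-org:service:WANIPConnection:1"
    return (
        b"POST /upnp/control/WANIPConn1 HTTP/1.1\r\n"          # constructed path
        b"Host: 192.168.1.1:49152\r\n"                           # constructed host
        b'Content-Type: text/xml; charset="utf-8"\r\n'
        + f'SOAPAction: "{svc}#{action}"\r\n'.encode() + extra_headers + b"\r\n"
        + f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_ENV}"><s:Body>'
          f'<u:{action} xmlns:u="{svc}"/></s:Body></s:Envelope>'.encode()
    )


# Constructed samples: a native client opening a port, a web page doing the
# same through the browser, and a web page only reading the external address.
NATIVE_REQUEST = _sample("AddPortMapping")
BROWSER_REQUEST = _sample("AddPortMapping", b"Referer: http://some-site.example/page\r\n")
READONLY_REQUEST = _sample("GetExternalIPAddress", b"Origin: http://some-site.example\r\n")

if __name__ == "__main__":
    for name, req in [("native", NATIVE_REQUEST), ("browser", BROWSER_REQUEST),
                      ("readonly", READONLY_REQUEST)]:
        print(name, classify_upnp_request(req))
```

The absence of Referer and Origin is not proof that a request came from a native client, so this check is a filter on the obvious cross-site case rather than an authentication mechanism; the point it demonstrates is that the router has enough information in the request itself to refuse the browser-driven AddPortMapping while still letting Skype-style clients through.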
Tags: hacking