

Umap scans entire address blocks and indicates which routers respond to UPnP requests

Routers from various manufacturers support UPnP (Universal Plug and Play) on their WAN interfaces, which apparently makes it possible for attackers to reconfigure them remotely via the internet and, for example, misuse them as surfing proxies or to infiltrate internal LANs. The problem was discovered by IT security specialist Daniel Garcia, who has developed the Umap tool to demonstrate the problem; the tool is available to download free of charge.

Umap detects UPnP-enabled end devices such as DSL routers and cable modems on the internet by directly retrieving the devices' XML descriptions. The required URLs and ports for some models are hard-coded into the tool. This enables the software to bypass the usual restriction that only allows UPnP to search for compatible hardware via multicast in local networks. Garcia says that entire device series by Edimax, Linksys, Sitecom or Thomson (SpeedTouch) respond to UPnP requests on their WAN interfaces.

Since UPnP isn't designed to include any authentication, the XML description can always be retrieved. Garcia said that, by performing an internet scan, he managed to detect 150,000 potentially vulnerable devices within a short period of time. Once initial contact has been made, the scanner sends such UPnP commands as AddPortMapping or DeletePortMapping to the devices via SOAP requests. LAN devices usually use these commands to access the internet via NAT. However, the devices from the manufacturers in question allow the port to be opened – and redirected to any other LAN device – via the WAN interface. Umap attempts to guess the internal IP address that is required to do so.

This allows attackers to scan the LAN and access devices on the internal network. Garcia says that mapping is even possible with IP addresses on the internet, enabling attackers to redirect someone else's internet connection via umap and, for instance, misuse it to surf the net anonymously or to download illegal content. As a protective measure, Garcia recommends that UPnP be disabled at least for the WAN interface. If this isn't possible, the only other option is to disable the technology completely – which may, however, disrupt the internet connections of such devices as games consoles.

(Uli Ries / ehe)