Updated Wednesday, Jan. 23, 2008, at 4:07 p.m. EST.
The Universal Plug and Play (UPnP) interface is highly vulnerable to use by hackers seeking to modify home router settings – such as choice of DNS server – from an external location, researchers warned today.
Using a multimedia application like Adobe Flash, attackers may corrupt the UPnP interface in the router and modify router settings by leveraging simple object access protocol messages (SOAP) to circumvent password protection or even the WPA (Wi-Fi Protected Access) encryption standard on routers, Symantec warned in a posting Monday on its Security Response blog.
Adobe responded to the blog posting by suggesting malicious router commands delivered via SOAP requests can be circumvented by disabling this functionality in the router in accordance with procedures specified by US-CERT.
Symantec, citing research published by the self-styled "ethical hacker" think-tank GNUCITIZEN, said attacks generated by exploiting the UpnP interface may be “a hundred times more dangerous” than a recent attack in the wild using Flash and built on JavaScript host-scanning techniques.
Still, researchers said they do not expect to see widespread exploit.
In a posting this week on its website, GNUCITIZEN said that “in many cases, UPnP is remotely exploitable without interaction required from the victim, and all the attackers need to know is the IP address of the exploitable device.”
The previously reported JavaScript attack relied on the user not changing their default password and the presence of a cross-site request forgery vulnerability on the router, a flaw that is present on most major router models, according to Symantec.
The generation of SOAP messages using the Flash plug-in enables the attacker to avoid the problem of password authentication, and the fact that many home routers are configured to accept SOAP messages without any type of authentication compounds the threat, researchers said.
“When you combine these two observations, it's possible to create a webpage (containing an appropriate malicious Flash object) that when simply viewed will reconfigure your home router settings,” Symantec said in its blog posting. “Even if you employ traditional protections [such as passwords or WPA encryption], you will not be protected against these type of threats,” the Symantic warning stated.
While noting that the interaction between browser plug-ins and router interfaces may represent a new opportunity for hackers, the researchers said they have not yet detected any incidents exploiting this vulnerability and do not expect it to spawn a new wave of attacks.
“Attackers take the simplest approach that works, and the reality is that more attackers leverage human vulnerabilities than technological [ones]. There's little reason to exploit a hole in a particular product when you can simply just convince a computer user into lowering their own security,” according to Symantec's blog posting.
