Jump to content



Photo

Test your router to see if its vulnerable to the UPnP Exploit.

upnpvulnerabilitytest

  • Please log in to reply
75 replies to this topic

#61 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 12 February 2013 - 10:26

So grandma is going to be running trackmania server? You can play the game without having to run a server on your box, and you can also play on other players servers again without having to open up any ports. You can even book free server time can you not? And rent servers? If your not bright enough to figure out how to forward a single port.


and where did I say anything about running servers ? maybe if you read what I posted and/or knew how trackmania works. Trackmania allows you to make and share tracks and in this case, more importantly skins for your car. in order for other people to see your car skins you need an open port for the trackmania P2P sharing system. otherwise your car only shows up as grey or with a default skin for others, or if you're running with a custom car model then you also need this.

as for Grandma, people of any age who aren't computer knowledgeable run TM , people who I would never let near the router config.

for this and similar stuff, UPnP is a great solution for them. And for people with large families who don't want to manually map ports for their 5+ computers in their house that keeps needing or changing the ports they need.

and as long as the router/software isn't affected by this bug exploit, there's no reason not to have UPnP on, after all if the malware is already on your side of the firewall, you've already lost. and UPnP on or off will have pretty much no effect.


#62 cork1958

cork1958

    Neowinian

  • Tech Issues Solved: 2
  • Joined: 04-October 02

Posted 12 February 2013 - 11:26

Yay!! Disabled

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

Double Yay!!
Enabled

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!

#63 Elessar

Elessar

    Professional Daydreamer

  • Joined: 10-August 05
  • Location: New York

Posted 12 February 2013 - 11:56

Disabled by default on Gargoyle. I can't believe it took me so long to put this on my WNDR3700.


I'm running Gargoyle as well and have UPnP / NAT-PMP enabled. I also passed.

#64 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 96
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 12 February 2013 - 13:26

Im not saying its not a useful feature - what I am saying is its a SECURITY NIGHTMARE, has been since the get go.. There is no AUTH, not even identification..

You state
"people who I would never let near the router config."

But you would allow any software they run to access modify your router config without boo from you the admin?

As to sharing your skins - again UPnP not needed, and ports not required to be allowed inbound either.. Just use a locator url and place your custom skin file on the net somewhere.

No I don't play trackmania - so no I am not up to speed on all the ins and outs of how protocols work in that game.. But what I can tell you is UPnP is NOT required for that game to work.. And allowing it is a security risk you may be willing to take, but not something most people would be happy to allow to run on their network.

This protocol needs to fixed, it needed to be fixed 10 years ago!

#65 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 5
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 12 February 2013 - 13:42

Skype may have been a bad example, but WLM (for example) needs an open port to transfer files (same with Jabber too), while they can use other methods they're also much slower.

If you need a direct connection between two systems with a then you need that "hole punching" behaviour with either port forwarding or a firewall, unless you want to proxy everything through a 3rd party.

#66 vcfan

vcfan

    Doing the Humpty Dance

  • Tech Issues Solved: 3
  • Joined: 12-June 11

Posted 12 February 2013 - 13:56

Skype may have been a bad example, but WLM (for example) needs an open port to transfer files (same with Jabber too), while they can use other methods they're also much slower.

If you need a direct connection between two systems with a then you need that "hole punching" behaviour with either port forwarding or a firewall, unless you want to proxy everything through a 3rd party.


obviously,if these people are not tech savvy,then they would ask their computer expert to make these applications work. I mean,its not like they set up their own router.

believe it or not,there are a lot of application that will listen on a port for a connection. somewhere out there, people have found exploits in some of these and all they would have to do is port scan your ass to find out if you're running this vulnerable application, then take you down.

I personally can't trust uPnP.

#67 PGHammer

PGHammer

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 31-August 03
  • Location: Accokeek, MD
  • OS: Windows 8 Pro with Media Center x64

Posted 12 February 2013 - 13:57

All good here as well. :)


All clean here as well (Netgear WNDR3700v4 with factory firmware).

#68 OP +warwagon

warwagon

    Only you can prevent forest fires.

  • Tech Issues Solved: 2
  • Joined: 30-November 01
  • Location: Iowa

Posted 12 February 2013 - 15:07

You state
"people who I would never let near the router config."

But you would allow any software they run to access modify your router config without boo from you the admin?


So True!!!! :D

I've always said that anyone who takes security seriously should feel uneasy at just the thought of UPnP! My moms router also has UPnP disabled. If she has a program which needs ports opened up she can call and I can help her out.

#69 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 12 February 2013 - 16:44

Im not saying its not a useful feature - what I am saying is its a SECURITY NIGHTMARE, has been since the get go.. There is no AUTH, not even identification..

You state
"people who I would never let near the router config."

But you would allow any software they run to access modify your router config without boo from you the admin?

As to sharing your skins - again UPnP not needed, and ports not required to be allowed inbound either.. Just use a locator url and place your custom skin file on the net somewhere.

No I don't play trackmania - so no I am not up to speed on all the ins and outs of how protocols work in that game.. But what I can tell you is UPnP is NOT required for that game to work.. And allowing it is a security risk you may be willing to take, but not something most people would be happy to allow to run on their network.

This protocol needs to fixed, it needed to be fixed 10 years ago!

I dont' really have any problem with them opening ports, why would I. they're the ones who open up their access anyway, and all windows computers have their own software firewalls that block based on software anyway.

And trackmania only supports sharing through it's built in P2P system, which for a new is a lot easier since it's all integrated into the game, then going and uploading to a site. you edit the skin in the game apply it, and it's available to everyone you race with anywhere.
And yes, for the P2P sharing features of the game to work, you either need UPnP or manual port mapping.

and actually, "most" people would be willing to, I think you're confusing most people with "me". which is two entirely different concepts. And the whole security thing is again, mostly scaremongering unless your router is one of the very few faulty ones with the exploit open.

There's no inherrent increased security with UPnP off as opposed to on. just more work for the "admin". which is a stupid term on any home network no matter how big and fancy it is.

No malware needs open ports to spam itself inside or outside the network. or to give access inside.

#70 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 96
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 12 February 2013 - 17:09

I highly suggest you read up on the UPnP protocol in general.. Did you read the article I linked to from 2006?

I think your confusing your lack of caring about what goes in and out of your network with what normal security minded people would care about. No I doubt the grandma playing trackmania person cares..

An active issue is not scare mongering.. Now is the list of routers that are open to UPnP from the wan side a short one??.. I would sure hope so, but the issue is a long list of versions of libupnp that goes all the way back to 1.4

My points are not really about this test, nor the current issue with libupnp -- my issue is the protocol in general.. There is NO security mechanism included.. Has not been since the get go, this is a problem. And has been since day one.

Do a simple google for UPnP and security.. Where do you find anyone saying that there is no issue with it? Leaving it on is trading security for convenience.. Maybe that is fine with you, but no its not fine with "me" nor would it be with anyone that cares about security.

Please find a source that says there is no security issues with UPnP other than yourself? ;) I would be happy to read such an article. To be honest I don't think I recall ever hearing anyone other than you think that there is not an issue with UPnP at the general level because of the lack of auth.

Do you recall a few years back the issue with using flash to send traffic to your UPnP router, there could be issues with rerouting your dns - just a long list of nasty things that allowing it could open up, when there is little reason too other than convenience or a lazy admin of their own network. Not going to say that you never need inbound unsolicited traffic - but its not something that needs to change on the fly every other hour that would make it such a pain to maintain in most home networks.

#71 HawkMan

HawkMan

    Neowinian Senior

  • Tech Issues Solved: 4
  • Joined: 31-August 04
  • Location: Norway
  • Phone: Noka Lumia 1020

Posted 12 February 2013 - 17:20

The fact that everyone I this thread tested successfully and that the site itself only shows number of failed tests not the non fails shows its scaremongering and the amount of effected routers isn't nearly as if as the scaremongers make it out to be.

And what's with the grandma playing TM. millions of people play TM regular people from 9 and up, who don't care about their router as long as it works, gives them Internet and lets them do what they want.

As for the security, again, unless your router is effected by the exploit, you still need malware on your side of the router. In which case the malware can give full access to your network to the hacker without UPnP.

So by that logic, any security minded person would not be connected to the Internet.

Sure it could be more secure, but then you also add in complexity that confuse the average person.

#72 Yusuf M.

Yusuf M.

  • Tech Issues Solved: 1
  • Joined: 25-May 04
  • Location: Toronto, ON
  • OS: Windows 8.1 Pro
  • Phone: OnePlus One 64GB

Posted 12 February 2013 - 17:37

UPnP was enabled by default on my ASUS RT-N66U router.

THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!


According to the test, my router isn't vulnerable to the exploit. I guess I'll just leave it enabled.

#73 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 5
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 13 February 2013 - 05:17

obviously,if these people are not tech savvy,then they would ask their computer expert to make these applications work. I mean,its not like they set up their own router.

believe it or not,there are a lot of application that will listen on a port for a connection. somewhere out there, people have found exploits in some of these and all they would have to do is port scan your ass to find out if you're running this vulnerable application, then take you down.

I personally can't trust uPnP.


So every time they want to send photos to somebody they call out a computer technician?

#74 CrashGordon

CrashGordon

    The Perfect Threesome: Lime, Salt & Tequila

  • Joined: 31-January 04
  • Location: Atlanta, GA
  • Phone: Jackson JS3 Kelly Bird IV through a Fender Rumble 150. Can ya hear me now?

Posted 13 February 2013 - 05:31

guys please be sure you specify the router you are using for the tests... some of you didn't and that's not helpful...

Sorry, I guess that would be helpful.

Passed test, Netgear WNDR2700 v1 with F/W version V1.0.7.98NA

#75 belto

belto

    Neowinian

  • Joined: 06-October 01
  • Location: USA, Georgia
  • OS: OS X Mountain Lion
  • Phone: iPhone 5s Gold 64GB

Posted 13 February 2013 - 05:57

all clear and passed.

Actiontec V1000H

Actiontec V1000H