Flash is flawed too
It should not allow connections to addresses other than the server on which it is hosted. The Java sandbox imposes this restriction.
Security mavens have uncovered a design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website. The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce …
"The problem resides in Universal Plug and Play"
And nothing more really need be said. The brainless f*ckwits that can't set up their networks without UPnP are going to get infected regardless of Flash.
And those of us who can follow simple directions don't need UPnP, so we turn it off on every device before allowing an Internet connection.
Looks like at least the Zyxel Prestige 600 series are OK. They seem to have UPnP off by default.
It saved me the bother of forwarding ports manually.
Guess it's fixed IPs and manual forwarding for me from...well, whatever evening I can be bothered to set it up...
OK, so someone will write (or more probably copy) a nice tutorial on how to use your router safely, or some other networking issue. You know, "Networking for Newbies" type of stuff would fit the bill. And place the exploit there. How about it? When you google for this, this site might show up. You might notice it's not what you were looking for only after you opened it. Happens all the time to me.
Don't think that only pr0n and h4x0r websites can be "dodgy"...
Whoever designed the XBox Live networking should be flayed. It does indeed like to use UPnP to control your router:
http://www.xbox.com/en-US/support/connecttolive/xbox360/connectionmethods/troubleshootliveconnection-testnat.htm
This idiocy from the clowns who want to bring you Trusted Computing
Netgear RP614v2 - UPnP off by default - phew!
In any case, my Win ME system is like Fort Knox since I installed RootkitBuster, KAU antivirus and SpyAxe.
CC#183740940485 Exp12/02/2009 S#869 UsID B0HeM1AN P QUEen1976 NS298554 IR F3887845-D
> massive bot nets, turks defacing websites, chinese pen testing DOD computers, spam, prolific viruses and nigerian royalty.
Nothing to do with the interface & protocols, everything to do with poor quality implementations in a worse quality OS.
Just got the same kit - now looking forward to upgrading it to a *truly* capable router.
All those saying just switch it off and configure your router manually are missing the point. Most people who benefit from upnp don't have a clue how to do this.
Telling them to switch off upnp is effectively telling them to give up webcam chats with their loved ones via skype or msn, give up having tech savvy friends help them with their pc via remote assistance, give up playing online games on their pc or games console - basically give up any application that requires ports to be opened in a NAT firewall.
As with most things, upnp is safe as long as you can prevent a malicious application from running on a pc within the firewall. The fact that flash can act as a malicious program with regard to upnp is the problem. Flash should be modified to specifically prevent it from issuing upnp commands. It is far more practical to do this than to expect millions of non-technical users to modify their router settings.
This may assist ;
http://www.grc.com/unpnp/unpnp.htm
After reading this article, I went home and checked my Netgear router. It does have UPnP, and it was enabled. Nothing else associated with UPnP was turned on, and I quickly turned it off. Thanks, Teh Reg!
"if you don't go to dodgy websites in the first place where these people are likely to have put the crafted flash" - hmm, rogue advertising banners, anybody?
When I signed up for DSL with Qwest, they sold me the GT701-WG, similar to the GT704-WG I have now. In both devices, uPNP is OFF by default. A good policy.
I'm a bit confused by comments about this model. Mine is about 2yr old and running the original firmware (v4.30.7) and it does not have any UPnP that I can find. Supposedly it is listed under "Applications & Gaming" but I can't find anything. I was thinking this would be the time to change the firmware, but maybe I'll just leave well enough alone.
Some routers are 'certified' as "Xbox Live Compatible", which is a marketing exercise to promote the router for typical home use. Don't fall for it - it just means the router has UPnP enabled as standard. You don't need UPnP on a typical home router and if you're about to buy one, ensure that it can be disabled from the admin screens, especially in light of this exploit.
To make XBL work on a router without UPnP running, do the following (should work for common Netgear or DLink interfaces, else you'll have to work out the equivalents for your router):
1. Tell the router to always give the Xbox (identified by its MAC address) the same IP each time -OR- set the Xbox to have a static IP. Either way the goal is to make sure the Xbox always has the same IP.
2. Create a new service called XBL88 and set it as TCP and UDP port 88. In the Netgears you can select TCP and UDP and have to specify the start and end port, just make them both 88.
3. Repeat for a service called XBL3074 for port 3074.
4. In your firewall rules say that anything inbound for the XBL88 and XBL3074 services is forwarded to the IP address reserved earlier for your Xbox. This is two rules in 'Inbound Services' in the Netgears.
5. Make sure you apply changes as you go. Boot up the Xbox and confirm it has the correct IP in the Settings / Network blade. Test the connection to XBL, the NAT type should be 'Open'.
That's it. Forwarding the ports is what UPnP would have done dynamically for you.
With anybody's router? What technical mindless bosh is this? I don't even own a router and this seems highly suspect. Yeah, OK, I read it was unsafe and said duh along with everyone else at the time, but here's my question: what is flash doing that it needs to control your router?
UPnP seems to be enabled by default on BT's Home Hub. Not any more on mine, as of last night. Thanks, El Reg!
On a WRT54GL it's on the Administration tab, Management subtab, right at the bottom. Should be disabled by default.
Well I read the GRC page years back, decided I had no need for UPnP and that it was kinda dangerous to boot. So on every Windows PC I have set up or rebuilt, and they do need rebuilding regularly, I run unUPuP, and a couple of other GRC products. For example ensuring that the message thingy is disabled. I am sure I can do these without the GRC products but it makes it easy.
I have UPnP turned off (if I remember) in my router, think it was the default, I never have any issues logging in at all, either via its DNS name or its IP address, turning port forwarding rules on so that I could use azureus was easy, azureus actually points you in the direction of the help (great app btw). So I have open ports, lovely, oh sorry no I don't cos I only turn those rules on when I want to torrent.
If a user doesn't want to be infected they should go out and learn how to secure their machines. They should learn to be more careful about what they click on, it's not hard, just takes a little common sense, for companies to provide routers and other kit in a secure way as default, I am looking at Sky here, amongst others, and for people actually selling the kit to have a clue and be approachable and answer questions, it's not hard people!!
Avoiding dodgy websites isn't so easy...
Never clicked a link in a search engine without checking the url?
Never followed a link that claims to tell you about a upnp exploit?
Never followed a link out of a spam email? (Go on be honest)
Never read hacking sites?
Never followed a link out of a wiki?
Perhaps Flash should be subject to the same kind of security restrictions that a java applet would be under, one of which is that it can only connect to the site it came from.
Just checked and my Netgear doesn't have a feature to turn uPNP off, only one to turn it *on* because, as the help text on the uPNP page says, "The default setting for UPnP is disabled. If disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router." - which seems pretty clear!
@Death_Ninja/Chris/etc - I've got uPNP disabled (see above) and I don't have any problems with my XBox360 on XBox Live - certainly it works enough to download content, get patches and get shot to bits in the Halo3 multiplayer beta. Is there something else I should be getting? Other than not shot repeatedly in Deathmatch of course.... :'(
Maybe I've just been lucky with my config - which'd be a novelty....
Even trustworthy websites can be turned dodgy
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
I once looked at the London tickets and several others come as links from Google when searching for tickets eg the directline ones.
It's been a while since I had any reason to play with UPnP, but I vaguely recall that I needed to give myself admin rights before Windows would let me blow holes in my router. Is that still true?
If you need admin rights then this is a scare story. Any "security hole" that needs admin rights on the local machine to exploit is just FUD. (In this context, Raymond Chen is fond of the Douglas Adams line "It rather involved being on the other side of this airtight hatchway".) On the other hand, if you don't need admin rights to open ports on your firewall/router/whatever, then there's something wrong with your kit.
Of course, far too many people *are* using admin accounts and using IE to download and automatically run whatever the bad guys want, but UPnP is not part of that picture.
@ Steve: Thanks for clearing that up. It's fixed now, but it was on by default as David Shepherd had mentioned above. I find it a bit disheartening that Linksys would do that. Maybe that's a good reason for switching to Tomato like Steve Pettifer did. (same Steve?)
I find these kinds of menus confusing. My eyes aren't what they used to be and it's easy to fool me with amateurish layout and odd vocabulary such as putting UPnP with passwords instead of with port forwarding. You'd think a company like Linksys would take a more professional approach.
To Robert Cross - XBL still works without the relevant ports forwarding through to the Xbox, but there are various restrictions in terms of what you can do. Simplest way is to go to your network blade in the Xbox and test your connection to XBL. Make a note of the type of NAT reported then go here to see the implications.
http://www.xbox.com/en-US/support/connecttolive/xbox360/connectionmethods/troubleshootliveconnection-testnat.htm
UPnP or manual forwarding will make it of type "open" which is the most compatible.
Admin rights are not required, the code sends a normal xml request via http to the router which, bafflingly, allows changes to the primary DNS of the router.
http://en.wikipedia.org/wiki/SpyAxe
Or, just search for spyaxe on google. That is a tricky (but not the worst) piece of malware to remove.
Don't make me get the scarlet "I" out...
my Bt white-slab-of-plastic-router-thingy went down and while trying to suss it I came across this:
The BT Home Hub contains code that is covered by the GNU General Public License (GPL). In accordance with the GPL, BT makes the relevant code available for download below.
code is on <http://www.btyahoo.com/broadband/adhoc_pages/gplcode.html>
FYI if you want to poke around.
BTW thanks for the book recommendations above, much appreciated.
From what I can see the problem isn't with UPnP but with the home gateway router manufacturers' implementation of it.
Take a look at "Understanding UPnP™: A White Paper" at http://www.upnp.org/resources/whitepapers.asp. Once you get past the Windows ME logo and the 'future tech' verbiage it comes down to an appliance advertising the services it offers.
Now look at consumer internet gateway routers (IGR) and ask why a consumer IGR needs to allow its internet connection settings or password to be changed via UPnP.
I can see why an IGR would allow UPnP to configure port forwarding (external to internal) - this replaces the process that I would otherwise need to undertake manually – but why an IGR should offer any other service is beyond me.
If the only UPnP request that my IGR recognises is one that opens an external port then I’m happy – that’s what I thought it did and my internal application firewall (ZoneAlarm) will let me decide whether a specific application is allowed to listen for incoming internet requests.
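The point made in the last two comments (the request is plain XML over HTTP, and a gateway should expose nothing over UPnP beyond port mapping) can be checked against your own router: fetch the device description XML it announces and list which services it advertises. Added example, not code from the thread or from any vendor; the XML below is constructed, and the SERVICE_RISK classification is the author's own reading of the IGD service names, not part of the spec.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-upnp-org:device-1-0}"

# What each advertised IGD service lets an unauthenticated LAN client do.
# Port mapping (WANIPConnection/WANPPPConnection) is the only thing the
# commenters want; anything that reconfigures the gateway itself is flagged.
SERVICE_RISK = {
    "WANIPConnection": ("port mapping (AddPortMapping)", "expected"),
    "WANPPPConnection": ("port mapping (AddPortMapping)", "expected"),
    "LANHostConfigManagement": ("DHCP/DNS settings (SetDNSServer)", "overexposed"),
}

# Constructed sample device description, modelled on the XML an IGD serves at
# the LOCATION its SSDP reply announces; not captured from any real router.
SAMPLE_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
 <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
 <deviceList><device>
  <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
   <controlURL>/upnp/control/wanipc</controlURL></service></serviceList>
 </device><device>
  <deviceType>urn:schemas-upnp-org:device:LANDevice:1</deviceType>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:LANHostConfigManagement:1</serviceType>
   <controlURL>/upnp/control/lanhcm</controlURL></service></serviceList>
 </device></deviceList></device></root>"""


def audit_services(device_xml):
    """Return (service name, what it controls, verdict) for every service
    advertised anywhere in the device tree, nested sub-devices included."""
    root = ET.fromstring(device_xml)
    findings = []
    for svc in root.iter(NS + "service"):
        urn = svc.findtext(NS + "serviceType", default="")
        # serviceType looks like urn:schemas-upnp-org:service:<Name>:<version>
        name = urn.split(":")[-2] if urn.count(":") >= 4 else urn
        what, verdict = SERVICE_RISK.get(name, ("unknown service", "review"))
        findings.append((name, what, verdict))
    return findings


def overexposed(device_xml):
    """Services that let a LAN client change gateway settings beyond opening
    a port; an empty list is the state the comment above asks for."""
    return [n for n, _, v in audit_services(device_xml) if v != "expected"]
```

With UPnP disabled on the router the SSDP reply never arrives and there is no description to audit, which is the simplest passing result.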