Use the wrong browser, visit the wrong site, and put your network at risk

Most modern routers enable UPnP – Universal Plug and Play – by default. This might be a good time to reconsider that.

Grant Harrelson has just revealed a complex vulnerability which could make UPnP an Achilles' heel in your network. It is now possible for an attacker to exploit a weakness in UPnP which could let them run loose on your network.

The attack is rather complex, but because it combines common and popular components it is all too easy once you know how to chain DNS rebinding (the multiple A record attack), a JavaScript port scanner, and WebRTC private IP disclosure. The sequence runs like this:

  1. You point your browser, which must be Google Chrome or Firefox (Safari, Opera, and others are not vulnerable), at the malicious web page.
  2. That page first retrieves your private IP address, then runs JavaScript code to discover UPnP ports which are available.
  3. Your browser is then redirected to the attacker’s web server.
  4. Using more JavaScript, the attacker obtains a list of public to private IP address mappings.
  5. That malicious code then takes less than a minute to open up all the devices on your network.
  6. Once open, each device can be attacked one by one, until the router is restarted.

A detailed account of this is here.

So if

  • you are running Chrome or Firefox, and
  • you might browse such a malicious site, and
  • your browser has JavaScript enabled, and
  • your router is vulnerable

be prepared for unwelcome visitors.

The solutions are:

  • only visit trusted websites;
  • don’t use Chrome or Firefox until they are fixed to prevent this;
  • disable JavaScript in your browser;
  • disable UPnP in your router, until its firmware is fixed to ensure that it is no longer vulnerable.

This vulnerability and exploit appear to be independent of the operating system which your computer is running. It is also worth noting that unless you are running a network intrusion detection system (NIDS) or inspecting your router logs frequently, this attack could pass unnoticed for a long time.
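The DNS rebinding step described above leaves a trace that is easy to spot in the router's resolver log: a name outside your own network that resolves to a private address, or that alternates between a public and a private address (the multiple A record variant). The following is an added example, not part of the original article or of Grant Harrelson's work: a Python check that reads dnsmasq-style `reply NAME is ADDRESS` log lines and reports such names. The log excerpt is constructed, the hostnames are made up, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for public addresses; the list of local zone suffixes is an assumption you should adjust to your own network.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges that should never come back for a name that is not part of your own LAN:
# RFC 1918 space plus loopback and link-local. Listed explicitly rather than using
# ipaddress.is_private, which would also classify the documentation ranges below as private.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed local zone suffixes whose names legitimately resolve to LAN addresses.
INTERNAL_SUFFIXES = (".local", ".lan", ".home")

# Constructed sample in dnsmasq "log-queries" reply format; not a real capture.
SAMPLE_LOG = """\
Jan  1 12:00:01 dnsmasq[512]: reply cdn.example.org is 203.0.113.10
Jan  1 12:00:01 dnsmasq[512]: reply cdn.example.org is 203.0.113.11
Jan  1 12:00:05 dnsmasq[512]: reply nas.home is 192.168.1.20
Jan  1 12:00:09 dnsmasq[512]: reply rebind-test.example.net is 198.51.100.7
Jan  1 12:00:09 dnsmasq[512]: reply rebind-test.example.net is 192.168.1.1
Jan  1 12:00:12 dnsmasq[512]: reply loop-test.example.net is 127.0.0.1
"""

REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\d+\.\d+\.\d+\.\d+)$")


def is_lan_address(addr: str) -> bool:
    """True when the address falls inside one of the LAN-only ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def is_internal_name(name: str) -> bool:
    """True when the name belongs to one of the assumed local zones."""
    return name.lower().endswith(INTERNAL_SUFFIXES)


def parse_replies(log_text: str):
    """Yield (name, address) pairs from dnsmasq-style 'reply NAME is ADDR' lines."""
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group("name"), m.group("addr")


def find_rebind_suspects(log_text: str) -> dict:
    """Map each external name that answered with a LAN address to its LAN and public answers.

    A name with both public and LAN answers matches the multiple A record rebinding
    pattern; a LAN-only answer for an external name is still suspicious and is reported.
    """
    answers = defaultdict(set)
    for name, addr in parse_replies(log_text):
        answers[name].add(addr)
    suspects = {}
    for name, addrs in answers.items():
        if is_internal_name(name):
            continue
        lan = sorted(a for a in addrs if is_lan_address(a))
        if lan:
            suspects[name] = {
                "lan": lan,
                "public": sorted(a for a in addrs if not is_lan_address(a)),
            }
    return suspects


if __name__ == "__main__":
    for name, detail in find_rebind_suspects(SAMPLE_LOG).items():
        kind = "multiple A record rebind" if detail["public"] else "LAN-only answer"
        print(f"{name}: {kind}; LAN answers {detail['lan']}, public answers {detail['public']}")
```

The same rule is what dnsmasq's `stop-dns-rebind` option enforces at the resolver, so routers running dnsmasq can block the pattern outright rather than merely log it; the script is useful for routers that only log, or for reviewing a log after the fact.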

Full details are here.