in Technology

Adobe Flash can modify Router’s UPnP Interface

Isn’t it a perfect Sunday to read another lambast of the Flash Player for Security Issues?

Security firms and Interested Institutes keeps stumbling on security issues and vulnerabilities almost every waking hour of the day. Very recently, Google Researchers documented serious vulnerabilities in Adobe Flash SWFs. Another Flash related security issues surfaced about a weeks ago that the Universal Plug and Play (UPnP) interface of your Router may be highly vulnerable to use by hackers seeking to modify their settings — such as choice of DNS Server — from an external location using Flash.

How?

With Adobe Flash, attackers may corrupt the UPnP interface in the router and modify router settings by leveraging simple object access protocol messages (SOAP) to circumvent password protection or even the WPA (Wi-Fi Protected Access) encryption standard on routers.

Attacks generated by exploiting the UpnP interface may be a hundred times more dangerous than a recent attack in the wild using Flash and built on JavaScript host-scanning techniques. Nonetheless, researchers said they do not expect to see widespread exploit. It may be noted that in many cases, UPnP is remotely exploitable without interaction required from the victim, and all the attackers need to know is the IP address of the exploitable device.

The generation of SOAP messages using the Flash plug-in enables the attacker to avoid the problem of password authentication, and the fact that many home routers are configured to accept SOAP messages without any type of authentication compounds the threat, researchers said.

Adobe’s suggestion to the issue

The suggested work-around from Adobe is that malicious router commands delivered via SOAP requests can be circumvented by disabling this functionality in the router. Turning off your UPnP will make life harder and probably your Skype or MSN wont work as flawlessly as before.

You can download a Harmless/Useless Proof of Concept code from GNU Citizen, for demonstration and eduction purposes.

  1. OK,OK... is this only a "Flash thing"? Most client technologies such as Java applets, AJAX, Silverlight and more are also able to generate SOAP requests. Also I think this is a problem of the device manufacturers. Flash could also be used as a UPNP client so it's not bad that it could access this in general.

  2. OK,OK... is this only a "Flash thing"? Most client technologies such as Java applets, AJAX, Silverlight and more are also able to generate SOAP requests. Also I think this is a problem of the device manufacturers. Flash could also be used as a UPNP client so it's not bad that it could access this in general.

  3. Looking at the code it's just setting up a special request and calling navigateToUrl which causes the browser to go to the router URL. Flash is not making the request, the browser is. Flash is just telling the browser to go there.

    This could be done with flash, javascript, or even a plain old html if the user were to click on a link.

  4. Looking at the code it's just setting up a special request and calling navigateToUrl which causes the browser to go to the router URL. Flash is not making the request, the browser is. Flash is just telling the browser to go there.

    This could be done with flash, javascript, or even a plain old html if the user were to click on a link.

Comments are closed.