Submit Your Article
Home Articles News Tutorials Videos Add An Article
Topics: Design Photoshop Programming PHP CSS Java Database Web Development Javascript Ajax
– Close + Open

Find Out More About DevWebPro!

Sign up for the newsletter


» Terms & Conditions

Welcome to the New DevWebPro!

DevWebPro Includes:
  Hundreds Of Tutorials   Developer News
  Unique Gadget Videos   Tons of Topics to Discuss
  Expert Advice   We Will Publish Your Articles

Flash can modify Router’s UPnP Interface

By: Brajeshwar Oinam
Friday, February 1st, 2008
Text: Decrease Font Size Increase Font Size | Print Print Article | Share: Delicious Digg StumbleUpon Post to Twitter Post to Facebook

Isn’t it a perfect day to read another lambast of the Flash Player for Security Issues?

Security firms and Interested Institutes keep stumbling on security issues and vulnerabilities almost every waking hour of the day. Very recently, Google Researchers documented serious vulnerabilities in Adobe Flash SWFs. Another Flash related security issues surfaced about a week ago that the Universal Plug and Play (UPnP) interface of your Router may be highly vulnerable to use by hackers seeking to modify their settings — such as choice of DNS Server — from an external location using Flash.

How?

With Adobe Flash, attackers may corrupt the UPnP interface in the router and modify router settings by leveraging simple object access protocol messages (SOAP) to circumvent password protection or even the WPA (Wi-Fi Protected Access) encryption standard on routers.

Attacks generated by exploiting the UpnP interface may be a hundred times more dangerous than a recent attack in the wild using Flash and built on JavaScript host-scanning techniques. Nonetheless, researchers said they do not expect to see widespread exploit. It may be noted that in many cases, UPnP is remotely exploitable without interaction required from the victim, and all the attackers need to know is the IP address of the exploitable device.

The generation of SOAP messages using the Flash plug-in enables the attacker to avoid the problem of password authentication, and the fact that many home routers are configured to accept SOAP messages without any type of authentication compounds the threat, researchers said.

Adobe’s suggestion to the issue

The suggested work-around from Adobe is that malicious router commands delivered via SOAP requests can be circumvented by disabling this functionality in the router. Turning off your UPnP will make life harder and probably your Skype or MSN wont work as flawlessly as before.

You can download a Harmless/Useless Proof of Concept code from GNU Citizen, for demonstration and eduction purposes.

Topics: , , , ,

About the Author:
Brajeshwar is an ace digerati and an ardent believer of KISS (Keep It Simple Stupid), he envisions pushing the technical envelope time and again for the betterment of commercial and practical applications. http://www.brajeshwar.com/

Leave a Comment

DevWebPro » WebMasterFree.com CSSJuice.com Code-Sucks.com MySpaceAntics.com FreeMacWare.com FreeMacBlog.com
Small Business
Videos | Top News | Blog Talk
Expert Articles | Directories
E-Business
Videos | Top News | Blog Talk
Expert Articles | Directories | WebProWorld
Information Technology
IT Directory | IT Resources | SecurityProNews
Videos | Advertise | About Us | Newsletter
2549 Richmond Road Second Floor Lexington, KY 40509 | Phone: (859) 514-2720 | Fax: (859) 219-9065
Newsletter Archive | RSS Feeds | Terms & Conditions
DevWebPro is an iEntry Network ® publication - © 1998-2010 All Rights Reserved