| docs:guide-user:firewall:upnp:upnp_setup [2018/03/04 16:18] – ↷ Page moved and renamed from docs:guide-user:firewall:upnp to docs:guide-user:firewall:upnp:upnp_setup bobafetthotmail | docs:guide-user:firewall:upnp:upnp_setup [2024/11/29 14:48] – [Universal Plug'n'Play and NAT-PMP on OpenWrt] Grammar memicinn19 |
|---|---|
| ====== Universal Plug'n'Play and NAT-PMP on OpenWrt ====== | ====== Universal Plug'n'Play and NAT-PMP on OpenWrt ====== |
| |
| [[wp>Universal_Plug_%27n%27_Play|UPnP (Universal Plug'n'Play)]] is a protocol that enables programs running on a host to automatically configure port forwardings on their NAT router. UPnP basically allows a program to make the router open the necessary ports, without any intervention from the user and without any check. For this reason, there is a security risk associated with enabling UPnP on your router: technically a worm or malware program could use this function to compromise security for the entire LAN. | [[wp>Universal_Plug_%27n%27_Play|UPnP (Universal Plug'n'Play)]] is a protocol that enables programs running on a host to automatically configure port forwardings on their NAT router. UPnP basically allows a program to make the router open the necessary ports, without any intervention from the user and without any check. For this reason, there is a security risk associated with enabling UPnP on your router: technically a worm or malware program could use this function to compromise security for the entire LAN. |
| |
| Thus, it is recommended to set up port forwarding manually whenever possible, and leave UPnP disabled. However, in some cases dynamic port forwarding is required and manual port forwarding becomes impractical, leaving the user with no other option than to enable UPnP. | Thus, it is recommended to set up port forwarding manually whenever possible, and leave UPnP disabled. However, in some cases dynamic port forwarding is required and manual port forwarding becomes impractical, leaving the user with no other option than to enable UPnP. |
| |
| [[wp>NAT-PMP|NAT-PMP]] is a protocol similar to UPnP that is currently an IETF standard, and a number of Windows and Linux applications support it. | [[wp>NAT-PMP|NAT-PMP]] and its newer version [[wp>Port_Control_Protocol|PCP]] are simpler binary protocols similar to UPnP; both are IETF standards, and a number of Windows and Linux applications support them. NAT-PMP was originally developed by Apple for its routers but did not receive wide adoption. |
| |
| ===== Setting up UPnP in backfire ===== | ===== Security Concerns ===== |
| |
| {{:meta:icons:tango:48px-emblem-important.svg.png?nolink |Important!}} CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]]. | {{:meta:icons:tango:48px-emblem-important.svg.png?nolink |Important!}} CAUTION: mixing up WAN and LAN interfaces may introduce [[https://community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities|security risks]]! See also [[https://www.kb.cert.org/vuls/id/184540|Incorrect implementation of NAT-PMP in multiple devices]]. |
| |
| miniupnpd in Backfire is vulnerable to remote code execution [[http://www.cvedetails.com/cve/CVE-2013-0230|CVE-2013-0230]]. It is strongly recommended not to use UPnP on this OpenWRT version. You can check your device with Metasploit: | miniupnpd in OpenWrt 10 Backfire is vulnerable to remote code execution [[http://www.cvedetails.com/cve/CVE-2013-0230|CVE-2013-0230]]. It is strongly recommended not to use UPnP on this OpenWRT version. |
| <code>msfconsole | |
| msf> | |
| msf > use auxiliary/scanner/upnp/ssdp_msearch | |
| msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24 | |
| msf auxiliary(ssdp_msearch) > run | |
| </code> | |
| See something like | |
| <code> | |
| [*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml | |
| [+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230) | |
| </code> | |
| |
| The repositories for OpenWrt Backfire contain minidlna and miniupnpd to provide UPnP support. They are configured in ''[[docs:guide-user:services:media_server:minidlna|/etc/config/minidlna]]'' or ''[[docs:guide-user:firewall:miniupnpd|/etc/config/miniupnpd]]'' respectively. Note that the minidlna package is quite large, and may not fit on routers with a fresh install of OpenWrt. If you are only looking for UPnP functionality, miniupnpd is all you need. | ===== Setting up UPnP in OpenWrt ===== |
| |
| To enable or disable NAT-PMP, edit the /etc/config/upnpd file: | The repository for OpenWrt contains ''minidlna'' and ''miniupnpd'' to provide UPnP support. They are configured in ''[[docs:guide-user:services:media_server:minidlna|/etc/config/minidlna]]'' or ''[[docs:guide-user:firewall:upnp:miniupnpd|/etc/config/miniupnpd]]'' respectively. Note that the ''minidlna'' package is quite large, and may not fit on routers with a fresh install of OpenWrt. If you are only looking for UPnP functionality, ''miniupnpd'' is all you need. |
| |
| | Once ''miniupnpd'' is installed, it may be necessary to take an additional step to enable it. |
| | Navigate to ''Services'' > ''UPnP'', and ensure that the ''Start service'' option is enabled. |
| | If it is not, enable it, and click on ''Save & Apply''. |
| | |
| | You can do this from a command line: |
| <code> | <code> |
| option 'enable_natpmp' '1' | uci set upnpd.config.enabled=1 |
| option 'enable_upnp' '0' | uci commit |
| | /etc/init.d/miniupnpd restart |
| </code> | </code> |
| |
| Also, you need to apply [[https://dev.openwrt.org/changeset/25251|changeset 25251]]: it is basically a matter of editing /etc/init.d/miniupnpd, something you can do directly on your live router using nano. Be advised that if the patch is not applied correctly, miniupnpd might stop working. | ==== Troubleshooting ==== |
| |
| Finally, you may need to execute the following command: | Read logs with ''logread -e miniupnpd''. |
| |
| <code> | You can enable verbose logs: |
| root@OpenWrt:~# uci set upnpd.config.enable_natpmp=1 | <code> |
| root@OpenWrt:~# /etc/init.d/miniupnpd restart | uci set upnpd.config.log_output=1 |
| | uci commit |
| | /etc/init.d/miniupnpd restart |
| </code> | </code> |
| |
| Once miniupnpd is installed, it may be necessary to take an additional step to enable it. Navigate to System > Startup, and ensure that the miniupnpd entry is enabled. If it is not, enable it, and click on start. | Use [[https://manpages.debian.org/unstable/miniupnpc/upnpc.1.html|miniupnpc]] to open a port with UPnP. |
| | Or use [[https://manpages.debian.org/bookworm/natpmpc/natpmpc.1.html|natpmpc]] for NAT-PMP/PCP. |
| |
| ==== Checking if UPnP is working ==== | The GUI tool [[https://gitlab.gnome.org/DnaX/upnp-router-control|UPnP Router Control]] lets you see network usage and the currently open ports. |
| |
| Click on Status > Firewall. If UPnP has been properly enabled, the chains zone_wan_forward and zone_wan_prerouting will both contain an entry named "miniupnpd". Additionally, if you have any UPnP applications running, you will be able to find their port mappings. Note that if you have just enabled UPnP, your applications may need to be restarted in order to reconfigure the firewall. | Some apps, like Transmission, can open a port with both UPnP and NAT-PMP/PCP. Internally they use the ''libminiupnpc'' and ''libnatpmp'' libraries from the ''miniupnpd'' author. |
| |
| ==== Checking if NAT-PMP is working ==== | |
| | === Checking if UPnP is working === |
| | |
| | Click on ''Status'' > ''Firewall''. If UPnP has been properly enabled, the chains ''zone_wan_forward'' and ''zone_wan_prerouting'' will both contain an entry named ''miniupnpd''. Additionally, if you have any UPnP applications running, you will be able to find their port mappings. Note that if you have just enabled UPnP, your applications may need to be restarted in order to reconfigure the firewall. |
| | |
| | === Checking if NAT-PMP is working === |
| |
| From a shell, issue the command: | From a shell, issue the command: |
| |
| <code> | <code> |
| root@oberon:~# logread | grep -i "\-pmp" | logread -e "\-PMP" |
| </code> | </code> |
| |
| |
| <code> | <code> |
| Mar 24 21:16:59 OpenWrt daemon.notice miniupnpd[2631]: Listening for NAT-PMP traffic on port 5351 | Listening for NAT-PMP/PCP traffic on port 5351 |
| </code> | </code> |
| |
| As UPnP provides no authentication mechanisms, it is commonly regarded as one giant security hole. A great deal of concern was also generated by the discovery of a buffer overflow vulnerability in the UPnP stack of Windows XP in 2001, which made it possible to obtain SYSTEM level access, and some institutions recommended disabling it altogether. For a historical perspective, see this page from [[http://www.grc.com/unpnp/unpnp.htm|Gibson Research]]. | As UPnP provides no authentication mechanisms, it is commonly regarded as one giant security hole. A great deal of concern was also generated by the discovery of a buffer overflow vulnerability in the UPnP stack of Windows XP in 2001, which made it possible to obtain SYSTEM level access, and some institutions recommended disabling it altogether. For a historical perspective, see this page from [[http://www.grc.com/unpnp/unpnp.htm|Gibson Research]]. |
| |
| It has also been speculated that the design flaws in UPnP would lead to the development of a new class of attacks relying on UPnP. More information about this and possible exploits can be found on [[http://www.upnp-hacks.org/|UPnP Hacks]]. | It has also been speculated that the design flaws in UPnP would lead to the development of a new class of attacks relying on UPnP. For more information about this and possible exploits, see the talk [[https://www.youtube.com/watch?v=rseMaljMcBY|Martin Zeiser: UPnP - Universal Pwn n Play]]. |
| | |
| | ==== Check if a router has the insecure UPnP ==== |
| | |
| | You can check your device with [[https://www.metasploit.com/|Metasploit]]: |
| | <code> |
| | msfconsole |
| | msf> |
| | msf > use auxiliary/scanner/upnp/ssdp_msearch |
| | msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24 |
| | msf auxiliary(ssdp_msearch) > run |
| | </code> |
| | See something like |
| | <code> |
| | [*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml |
| | [+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230) |
| | </code> |
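An added shell example (not code from the OpenWrt wiki) that ties together the enabling, troubleshooting and NAT-PMP checking steps in the revisions above: it audits a constructed ''uci show upnpd'' dump and constructed ''miniupnpd'' log lines, reporting which protocols are enabled, whether the external and internal interfaces look mixed up (the WAN/LAN caution in the Security Concerns section), and whether the NAT-PMP/PCP listener came up. The option names ''external_iface'' and ''internal_iface'' are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki page: audit an upnpd configuration
# dump and miniupnpd log lines the way a defender would on a live router.
# Real input would come from `uci show upnpd` and `logread -e miniupnpd`;
# both samples below are constructed so the script runs offline.
# Option names external_iface/internal_iface are assumptions, not from the page.

UCI_SAMPLE='upnpd.config=upnpd
upnpd.config.enabled=1
upnpd.config.enable_natpmp=1
upnpd.config.enable_upnp=0
upnpd.config.log_output=1
upnpd.config.external_iface=wan
upnpd.config.internal_iface=lan'

LOG_SAMPLE='Mar 24 21:16:59 OpenWrt daemon.notice miniupnpd[2631]: HTTP listening on port 5000
Mar 24 21:16:59 OpenWrt daemon.notice miniupnpd[2631]: Listening for NAT-PMP/PCP traffic on port 5351'

# uci_opt DUMP NAME: print the value of upnpd.config.NAME (empty if unset)
uci_opt() {
    printf '%s\n' "$1" | sed -n "s/^upnpd\.config\.$2=//p"
}

# service_summary DUMP: disabled | upnp | natpmp | upnp+natpmp | none
# (an option missing from the dump counts as 0 here)
service_summary() {
    [ "$(uci_opt "$1" enabled)" = "1" ] || { echo disabled; return 0; }
    case "$(uci_opt "$1" enable_upnp)$(uci_opt "$1" enable_natpmp)" in
        11) echo upnp+natpmp ;;
        10) echo upnp ;;
        01) echo natpmp ;;
        *)  echo none ;;
    esac
}

# iface_check DUMP: "ok" when both interfaces are set and distinct, "mixed"
# otherwise (the WAN/LAN mix-up the page warns about)
iface_check() {
    ext=$(uci_opt "$1" external_iface); int=$(uci_opt "$1" internal_iface)
    if [ -n "$ext" ] && [ -n "$int" ] && [ "$ext" != "$int" ]; then echo ok; else echo mixed; fi
}

# natpmp_listening LOG: exit 0 if miniupnpd logged its NAT-PMP/PCP listener
natpmp_listening() {
    printf '%s\n' "$1" | grep -q 'Listening for NAT-PMP'
}

echo "service: $(service_summary "$UCI_SAMPLE"), interfaces: $(iface_check "$UCI_SAMPLE")"
natpmp_listening "$LOG_SAMPLE" && echo "NAT-PMP/PCP listener is up"
```

On a router, replace the two samples with `uci show upnpd` and `logread -e miniupnpd` output; a "mixed" result or a missing listener line is the first thing to fix before trusting any port mapping.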