Official eMule-Board: Upnp Support - Official eMule-Board

Upnp Support: add UPnP support for router please

#1 god_I-pardon-you

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 24-April 05

Posted 24 April 2005 - 04:43 AM

Could you add UPnP support for router please?

#2 dani_555

  • Platinum eMule
  • Group: Members
  • Posts: 2913
  • Joined: 22-March 04

Posted 24 April 2005 - 03:00 PM

It would be nice to see this in the official client. :)

#3 No-Way

  • Splendid Member
  • Group: Banned
  • Posts: 168
  • Joined: 11-April 05

Posted 24 April 2005 - 03:34 PM

:shock:

No Way!!! :-1:

I first heard about it on NPR. Windows XP had a major security flaw [1,2], even Microsoft was saying that this one was serious. That got my attention as Microsoft generally denied the importance of security flaws claiming that the flaw 'isn't in the wild' or 'doesn't affect real users' or 'has never been used', etc. What really focused my attention was when I found out that the flaw was in a system called Universal Plug and Play. I was the network architect for UPnP and was the lead author for SSDP, the algorithm at the center of the security hole. You can imagine the shape my stomach was in at the thought that I might be responsible for a security hole so egregious that even Microsoft agreed it was a problem.

So I decided to investigate.

The three holes that have been found so far are:
  • A buffer overflow that allows a remote machine to take over the UPnP machine.
  • Performing an HTTP GET without checking how much information has been downloaded, which allows an attacker to cause the machine to run out of memory.
  • Not checking for excessive network announcements that leaves UPnP machines open to be used for DDOS attacks.

As a member of the architecture team my job was to write specifications; the actual code was developed by a separate program management/development/test team. So it's tempting to just write the first two holes off as typical bad Microsoft programming practices. But the uncomfortable reality is that I was fully aware that the UPnP team's programming/testing practices left something to be desired. For example, at one point a snippet of code from the checked in source tree, real code that was supposed to ship in the final product, was sent around and a contest was held to see who could figure out what it was supposed to do. I say supposed to do because the code didn't actually work. There were two contests, one for developers and one for PMs. I won the PM contest. The page of code was an AtoI function. Once you fixed the endless loop it turned out to require O(N^2) iterations where N was the number of digits in the original ASCII number.

We had one or two testers depending on what other projects were around and only one of the testers understood what was going on and she could only cover a tiny bit of the code base. When I worked for IE the rule of thumb for network code was to have between 2 and 3 testers per developer, although we were lucky to have a 1 to 1 ratio. As a side note, the testers we did have for networking in IE were absolutely rock solid and easily the equivalent of 2 bodies apiece. UPnP had something like 2 testers for 5 or so developers.

Yes, I talked about the problem with the group's management. Yes, I talked about the problem with several of the testers and developers on the team. Some cared, most didn't. Eventually those of us who had any pride in our work just got up and left. Without support from management there really wasn't much else to do. The feeling of apathy and doom was pretty consistent throughout the project.

The third hole was a known problem. I had even written up a fairly nice way to deal with it. But I was shot down. The team felt that the threat was so small it wasn't worth dealing with. Microsoft seems to view security as primarily a PR issue and the third bug just didn't seem to be much of a PR threat.

Bug #1 - The Buffer Overflow
Sending a stream of NOTIFY messages at the right frequency with the right content will cause a buffer overflow. Even worse, the overflow behavior is apparently fairly predictable so that a knowledgeable attacker can use the overflow to take control of the machine. For what it's worth Microsoft software development practices at the time specifically required looking for buffer overflow and tools were available to check for them but I have it on fairly good authority that no serious attempts were ever made to detect overflow conditions.

Bug #2 - The Unchecked Buffer
When the client receives a NOTIFY it takes the URL in the location header, which points to the device's description, and executes an HTTP GET. My guess is that what happens next is that UPnP tries to download the description and once the download is complete then tries to parse it. The problem is - what if the server is malicious and sends an infinite length response? In that case UPnP will suck up the data until it finally runs out of memory, which is exactly what the www.eeye.com attack does.

Bug #3 - Assuming there is no evil in the world
The third bug is a bit more subtle. UPnP by its nature is the potential basis for a DDOS attack. This is unavoidable in a distributed, un-administered discovery service. The attack is to send out a multicast announcement saying "I'm a new service, find out about me" then include a URL that points at some victim's server.

Every machine within range of the multicast will make a GET request to the URL. This isn't so bad in itself since each machine will only send out one GET. What's bad is that the black hat could just keep pumping out announcements, all pointing to the same victim's machine. This acts as a request multiplier since every one announcement the bad guy sends out will result in N GET requests.

There is no un-administered way to stop this kind of attack but it can be slowed down to the point of not being very useful to black hats by doing simple analysis of announcement behavior. UPnP when run only in the administrative scope was designed to handle 20 to 50 discoverable devices. Think about a typical home or small office (the target markets for V1 of UPnP). Even with 802.11b and intelligent refrigerators the average office isn't going to have more than say 50 devices maximum. If the client finds itself having to deal, in a short period of time, with more than 50 unique devices or with more than a few announcements per second then something has clearly gone wrong and the UPnP service should temporarily de-activate itself. Section 6.3.1 of v1-03 discusses just such an auto-shut off algorithm. We had developed a specification for the algorithm which would have explicitly defined 'best practices' for dealing with this type of situation but it was pulled from the specification at the last minute because the development team, over my objections, did not feel that the threat was sufficient to justify the effort of implementing the algorithm.

Losing the auto-shut off algorithm really hurt. I fought hard to keep it but eventually the lead developer just said straight out that he didn't care what I thought, he wasn't going to implement it. He went to the head of the architecture group and complained that I wasn't a team player. I was given clear marching orders - cut the section. All I could get them to agree to was to leave in the section describing the problem but not put in the solution. I was hoping this would eventually lead to us introducing the auto-shut off algorithm but I left the team soon after and no one seems to have followed up.
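The auto-shut-off idea described in post #3 (stop reacting once more than 50 unique devices or more than a few announcements per second show up), sketched as an added example; it is not code from the post, from the UPnP specification or from any eMule mod. The per-second limit, the window and the cool-down are assumptions, since the post gives only the 50-device figure, and the sample NOTIFY messages are constructed.

```python
import time
from collections import deque

MAX_UNIQUE_DEVICES = 50    # from the post: UPnP v1 was sized for 20 to 50 devices
MAX_PER_SECOND = 3         # assumption: the post only says "a few announcements per second"
WINDOW = 60.0              # assumption: the "short period of time", in seconds
COOLDOWN = 300.0           # assumption: how long discovery stays switched off

def parse_notify(raw: bytes) -> dict:
    """Return the headers of an SSDP NOTIFY as a dict with upper-case names."""
    lines = raw.decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("NOTIFY "):
        raise ValueError("not a NOTIFY message")
    pairs = (ln.split(":", 1) for ln in lines[1:] if ":" in ln)
    return {name.strip().upper(): value.strip() for name, value in pairs}

class AnnouncementGuard:
    """Decides whether a NOTIFY may trigger a GET of its LOCATION URL."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.seen = deque()                   # (arrival time, USN) inside WINDOW
        self.disabled_until = float("-inf")

    def allow(self, raw: bytes) -> bool:
        now = self.clock()
        if now < self.disabled_until:
            return False                      # shut off: drop without fetching anything
        usn = parse_notify(raw).get("USN", "")
        while self.seen and now - self.seen[0][0] > WINDOW:
            self.seen.popleft()               # forget announcements older than WINDOW
        self.seen.append((now, usn))
        unique = len({u for _, u in self.seen})
        last_second = sum(1 for t, _ in self.seen if now - t < 1.0)
        if unique > MAX_UNIQUE_DEVICES or last_second > MAX_PER_SECOND:
            self.disabled_until = now + COOLDOWN
            self.seen.clear()
            return False
        return True

def notify(usn: str, location: str) -> bytes:
    """Build a constructed sample NOTIFY (not captured traffic)."""
    return (f"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            f"NTS: ssdp:alive\r\nUSN: {usn}\r\nLOCATION: {location}\r\n\r\n").encode()
```

When `allow()` returns False the client skips the GET of LOCATION entirely, so repeated announcements are no longer multiplied into requests against the URL they name.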

#4 god_I-pardon-you

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 24-April 05

Posted 24 April 2005 - 10:21 PM

:o :confused: :shock:

oh god............


but I still want the UPnP function.

#5 MoNKi

  • Magnificent Member
  • Group: Members
  • Posts: 396
  • Joined: 17-October 02

Posted 24 April 2005 - 11:26 PM

No-Way, the current code of UPnP in some eMule mods does not use the Windows XP services, it uses a ported Linux library and is automatically disabled if you are directly connected to the internet (no router).

The problem in WinXP has been fixed for more than a year or two now.
Sorry for my poor English.

www.monki.es

#6 No-Way

  • Splendid Member
  • Group: Banned
  • Posts: 168
  • Joined: 11-April 05

Posted 25 April 2005 - 01:45 PM

Microsoft fixed the Buffer Overflow. :respect:

And what about all other security flaws? :confused:

#7 MoNKi

  • Magnificent Member
  • Group: Members
  • Posts: 396
  • Joined: 17-October 02

Posted 25 April 2005 - 11:00 PM

No-Way, on Apr 25 2005, 03:45 PM, said:

Microsoft fixed the Buffer Overflow.  :respect:

And what about all other security flaws?  :confused:

Well, I really don't know, but I'm pretty sure all was fixed. But again, we do not use Microsoft code or services.
Sorry for my poor English.

www.monki.es

#8 GurliGebis

  • Splendid Member
  • Group: Members
  • Posts: 142
  • Joined: 10-October 02

Posted 11 May 2005 - 04:41 PM

Universal Plug'N'Play is several things.
The client (READ CLIENT!!) part is attackable if coded correctly for portmapping.

The general idea of UPNP is to be able to put all kinds of devices on a LAN and have them communicate, and some of those used to be causing security issues.

So, enabling UPNP portmapping in emule causes no security threat to the system.
There is quite a difference in running a program that uses UPNP to open a port in the router, and running the service.

Compare it with running an FTP server and client. The security problems are the same here, looked at from the client side at least.

#9 leexgx

  • UK MAD FOR LESS
  • Group: Members
  • Posts: 2533
  • Joined: 04-November 02

Posted 12 May 2005 - 01:15 AM

The problem is Windows turns off the UPnP support out of the box (you need to go to the firewall settings in Windows and tick "use UPnP framework"), so most n00bs probably won't even be using it, as it will not be able to connect to the router.

But I think any Morph-based mod has its own built-in UPnP client, so I don't know if that needs it to be ticked or not (it opens the ports for you).

And probably yes, it can be a security risk, as all you have to say is unblock to a remote admin tool and you never know (small chance it happens though; SP2 has fixed it mostly).
in and around

#10 lunks

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 13-May 05

Posted 13 May 2005 - 12:44 PM

I'd like to request it, too.

#11 leexgx

  • UK MAD FOR LESS
  • Group: Members
  • Posts: 2533
  • Joined: 04-November 02

Posted 14 May 2005 - 02:23 AM

lol

Quote

No-Way  Apr 24 2005, 03:34 PM Post #3 


Splendid Member


Group: Banned
Posts: 168
Joined: 11-April 05
Member No.: 221013

in and around

#12 JediNight2002

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 28-August 04

Posted 14 May 2005 - 08:58 PM

If eMule is to keep up in the ocean of P2P software out there then it MUST incorporate UPnP.

The VAST majority of users do not know how to setup their router firewalls in order for eMule to work - if they cannot easily get eMule to work then they will move onto a different program and the network will cease to grow.

UPnP, like any new software idea has the POTENTIAL to be exploited and cause harm, but only if that exploit is unaccounted for. Stop being so bloody pessimistic people!!!

UPnP is a very necessary concept with the move to 'always-on' internet connectivity and the increasing number of online programs and devices that need to get through firewalls.

I find it very interesting that people are posting on a technology/pc/software forum basically saying "no, we don’t ever want that because it broke once" - would the world be where it is now with attitudes like that????

Not only that, but if you don't like it - just bloody disable it!!!

eMule MUST become UPnP compatible.

#13 FAQ

  • Member Goofy
  • Group: Banned
  • Posts: 1384
  • Joined: 05-May 05

Posted 15 May 2005 - 10:37 AM

leexgx, on May 14 2005, 03:23 AM, said:

lol

Quote

No-Way   Apr 24 2005, 03:34 PM Post #3 


Splendid Member


Group: Banned
Posts: 168
Joined: 11-April 05
Member No.: 221013


LOL!!! Did he get banned for this post? :lol: :lol: :lol:

Anyway, I think people should learn how to configure their routers. :-k

I don't think UPnP is enabled by default, so they must configure their router, LOL!!! :D

#14 chrisi84

  • Newbie
  • Group: Members
  • Posts: 3
  • Joined: 18-June 05

Posted 18 June 2005 - 04:14 PM

Please add UPnP-Support.

#15 fractal.design

  • '///.
  • Group: Members
  • Posts: 1107
  • Joined: 21-October 04

Posted 19 June 2005 - 03:32 AM

I vote :+1:
M$ has to fix its own flaws,

eMule has to use the best options to keep up with the n00b factor.

In my eyes: UPnP = 0 Low ID :+1:
A better informed userbase means more speed for everyone.
HeavyMetal Helmet Warrior for the T.W.O.


#16 qm2003

  • V.I.P. (Volatile Indifferent Puppet)
  • Group: Members
  • Posts: 4441
  • Joined: 06-November 03

Posted 19 June 2005 - 08:13 AM

Including UPNP (in whatever form) has some downside effect, too.

A spoiled n00b stays a n00b.

If the devs decide to include this feature, it should be disabled by default.
This way noobs still have to read the docs, to know this feature exists and can be enabled.
How to setup Emule. A small checklist | Schmu's MuleDoc
P2P is not piracy, it's marketing.
In fact, if your music or movie is NOT being downloaded, you should be WORRIED !
If you can't even give it away for free, how do you expect to sell it, stupid ?


I'm a bloodsucking fiend. Look at my outfit !

#17 fractal.design

  • '///.
  • Group: Members
  • Posts: 1107
  • Joined: 21-October 04

Posted 19 June 2005 - 08:29 AM

Sometimes it's better to have a spoiled n00b as High ID, than a spoiled n00b as Low ID.

Enable by default = everyone (mostly) is High ID :+1:

Some people just aren't into reading loads of documentation when all they want to do is share files.
A better informed userbase means more speed for everyone.
HeavyMetal Helmet Warrior for the T.W.O.


#18 qm2003

  • V.I.P. (Volatile Indifferent Puppet)
  • Group: Members
  • Posts: 4441
  • Joined: 06-November 03

Posted 19 June 2005 - 09:32 AM

Well, we probably see things a bit different. ;)

In my world, people who take the time of reading documentation and trying to understand how things work, should have a real advantage over people who are just too lazy.

:)
How to setup Emule. A small checklist | Schmu's MuleDoc
P2P is not piracy, it's marketing.
In fact, if your music or movie is NOT being downloaded, you should be WORRIED !
If you can't even give it away for free, how do you expect to sell it, stupid ?


I'm a bloodsucking fiend. Look at my outfit !

#19 fractal.design

  • '///.
  • Group: Members
  • Posts: 1107
  • Joined: 21-October 04

Posted 19 June 2005 - 09:59 AM

But who gets the advantage?
In a p2p system where everyone = network I think everyone is at a disadvantage if n00bs are low ID.

If everyone was High ID, everyone would be better off (better server, better Kad).

What you are saying only makes sense in a network where the content is hosted on some magnificent server. And the only way to get good service was to know a little something more. In this scenario I would agree with you. Knowledge is power.

But with ed2k, it's a big sorta communist setup, where everyone benefits (and loses) according to how everyone else is doing.

Maybe a compromise.

Enable UPnP (when it's added to emule) by default.
And have various links to documentation (To show how it works) throughout.

I feel if everyone had their router working sweet, there would be a better ed2k, and not to mention less support forum posts.
A better informed userbase means more speed for everyone.
HeavyMetal Helmet Warrior for the T.W.O.


#20 dani_555

  • Platinum eMule
  • Group: Members
  • Posts: 2913
  • Joined: 22-March 04

Posted 19 June 2005 - 11:50 AM

In my opinion there should be a new option in the first-start-wizard to explain what UPnP is and how to use it (in some routers you have to activate UPnP-support first), if the devs are going to implement it.