3.2.5 Step 4: Eventing
Control points keep state, which devices can read out. A device can register with
the control point to receive event messages whenever the value of a so-called state
variable has changed. It does so by sending a request to the control point:
SUBSCRIBE /upnp/event/wanpppcpppoa HTTP/1.1
Host: 10.0.0.138
Callback: <http://10.0.0.150:5000/notify>
Timeout: Second-1800
NT: upnp:event
After a device has registered with a control point, it first receives a message with
the current values of all evented state variables, and from then on it receives an
update whenever the value of a variable changes. These messages are sent to every
URL listed in the Callback header.
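As an added illustration of the exchange above (not code from the paper), the following parses the SUBSCRIBE request quoted in the text, lists which callback URLs fall outside a given LAN (every state change is delivered to them, so a subscriber review should surface such entries), and extracts the state variables from the propertyset body of a NOTIFY message. The NOTIFY body and its variable values are constructed for the example; the network prefix is an assumed parameter.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EVENT_NS = "urn:schemas-upnp-org:event-1-0"  # namespace of NOTIFY propertysets

def parse_subscribe(raw):
    """Return (event path, headers, callback URLs, timeout in seconds or None)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = head[0].split(" ", 2)
    if method != "SUBSCRIBE":
        raise ValueError("not a SUBSCRIBE request")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (line.partition(":") for line in head[1:])}
    callbacks = re.findall(r"<([^>]+)>", headers.get("callback", ""))  # each URL sits in <...>
    m = re.fullmatch(r"Second-(\d+)", headers.get("timeout", ""), re.IGNORECASE)
    return path, headers, callbacks, (int(m.group(1)) if m else None)

def offsite_callbacks(callbacks, lan):
    """Callback URLs that are not plain http to a literal address inside `lan`
    (assumed prefix); the device delivers every state change to these URLs."""
    net = ipaddress.ip_network(lan)
    flagged = []
    for url in callbacks:
        p = urlparse(url)
        try:
            inside = p.scheme == "http" and ipaddress.ip_address(p.hostname) in net
        except ValueError:  # hostname is not a literal IP address
            inside = False
        if not inside:
            flagged.append(url)
    return flagged

def parse_notify_body(xml_text):
    """Extract {state variable: value} from the propertyset carried by a NOTIFY."""
    values = {}
    for prop in ET.fromstring(xml_text).findall("{%s}property" % EVENT_NS):
        for var in prop:
            values[var.tag] = (var.text or "").strip()
    return values

# Constructed samples: the request quoted in the text, and an invented NOTIFY body
SAMPLE_SUBSCRIBE = ("SUBSCRIBE /upnp/event/wanpppcpppoa HTTP/1.1\r\nHost: 10.0.0.138\r\n"
                    "Callback: <http://10.0.0.150:5000/notify>\r\nTimeout: Second-1800\r\n"
                    "NT: upnp:event\r\n\r\n")
SAMPLE_NOTIFY = ('<e:propertyset xmlns:e="%s"><e:property>'
                 '<ExternalIPAddress>203.0.113.7</ExternalIPAddress></e:property>'
                 '<e:property><PortMappingNumberOfEntries>3</PortMappingNumberOfEntries>'
                 '</e:property></e:propertyset>' % EVENT_NS)
```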
3.2.6 Step 5: Presentation
Presentation is about how a device “presents” itself to normal human beings. It
nearly always comes down to being able to control the UPnP device via a web
interface.
4 UPnP security attacks
UPnP is not a very complex protocol, but it is far-reaching, especially when port
mappings can be done via UPnP. Implementation errors in the UPnP protocol stacks
of devices, and also omissions in the specifications, enable an attacker to do quite
severe things, including hijacking of network traffic, anonymous proxying of network
traffic and exposure of trusted machines to untrusted external networks.
This section describes a range of attacks which are possible with UPnP in general,
or with specific implementations of UPnP. These attacks all originate from within
the LAN, where a user or malicious program possibly already has full access to
some or all machines in the LAN. Tunnels to the outside are easily created in such
a setup. It can be argued that because access to the internal LAN is a prerequisite
for everything described in this paper these attacks should not be regarded as real
attacks. However, I think that the ease with which a firewall can be completely
reconfigured makes it a big enough threat:
• It takes no special privileges to reconfigure a UPnP-enabled firewall.
• Changes to the firewall done via UPnP are often persistent across reboots of
the Internet Gateway Device and not always easy to remove.
• A computer that has been taken over by a virus, spyware or cracker is relatively
easy to detect, but a reconfigured router is a lot harder to find, especially
when the router is complying with all standards it implements.
4.1 Exposing internal machines to outside networks
The portmapping feature described earlier is convenient if you want to have ports
forwarded to your own machine, but it can also be abused to forward ports on