CSRF over Flash

By cyberphob1a

With great interest I read the research and the corresponding FAQ by pdp and pagvac at GNUCitizen about UPnP insecurity. In a nutshell, they found out that with Adobe Flash it’s possible to change UPnP settings in the internal network over the Internet. This is due to the Flash function navigateToURL, which allows crafting arbitrary HTTP requests. They published their results because they had nobody to report them to.

“[...] we cannot go to any vendor to ask for a solution, because it is not a bug what we have to deal with, but rather a combination of design problems. It is an issue, which needs to be resolved right now and the only way to do that is to go public with whatever we’ve got on our table. [...] The attack is based on the navigateToURL function and the URLRequest object. Both of them are used as described in the Flash ActionScript specifications.”

While it’s true that these two functions work as they were designed to, in my opinion that does not mean it isn’t a flaw in Flash. Even though the functions cannot be used to read the response to the HTTP request, it should not be possible to craft arbitrary HTTP requests in the first place.

Actually, while I was writing the above paragraph, I thought about the enctype attribute of the HTML <form> tag. Setting it to application/xml might yield the same results. A short test showed, however, that at least Firefox still uses the application/x-www-form-urlencoded content type even when enctype is set to application/xml. I have not been able to try it with other browsers, but since the HTML 4 specification defines enctype as the content type, I don’t think all browsers are as considerate as Firefox (or perhaps my HTML crafts were too weak to get it right).

So, to sum up: I agree that this is a design flaw. The design should not allow arbitrary HTTP requests to be sent out, so it’s a design flaw in Flash (probably among others). The implications of the flaw are not limited to exploiting UPnP: practically every unauthenticated web service on the internal network is at risk. The attacker cannot read a response, but can change any settings he wants. This makes the flaw a kind of CSRF-like vulnerability.

A good implementation is the XMLHttpRequest API: because of the same-origin policy, it refuses to send requests to other domains. This behaviour should be replicated by every means of sending out requests. It’s not the best solution (I’d rather propose a general solution for CSRF ;) but it’s the only idea I have.
