Flash Can Modify Router’s UPnP Interface

Friday, February 1, 2008 by Mistlee


Well our office is haunted it seems. In my absence someone has been playing with my Wonder Woman doll. It also appears that our nightly ghost decided to overclock my processor. That resulted in a severe delay of my workday. The delay has not dampened the spirits of this humble author. FlashNewz arrives to you unspoiled nestled warmly in your inbox.

I'll be honest. Our first site today is supremely righteous. Not only is the flash top-notch, but the content is a wonder to behold. If you're a fan of 3D artwork Stefan Morrell will hook you up. He's created a flash portfolio of his 3D cityscapes. And these things are just sick. Unsurmountable detail is crafted into these pieces and the photorealism is simply awe-inspiring.

Next is NinjaMan! This is a side-scrolling action flash game reminiscent of the 80's and 90's. It's a pretty straightforward run-around where you stab other martial artists nowhere near as skilled or cool as yourself. Yes, I played a little NinjaMan at work. S'why my job rules.

Our third site is a super flash heavy site chock full of animated goodies and super happy mega fun fun Asian girls. The site's set up to promote a cell phone with a gajillion color options. Flash allows them to create a vividly colorful campaign with lots of moving goodies for the web animation connoisseur to enjoy.

This week we've got a FlashNewz regular in our article feature, Brajeshwar, covering more security issues and some suggestions on how to deal with 'em.

Mark Rivera

"I can tell you, with no ego, that this is my finest blade."

~ Hatori Hanzo

For any thoughts or suggestions for a website to be featured in FlashNewz gimme a shout at mark@flashnewz.com

And don't forget to check out our Flash Directory

Featured Sites:

Stefan Morrell

Flash portfolio of this 3D master that showcases his jaw-dropping cityscapes.

NinjaMan

Fun flash game fighter where you draw your sword as a ninja while sidescrolling your way to endless baddies.

Cyon Colorphone

Phone promo site for a series of colorful cell phones that put to use a wide spectrum of colors and animation.

Flash Can Modify Router’s UPnP Interface

By Brajeshwar Oinam

Isn’t it a perfect day to read another lambasting of the Flash Player for security issues?

Security firms and interested institutes keep stumbling on security issues and vulnerabilities almost every waking hour of the day. Very recently, Google researchers documented serious vulnerabilities in Adobe Flash SWFs. Another Flash-related security issue surfaced about a week ago: the Universal Plug and Play (UPnP) interface of your router may be highly vulnerable to use by hackers seeking to modify its settings, such as the choice of DNS server, from an external location using Flash.


With Adobe Flash, attackers may corrupt the UPnP interface in the router and modify router settings by leveraging Simple Object Access Protocol (SOAP) messages to circumvent password protection or even the WPA (Wi-Fi Protected Access) encryption standard on routers.

Attacks generated by exploiting the UPnP interface may be a hundred times more dangerous than a recent attack in the wild using Flash and built on JavaScript host-scanning techniques. Nonetheless, researchers said they do not expect to see widespread exploitation. It may be noted that in many cases, UPnP is remotely exploitable without interaction required from the victim, and all the attackers need to know is the IP address of the exploitable device.

The generation of SOAP messages using the Flash plug-in enables the attacker to avoid the problem of password authentication, and the fact that many home routers are configured to accept SOAP messages without any type of authentication compounds the threat, researchers said.

Adobe’s suggestion to the issue

The suggested work-around from Adobe is that malicious router commands delivered via SOAP requests can be avoided by disabling UPnP in the router. Turning off your UPnP will make life harder, and your Skype or MSN probably won't work as flawlessly as before.

You can download harmless/useless proof-of-concept code from GNU Citizen, for demonstration and education purposes.


About The Author

Brajeshwar is an ace digerati... he envisions pushing the technical envelope time and again for the betterment of commercial and practical applications. http://www.brajeshwar.com/


-- FlashNewz is an iEntry.com publication --
iEntry, Inc. 2549 Richmond Road, Lexington, KY 40509
© 2008 iEntry Inc. All Rights Reserved
