back to article More UPNP woes: Crashable library bites routers and software

It's a patch for vendors and developers, but it could be nasty: there's a bug in a Universal Plug'N'Play (UPNP), used in a wide range of black-box devices. The bug, in miniupnpc, allows the lightweight UPNP library to be crashed by an attacker – and while the discoverer only confirmed its risk as a denial-of-service vector, …

  1. W Donelson

    Kan you speak Engrish?

    “An integer signedness error was found in miniupnp's `miniwget`..."

    *facepalm* --> "signedness"

    1. Lee D Silver badge

      Re: Kan you speak Engrish?

      Er... which word would you use?

      "Signedness" is a term often used in programming. There's a Wikipedia article on that exact word, for instance.

      Though it may not be fully correct dictionary English, it's certainly an acceptable term in the field.

      It's whether or not the variable is signed. The state of that is its signedness. Not pretty, but certainly not ugly.

      And no, the "sign" of the variable isn't sufficient. That describes, from a mathematical point of view, whether or not it currently holds a negative value or not. NOT whether the variable itself is capable of holding a signed value.

  2. bombastic bob Silver badge
    FAIL

    Why is ANYONE allowing UPNP to run on his router?

    Keep in mind that UPNP enabled on a router can allow a malware application to open up a LISTENING PORT that punches through a firewall. And that's part of the NORMAL functionality.

    It should be DISABLED out of the box by anyone with at least HALF a clue.

    this article casts that particular functionality in a positive light. Read between the lines, and you'll see JUST how dangerous this kind of functionality can be, particularly with "click on the attachment" or web-based exploits.

    https://www.codeproject.com/articles/13285/using-upnp-for-programmatic-port-forwardings-and-n

    and for no OTHER reason (though the one mentioned in the article is certainly a GOOD one as well), UPNP should have been disabled a long time ago if you didn't do it already.

    1. Anonymous Coward
      Joke

      Re: Why is ANYONE allowing UPNP to run on his router?

      Ask gamers or the like to disable it... and see their (online) existence terminated.

      1. Lee D Silver badge

        Re: Why is ANYONE allowing UPNP to run on his router?

        Rubbish.

        It doesn't affect gamers at all.

        1000+ games on my Steam account, including years spent on CS from 1.6 up to GO, and no UPnP whatsoever.

        The only need for UPnP is if you need to punch a PORT-FORWARD which is only necessary if you are running the server yourself (hint: Don't. That's why people rent game and dedicated servers if they are serious).

        I've never had UPnP enabled, and yet I can do EVERYTHING that normal people do, for many years through a double-NAT set of firewalls. It's only use was punching holes for bypassing NAT for, e.g. SIP and video conferencing, but those problems are long-ago dealt with and no workaround like that necessary.

        If your software needs UPnP or even a port-forward (including servers, which shouldn't need UPnP or port-forward, they should just be opening the relevant port and not be behind a NAT), then you have no idea how to program and shouldn't be writing networked games.

        Certainly, nothing on Steam from CS to GTA V, AOE2 to Worms etc. has ever needed UPnP or a port-forward on the client end.

        If you do not understand this, or what UPnP does, or why it's dangerous to even have enabled, you shouldn't be the person giving advice to others.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why is ANYONE allowing UPNP to run on his router?

          It's not me not understanding this, but do you really believe every gamer has the knowledge (and often the money) to rent and setup game servers? Many just simply host a game, UPnP punch the required hole, and they're happy. Nor everybody uses Steam.

          Games are also designed to work behind the common home network setup, which usually don't involve DMZs and the like, make them require complex network setups to work, and they will sell less. People having trouble will find things like this (https://kb.netgear.com/23020/Opening-ports-for-internet-games-and-applications-on-NETGEAR-routers), and will enable UPnP. Or follow even worse "tutorials" available around which opens even more than what UPnP opens.

          There are also the NAS and similar devices that punches holes to be easily accessible from outside. All done in the name of "easiness of use". Any consumer-grade router I've seen comes with UPnP enabled by default. And most users have con clue what UPnP means and works.

          It you believe that every user of technology today has the required knowledge to configure router and firewalls proficiently, you shouldn't be the person giving advice to others - because, really, they can't understand what you're saying, unluckily.

          1. Anonymous Coward
            Anonymous Coward

            Re: Why is ANYONE allowing UPNP to run on his router?

            Have an upvote, as I 100% agree with all your Points.

            Also, plenty of gamers' web site are (stupidily) advocating for UPNP usage ...

          2. Lee D Silver badge

            Re: Why is ANYONE allowing UPNP to run on his router?

            Almost EVERY modern game uses central servers - Steam, Origin or some proprietary server - as a go-between. Peers do not talk direct to peers any more. That was why you required UPnP/port-forwards, as you didn't know what IP would be contacting you in advance, so you had to open the port.

            All modern games instead communicate to a server (which has open-ports) which co-ordinates the passing of data between you and the people who want to join. It's called matchmaking, but that's a side-effect of being the central server that everyone relies on to be open and handle connection-formation.

            Nothing since DirectPlay has required UPnP to work. P.S. I have Skype. I turn off Skype UPnP options, it works. Same for torrents, for VoIP, for messengers, etc. - all things that you USED to have to port-forward for and don't any more.

            UPnP is an unauthenticated (authentication exist but it's not necessary in teh core protocols unless configured, and nobody configures it, and some software doesn't work when it IS configured) method to forward arbitrary ports on the Internet to arbitrary ports on your local network. This means it can LITERALLY serve requests to open your SMB port to the world. And it will do so, without question, confirmation, password or the user knowing. Literally, any bit of malware can expose your network immediately, permanently, through your firewall, and without you knowing - and there are viruses that do just this.

            It's a stupid idea and needs to die because it's NOT NECESSARY. You can run servers on modern games no problem (matchmaking) and if you're opening up ports to the world for older games, that needs to be a conscious action, not something that happens automatically and without confirmation affecting not just your computer but EVERY computer on your local network.

            Your kids, upstairs in their bedroom, on the isolated wireless VLAN you made for them so they don't infect you, can run a program that will send a UPnP request that will open your router, network and every VLAN / port to the world. And you have no way to stop it, while UPnP is still enabled, because UPnP is basically designed to do just this for ANY request it receives.

            Switch it off.

    2. Mage Silver badge

      Re: Why is ANYONE allowing UPNP to run on his router?

      Same reason they have autorun (even on USB sticks and Network shares), install stupid toolbars on browser, click on links and open attachments in email, and click OK on dialog boxes without reading them.

      Using Noscript and disabling third part cookies is harder.

  3. John Smith 19 Gold badge
    FAIL

    Shock news for developers. Software shouldn't send other software the wrong data.

    But guess what, sometimes it does.

    And when that software can be replaced by a Black hat's code (which applies to practically anything that communicates through a link which has at least 2 ends) it probably will.

    Let me suggest that "I wonder what happens if I put this in that field" (where "this" is anything other than the expected range of values) is SOP for any Black hat.

    But not it seems the people who wrote this.

    Does anyone think this is the first time this has been found?

  4. Nick Sticks

    @ Lee D

    At least one game available on Steam does require UPNP or port forwarding and that's Elite Dangerous from Frontier.

    It requires a P2P connection for the multiplayer aspect.

    I guess you just haven't played that type of game that uses P2P.

    1. Zimmer

      Are you sure?..

      I am pretty sure I have played Elite Dangerous with UPnP disabled on a variety of routers..(as it is my practice to disable UPnP when installing a new one). Are you suggesting the game mysteriously switches it back on without me knowing? Or does it bypass the router settings somehow ??

      Enquiring old gits would like to know, Nick .

      Or is it just your excuse for having left UPnP enabled on your router..?

      1. Nick Sticks

        Re: Are you sure?..

        Well it might have worked for you but you just did not see anybody else in Open or Group mode and/or you were playing in Solo mode.

        Frontier Support on UPNP and setting up port forwarding:

        https://support.frontier.co.uk/kb/faq.php?id=33

        Some players get better connections when they have port forwarding set up.

        Another Old Git.

    2. Lee D Silver badge

      Was an ED pre-orderer.

      You're wrong.

      I literally DO NOT HAVE UPnP enabled on any device.

      Everything works.

      1. Sandtitz Silver badge
        Unhappy

        @Lee D

        "I literally DO NOT HAVE UPnP enabled on any device. Everything works."

        Are you saying that the Frontier FAQ is wrong and unnecessary, and things will work for everyone since you don't have problems? Come on...

        1. Nick Sticks

          Re: @Lee D

          Hmmm. There is something going on that I didn't think could happen.

          I have just spent the last few hours since I posted here testing on my 2 PC's and my 2 ED accounts.

          With UPNP turned off and no port forwarding ED worked as it should. I could see other CMDRs in Open. I could also Wing up or MultiCrew with my other account.

          In fact after turning off UPNP (guilty) and ED still working I thought that my DrayTek router needed rebooting for it to kick in, but it was the same afterwards.

          Much has been made of Frontier's decision to use p2p for the networking between clients and they do use a central server for some transactions, but clients do talk directly to clients. This is why combat logging is a thing. This post does explain quite well how ED's networking happens:

          https://forums.frontier.co.uk/showthread.php/238233-VERY-basic-guide-for-ED-networking

          A Google search will come up with a lot of pages about Elite Dangerous Networking Issues, so it doesn't work for some people as well as we all would like it to.

          The latest update also includes new settings for networking in Options that include port forwarding.

          So, I would say it can work well for some people depending on their router, but there's no doubt that others have problems that can be fixed by port forwarding or having UPNP enabled.

          Fly safe CMDRs

          (ED Kickstarter backer, Founder level)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon