Re: [Linux-igd-devel] Security issues to address...
From: Nektarios K. P. <npa...@in...> - 2006-08-18 09:01:56
Hi,

Armijn Hemel wrote:
> hi,
>
> [cut]
>> I'm not sure I understand the final comment in the Armijn report:
>>
>> <quote>
>> ...,but there is no check to see whether or not NewInternalClient is an
>> external IP address.
>> </quote>
>>
>> Why is it important whether or not it is an external IP address. I think
>> the right input/output interface is properly set in the iptables
>> invocation so having an external IP address in the NewInternalClient
>> will just result in an ACCEPT rule that is impossible to trigger.
>> What do I miss here?
>
> I was able to trigger this (repeatedly) with several routers that use
> linux-igd. If NewInternalClient is actually an external IP address it will
> make a firewalling rule for that external IP address. Connect to the port
> that is opened from the outside and your traffic will nicely go through NAT
> to the destination port (NewInternalPort if I remember correctly) without a
> problem.
>
> armijn
>

You are right, when adding a port mapping only the 'in' interface is set to the 'WAN' interface of the IGD in the iptables rule. The 'out' interface of the rule is set to 'any'. I intend to add the check anyway, but let me continue the discussion:

So, the security issue here is that a malicious control point can add a port mapping that lets an external entity connect to your IGD on a port and then forwards this connection to another external host, pretending to be your IGD? I see only two minor bad issues with this scenario:

- Unnecessary traffic is passing through your IGD
- The external host (RemoteHost upnp arg) can be fooled to allow the connection based on your IP.

Don't get me wrong. I *do* appreciate your vulnerability report and the check should be implemented. However, unless we implement e.g. DeviceSecurity service, a malicious control point in the LAN can open up whatever port pleases it and be upnp correct anyway ;-)

--
______________________________________________________________
Nektarios K. Papadopoulos
Senior Engineer
Software Engineering Group
inAccess Networks
95A Pentelis Avenue.          Tel : +30-210-6837640
152 34 Halandri Athens        Fax : +30-210-6899504
______________________________________________________________
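The check discussed in this message, as an added example that is not part of the original thread or of linux-igd's own code: before any iptables rule is produced for an AddPortMapping request, NewInternalClient is tested against the LAN subnet, and the generated FORWARD rule pins both the input (WAN) and output (LAN) interfaces instead of leaving the output interface as 'any', so a mapping cannot be turned into a relay to another external host. The interface names (eth0/eth1), the LAN subnet, the protocol/port validation and the exact rule layout are assumptions for illustration.

```c
/* Added example, not linux-igd code.  Interface names, subnet and rule layout
 * are assumptions for illustration. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into a host-order integer.
 * Returns 1 on success, 0 if the string is not a valid IPv4 address. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Return 1 if `client` (the NewInternalClient argument) lies inside
 * lan_net/prefix, 0 otherwise or if either address fails to parse.
 * An external address therefore never reaches rule generation. */
int internal_client_is_on_lan(const char *client, const char *lan_net, int prefix)
{
    uint32_t c, n, mask;
    if (prefix < 0 || prefix > 32)
        return 0;
    if (!parse_ipv4(client, &c) || !parse_ipv4(lan_net, &n))
        return 0;
    mask = (prefix == 0) ? 0u : 0xFFFFFFFFu << (32 - prefix);
    return (c & mask) == (n & mask);
}

/* Build the FORWARD rule for a port mapping into `buf`.  Both -i (WAN) and
 * -o (LAN) are set, unlike a rule that leaves the output interface as 'any'.
 * Returns 1 and fills `buf` only when the client is on the LAN and the
 * protocol/port are well formed; returns 0 (and writes nothing useful) otherwise. */
int build_forward_rule(char *buf, size_t len,
                       const char *wan_if, const char *lan_if,
                       const char *lan_net, int prefix,
                       const char *proto, const char *client, int port)
{
    int n;
    if (!internal_client_is_on_lan(client, lan_net, prefix))
        return 0;
    if (strcmp(proto, "tcp") != 0 && strcmp(proto, "udp") != 0)
        return 0;
    if (port < 1 || port > 65535)
        return 0;
    n = snprintf(buf, len,
                 "iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %d -j ACCEPT",
                 wan_if, lan_if, proto, client, port);
    return n > 0 && (size_t)n < len;
}

int main(void)
{
    char rule[256];
    /* Constructed sample requests: one LAN client, one external address. */
    const char *clients[] = { "192.168.1.20", "203.0.113.5" };
    for (size_t i = 0; i < 2; i++) {
        if (build_forward_rule(rule, sizeof rule, "eth0", "eth1",
                               "192.168.1.0", 24, "tcp", clients[i], 8080))
            printf("accepted: %s\n", rule);
        else
            printf("rejected NewInternalClient %s (not on LAN)\n", clients[i]);
    }
    return 0;
}
```

The subnet test is what closes the gap Armijn describes; pinning `-o` to the LAN interface is a second, independent line of defence so that even a rule created for a wrong address cannot forward traffic back out the WAN side.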