In that vein, we have seen plenty of routers over the years that expose
their administration page over the outward interface on 80/443 and that is a
big reason why ISPs are blocking those ports on residential connections.
It's trivial to control uPnP's behavior at the ISP level in the same way.
I found documentation from Cox saying they do this, I would assume all the
big names have similar policies.
http://ww2.cox.com/residential/centralflorida/support/internet/article.cox?articleId=cacf82f0-6407-11df-ccef-000000000000
On Wed, 20 Feb 2013 08:16:53 -0500, Kwiatkowski, Nicholas
<[log in to unmask]> wrote:
>I think one of the vulnerabilities is that UPnP was accessible from the
external interface, not just the internal one (like it supposed to be).
This would allow a remote attacker to map ports to internal machines without
the end-user knowing to GAIN access to their system. There were even some
cheap routers that allowed you to turn off UPnP on the internal interface
(and claimed it was turned off), but it still answered requests on the
external interface, allowing the attacker to do things like map ports,
change passwords on the device and cause other havoc.
>
>-Nick
|