Re: UPnP temporary internet files and security
From: Matt Scarborough (vexversa_at_verizon.net)
Date: 05/09/03
- Next message: Alexandro Dario Pestana: "Re: NTFS Vs. FAT32 security"
- Previous message: George Masters [MSFT]: "Administration access"
- In reply to: David Shorthouse: "UPnP temporary internet files and security"
- Next in thread: David Shorthouse: "Re: UPnP temporary internet files and security"
- Reply: David Shorthouse: "Re: UPnP temporary internet files and security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 09 May 2003 19:17:17 +0000
On Fri, 09 May 2003 16:57:55 GMT, David Shorthouse wrote
<n6Rua.293979$vs.22683142@news3.calgary.shaw.ca>
> Hey folks,
>
> I have a UPnP-capable router and am using MSN Messenger. I am supposed
> to have an Internet Gateway Device icon in my network connections folder
> with this router. It appears just fine with either a wired or wireless
> connection in my laptop's network connections folder, but not for two of my
> other wired desktops. I have a suspicion that this may be because of some
> sort of security issue in XP Pro SP1 (on all machines), but don't know how
> to verify this. Here's why I suspect this:
>
> My laptop discovers the UPnP gateway device just fine and several xml files
> get dumped into C:\WINDOWS\system32\config\systemprofile\Local
> Settings\Temporary Internet Files\Content.IE5 as they should. However, on
> the desktop computers that don't have the icon, these router-specific xml
> files never appear in this folder. In addition to this, upon boot, the
> laptop also gets a rootDesc.xml file in the user account temporary internet
> files, but none of the problem desktop user accounts receive this file in
> their temporary internet files folder.
>
> Am I on the right track here and does anyone know how to resolve this issue?
> I would like to be able to control and configure the UPnP-specific ports
> using this tool in my desktops and not just the laptop, which is
> infrequently connected to the router.

The files in the Temporary Internet Files folder are normal.

To make use of the UPnP-capable router's NAT capabilities you need a UPnP
enabled client or OS. UPnP support is included by default in Windows XP.
UPnP support at the OS level of XP allows you to control the UPnP enabled
device through the Networking applet.

For most UPnP-capable routers, these UPnP enabled controls are merely a
subset of the controls you get using the Web Interface. Meaning, UPnP can
control many of the same NAT capabilities of the router as that which an
authorized user could accomplish with the web interface at (for default
Linksys)
http://192.168.1.1/Forward.htm

UPnP however does this NATting auto-magically.

The critical difference is that to use the Web interface requires a
username:password to access the UPnP-capable router and map ports to
machines (control NAT) with that Web interface. UPnP assumes all users and
machines and code running inside your LAN are trusted. The existing UPnP
protocol does not include authentication or authorization. That is the
security issue, not the presence of any TIF files. rootDesc.xml is available
to any machine on the LAN side that can reach the router at
http://192.168.1.1:5678/rootDesc.xml

I suspect the laptop is running Windows XP and the desktops are running some
other OS or have UPnP support disabled. For transparent use of the NAT
capabilities for specific applications, Windows 98 users can add DirectX 9.x
and MSN Messenger for example. Or, Windows 98 users can add the Internet
Connection Sharing client and use a Windows XP machine as their Internet
Gateway. That still however may not add to Windows 98 all of the GUI and
networking capabilities you enjoy with Windows XP SP1.

Matt Scarborough 2003-05-09
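
The reply's point that rootDesc.xml is readable by any LAN host, and that the control interface it advertises has no authentication, can be audited by parsing a saved copy of the description and listing which services expose NAT control. This is an added example, not part of the original post: the sample XML, friendly name and control URL paths are constructed, and only the rootDesc.xml URL comes from the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
# Standard IGD service types that carry port-mapping (NAT control) actions.
NAT_CONTROL = ("urn:schemas-upnp-org:service:WANIPConnection:",
               "urn:schemas-upnp-org:service:WANPPPConnection:")

SAMPLE_URL = "http://192.168.1.1:5678/rootDesc.xml"  # URL quoted in the post
# Constructed device description; save your own router's copy to audit it.
SAMPLE_XML = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <friendlyName>Example Router</friendlyName>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
   <controlURL>/L3F</controlURL>
  </service></serviceList>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
     <controlURL>/WANIPCn</controlURL>
    </service></serviceList>
   </device></deviceList>
  </device></deviceList>
 </device>
</root>"""

def audit_description(xml_text, description_url):
    """List every advertised service and flag those that can remap ports."""
    root = ET.fromstring(xml_text)
    # URLBase is optional; relative control URLs resolve against the description URL.
    base = root.findtext("d:URLBase", default="", namespaces=NS).strip() or description_url
    findings = []
    for svc in root.iterfind(".//d:service", NS):  # nested devices included
        stype = svc.findtext("d:serviceType", default="", namespaces=NS).strip()
        ctrl = svc.findtext("d:controlURL", default="", namespaces=NS).strip()
        findings.append({"service": stype, "control_url": urljoin(base, ctrl),
                         "nat_control": stype.startswith(NAT_CONTROL)})
    return findings

def nat_control_endpoints(findings):
    return [f["control_url"] for f in findings if f["nat_control"]]

if __name__ == "__main__":
    for url in nat_control_endpoints(audit_description(SAMPLE_XML, SAMPLE_URL)):
        print("Unauthenticated NAT control endpoint reachable from the LAN:", url)
```

Any endpoint this reports accepts port-mapping requests from every host on the LAN; if that trust assumption does not hold for your network, disable UPnP on the router and map ports through the authenticated web interface instead.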