Universal plug and play (UPnP) mapping attacks



Similar documents
SSDP REFLECTION DDOS ATTACKS

How to configure your Thomson SpeedTouch 780WL for ADSL2+

GETTING STARTED WITH THE ISCAN ONLINE DATA BREACH PREVENTION LIFECYCLE

Chapter 3 Security and Firewall Protection

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

Chapter 8 Router and Network Management

Smart Telephone System

Chapter 4 Customizing Your Network Settings

Chapter 4 Customizing Your Network Settings

About Firewall Protection

Web Application Security

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

8 Steps for Network Security Protection

8 Steps For Network Security Protection

Definition of firewall

Getting Started with the iscan Online Data Breach Risk Intelligence Platform

Tech-Note Bridges Vs Routers Version /06/2009. Bridges Vs Routers

The Trivial Cisco IP Phones Compromise

Firewalls. Chapter 3

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

How to Hack Millions of Routers. Craig Heffner, Seismic LLC

Protecting the Home Network (Firewall)

Remote Attacks Against SOHO Routers. 08 February, 2010 Craig Heffner

Voice Over IP (VoIP) Denial of Service (DoS)

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Lab Configuring Access Policies and DMZ Settings

Firewall Defaults and Some Basic Rules

Security Vulnerabilities in SOHO Routers Craig Heffner, Derek Yap

On the Deficiencies of Active Network Discovery Systems

NETWORK SET UP GUIDE FOR

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Chapter 4 Firewall Protection and Content Filtering

Securing end devices

Chapter 4 Firewall Protection and Content Filtering

M2M Series Routers. Port Forwarding / DMZ Setup

Digi Connect WAN Application Guide Using the Digi Connect WAN and Digi Connect VPN with a Wireless Router/Access Point

What is Web Security? Motivation

Explaining DMZ s and Port Forwarding for home networking, broadband routers, and NAT connection sharing. First some definitions (greatly simplified)

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Chapter 5 Customizing Your Network Settings

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc.

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

networking revision B

Using a VPN with Niagara Systems. v0.3 6, July 2013

INTRODUCTION TO FIREWALL SECURITY

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

Multi-Homing Security Gateway

TELUS Business Connect Customer Onboarding Guide. How to successfully set up your service

CC File Transfer. User Manual

Deploying Secure Internet Connectivity

Windows Remote Access

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

CS5008: Internet Computing

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Internet Banking System Web Application Penetration Test Report

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

Voice over IP Communications

Release Version 3 The 2X Software Server Based Computing Guide

Securing your Linksys Wireless Router BEFW11S4 Abstract

Chapter 4 Security and Firewall Protection

UIP1868P User Interface Guide

Penetration Testing LAB Setup Guide

How to Hack Millions of Routers. Craig Heffner

An overwhelming majority of IaaS clouds leverage virtualization for their foundation.

Chapter 4 Managing Your Network

Chapter 12 Supporting Network Address Translation (NAT)

SonicOS Enhanced Release Notes

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Automatic Configuration and Service Discovery for Networked Smart Devices

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

DLink-655 Router Configuration Guide for VoIP

IBM Managed Security Services Vulnerability Scanning:

Broadband Phone Gateway BPG510 Technical Users Guide

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

A POLYCOM WHITEPAPER Polycom. Recommended Best Security Practices for Unified Communications

Lab Configuring Access Policies and DMZ Settings

Chapter 1 Configuring Basic Connectivity

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Web Authentication Application Note

Chapter 4 Management. Viewing the Activity Log

Using a VPN with CentraLine AX Systems

How to deploy console cable to connect WIAS-3200N and PC, to reset setting or check status via console

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Recommended IP Telephony Architecture

Virtualization System Security

Internet and Intranet Calling with Polycom PVX 8.0.1

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Packet Sniffer Detection with AntiSniff

CS 558 Internet Systems and Technologies

RingCentral Router Configuration. Basic Start Guide for Administrators

Attacking Automatic Wireless Network Selection. Dino A. Dai Zovi and Shane A. Macaulay

IBM. Vulnerability scanning and best practices

Broadband Router ALL1294B

Chapter 6 Using Network Monitoring Tools

Transcription:

Universal plug and play (UPnP) mapping attacks Daniel Garcia Abstract Universal Plug and Play is a popular method for NAT traversal used by common household devices. This document explores the different techniques attackers can use to exploit port mapping services of UPnP/IGD devices on WAN ports. It also details a tool called Umap that can do manual port-mapping(wan to LAN, WAN to WAN), nattraversal and SOCKSv4 proxy service that automatically maps to UPnP devices. Devices with WAN ports allowing UPnP actions are the minority, but still a big threat.

Introduction Universal Plug and Play(UPnP) is a technology developed by the UPnP Forum in 1999, after funding mainly by Microsoft. The goal set by the UPnP forum, at that time, was to allow devices to connect seamlessly and simplify network implementations. The only problem with this goal is that it is inherently insecure. A secure system can't be plug and play, it needs to ask questions and validate information. This is exactly one of the main problems in UPnP, as it lacks any form of authentication. To worsen the situation, control points are sometimes configured to accept requests from the LAN and WAN side of the device. The control points are URL's where the SOAP requests are directed for the execution of actions in UPnP. The most common actions used are AddPortMapping and DeletePortMapping, used for the port mapping of devices wanting to traverse the NAT. UPnP Steps 0. Addressing: Interaction with the addressing methods used by the devices. It also establishes rules for devices that are unable to get an address through DHCP. 1. Discovery: Discovery and announcement of the devices using SSDP. The devices send multicast search requests using HTTPU. Control points respond with HTTPU packets that specify a location for the XML description file. 2. Description: After the discovery of the XML description file location, the device downloads the XML to discover the different services and actions that the device has available. 3. Control: Through the description process, the device learns vital information to interact with the control point. At this point it sends SOAP requests(actions) to the specified control points to execute the different functions on the control point. This is where the actual execution of the actions like AddPortMapping and DeletePortMapping happen. 4. Eventing: Control points listen to changes in devices 5. Presentation: The referral to an HTML-based user interface for controlling and/or viewing the device status.

Vulnerabilities The first problem reported for UPnP was a Denial of Service attack reported by Ken from FTUSecurity and applied to the Microsoft Windows 98/ME/XP stack. Afterwards eeye published an advisory for a buffer overflow attack, also on the Microsoft stack. In 2003 Björn Stickler published an information disclosure advisory for the Netgear FM114P, the information disclosure was based on using the GetUserName action of UPnP. Then in 2006 Armijn Hemel reported the vulnerability on remote users being able to use UPnP to forward packets on external hosts. He also published his findings on the www.upnp-hacks.org site, one of the best sources of UPnP hacking information up to date. This flaw highlighted by Armijn is what Umap relies on for the port mapping. The main workings of Umap rely on the AddPortMapping and DeletePortMapping actions in the UPnP protocol. They are meant to be used by devices on a LAN that want to traverse a NAT. Unfortunately, these control points are also available on the WAN interfaces of the devices, allowing attackers to add a port map from the external WAN IP to any host desired. The attacker can map a port on the external IP and forward that traffic to another external host. The attacker can also map external ports on the WAN IP to internal hosts behind the NAT of the device. This allows the attackers to scan for hosts inside the NAT, forward traffic to external hosts and forward traffic to internal hosts. Some routers, have an open control point by default. In fact, some routers keep accepting UPnP requests after disabling UPnP WAN requests. There are many problems besides port mapping: information disclosure, command execution and DoS. For example, another problem that is less intrusive is the disclosure of information regarding the device. On average the minimum information you can get from UPnP IGD devices on the WAN side are the MAC address, serial number and device model. This information could be used by attackers as an identifier to locate modems on dynamic IP pools or just to target. Umap Umap is designed to work in different modes: Scanner for UPnP devices with exposed WAN control points SOCKSv4 proxy that forwards traffic through devices with exposed control points Scanner/mapper of internal hosts behind a NAT of a device with exposed control points Manual TCP/UDP mapping of exposed control points

There is not a lot of PoC on UPnP publicly available. A clever exploit that sends UPnP commands through the execution of javascript on the victim's browser was created by GNUCitizen. There is also a tool available named Miranda by SecuriTeam. Its pretty good and works well manipulating UPnP devices to execute actions. This tool, however, is designed for LAN use only as it relies on SSDP and multicast for the discovery of UPnP devices, which makes a lot of sense since the UPnP protocol v1.0 states that it is the standard way of discovering UPnP devices. Umap, on the other hand, skips this step and simply tries to fetch the XML descriptions of the devices. Relying on the Unicast part of the UPnP transaction makes it suitable for scanning UPnP on WAN scenarios. It relies on a database of common locations and ports for XML description files on UPnP devices. After it fetches those description files it tries to execute the AddPortMapping and DeletePortMapping actions. For the internal network scanning, it tries to guess the internal IP set by the device and scans each host for a group of common ports or the ports specified by argument.

Flow diagram on SOCKSv4 mode Flow diagram on scanner mode

Negative aspects of UPnP mapping There are many aspects on UPnP mapping that are not favorable. The biggest impact is performance when using other routers. Most UPnP devices are residential gateways/cpes that have a very limited upload bandwidth. Another factor that affects performance greatly is the unpredictability of the different UPnP stacks on executing the actions for the mapping. Most vendors cap the amount of port mappings in the stack, limiting the amount of mappings. Some devices only allow, 10 mappings at a given time, which lowers the performance of UPnP mapping in heavy connection scenarios like web-browsing. In terms of the noise made by the attack, some devices actively log the port mappings with the source IP of the request. Unfortunately, residential users do not care/read the logs of their devices. The operators that own the lines for the devices could implement centralized logging solutions which could allow some kind of mitigation for the problem. Mitigations The mitigation falls down to two elements: Operators and Users. Users can mitigate by reconfiguring their devices to disallow WAN traffic to a UPnP control point. Some IGD devices only allow enabling/disabling UPnP services, without the ability to indicate if you want to receive WAN traffic to the UPnP control point. Disabling UPnP completely is sometimes troublesome, some devices require UPnP for NAT traversal. Operators can mitigate either by blocking WAN requests to client devices or by deploying the devices with base configurations that disable the UPnP WAN requests. Using base configuration packages is a better solution because some UPnP stacks rely on port 80 for the transmission of UPnP SOAP requests. Blocking WAN traffic could block user management interfaces for the devices. Disabling UPnP totally is a nightmare, because a lot of devices use UPnP to traverse. Gaming consoles are the perfect example of devices that need UPnP for better performance. The only reason I would recommend disabling UPnP is if you have a stack that keeps accepting WAN requests even if you specify that you don't want WAN requests.

Affected devices I have scanned different IP pools around the world looking for different stacks of UPnP devices. During a 1 week period I discovered more than 150,000 devices, just by scanning random DSL IP pools. The speedtouch stack is by far the most common. There may be many other devices vulnerable on-line, but I don't think there has been a lot of research around that subject. Manufacturer Model Version Linksys WRT54GX < 4.30.5 Edimax BR-6104K < 3.21 Sitecom WL-153 < 1.39 Speedtouch/Alcatel/Thomson 5x6 < 6.2.29 Thomson TG585 v7 < 7.4.3.2

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information