[REVS] UPnP Flawed Application

Subject: [REVS] UPnP Flawed Application
Date: 28 Dec 2005 11:49:13 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  UPnP Flawed Application
------------------------------------------------------------------------


SUMMARY

"The  <http://www.upnp.org/> UPnP architecture offers pervasive 
peer-to-peer network connectivity of PCs of all form factors, intelligent 
appliances, and wireless devices. The UPnP  architecture is a distributed, 
open networking architecture that leverages TCP/IP and the Web to enable 
seamless proximity networking in addition to control and data transfer 
among networked devices in the home, office, and everywhere in between."

So you feel safe with that shiny new Linksys, D-Link, or Netgear home 
router of yours, don't you? Its firewall function is impenetrable, isn't it? 
No, it's not. In fact, any program that has network access can change that, 
regardless of the unbreakable password you've set on the device. Why? 
Because they are UPnP-enabled devices, and UPnP allows unauthenticated 
access to view and modify your settings.

DETAILS

In order to understand this article, you must first understand how UPnP 
works and what practical applications it serves. As defined by 
www.streamium.com,

"Universal Plug and Play is making home networking simple for users. UPnP 
offers network connectivity of PCs, intelligent appliances, and wireless 
devices. UPnP leverages TCP/IP and the Web to enable control and data 
transfer among networked devices in the home and around the home. UPnP 
technology can be supported on essentially any operating system and works 
with almost any type of physical networking media - wired or wireless. The 
Universal Plug and Play is an industry initiative designed to enable 
simple and robust connectivity among stand-alone devices and PCs from many 
different vendors. Currently over 500 members have signed up, including 
Microsoft, Intel, Philips, Sony, Samsung and other companies."

In other words, UPnP attempts to make networking between your PC and any 
network device simple. In many instances, it does just that. UPnP can be 
found on some home lighting and automation systems, as well as quite a few 
TCP/IP enabled security cameras.

For the first two, no major security is really needed, but the third 
obviously does need some. What about your home router, the gateway to the 
cyber playground? Its only defense is that the UPnP interface sits on the 
LAN side. But what if you or a family member is fooled into clicking an 
insidious hyperlink to a web page that exploits the latest Internet 
Explorer flaw? The process is simple, really: a malicious user could write 
a program that sends commands to the UPnP interface, which is usually on 
the same port as the web interface.

The compromised computer will probably have all that information already 
stored in its registry, so the program could easily read it and start 
commanding your router to lower its defenses. For instance, most backdoor 
software listens for requests from another computer, and by default the 
router should block any traffic from the outside that is inbound to your 
computer.

However, if a malicious user sends UPnP commands to the router, he or she 
could allow that inbound traffic to pass straight through the firewall 
function and on to your computer. The result: a compromised router will 
not defend your system, leaving it wide open to the Internet.

Even worse, if an attacker wishes to attack a port that is blocked by your 
ISP, such as 139 or 445, the attacker could use port forwarding to change 
the WAN side port to something like 14934, thus providing you with even 
less security than if you had not used the firewall/router device in the 
first place.

You may be surprised, but this behaviour is already relied on by software 
like LimeWire to let systems behind a firewall share files on p2p 
networks. Here's how it works. The program (LimeWire in this scenario) 
sends your router a request that looks something like this:

GET /upnp/service/descrip.xml HTTP/1.1
User-Agent: LimeWire/4.8.1 Java/1.5.0_01
Host: 192.168.1.1
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded

Your router will then return a rather large XML list of functions and 
capabilities it has:

HTTP/1.0 200 OK
Server: UPnP/1.0 UPnP-Device-Host/1.0
Connection: close
Content-type: text/xml

<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <specVersion>
  <major>1</major>
  <minor>0</minor>
 </specVersion>
 <URLBase>http://192.168.1.1:80</URLBase>
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <friendlyName>Residential Gateway</friendlyName>
  <manufacturer></manufacturer>
  <manufacturerURL></manufacturerURL>
  <modelDescription>Residential Gateway</modelDescription>
  <modelName>Residential Gateway</modelName>
  <UDN>uuid:upnp-InternetGatewayDevice-1_0-00e09851be7c</UDN>
  <UPC>00000-00001</UPC>
  <serviceList>
   <service>
    <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
    <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
    <controlURL>/upnp/service/Layer3Forwarding</controlURL>
    <eventSubURL>/upnp/service/Layer3Forwarding</eventSubURL>
    <SCPDURL>/upnp/service/L3Frwd.xml</SCPDURL>
   </service>
  </serviceList>
  <deviceList>
   <device>
    <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
    <friendlyName>Residential Gateway</friendlyName>
    <manufacturer></manufacturer>
    <manufacturerURL></manufacturerURL>
    <modelDescription>Residential Gateway</modelDescription>
    <modelName>Residential Gateway</modelName>
    <modelNumber>1</modelNumber>
    <modelURL></modelURL>
    <serialNumber>0000001</serialNumber>
    <UDN>uuid:upnp-WANDevice-1_0-00e09851be7c</UDN>
    <UPC>00000-00001</UPC>
    <serviceList>
     <service>
      <serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
      <serviceId>urn:upnp-org:serviceId:WANCommonInterfaceConfig</serviceId>
      <controlURL>/upnp/service/WANCommonInterfaceConfig</controlURL>
      <eventSubURL>/upnp/service/WANCommonInterfaceConfig</eventSubURL>
      <SCPDURL>/upnp/service/WANCICfg.xml</SCPDURL>
     </service>
    </serviceList>
    <deviceList>
     <device>
      <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
      <friendlyName>Residential Gateway</friendlyName>
      <manufacturer></manufacturer>
      <manufacturerURL></manufacturerURL>
      <modelDescription>Residential Gateway</modelDescription>
      <modelName>Residential Gateway</modelName>
      <modelNumber>1</modelNumber>
      <modelURL></modelURL>
      <serialNumber>0000001</serialNumber>
      <UDN>uuid:upnp-WANConnectionDevice-1_0-00e09851be7c</UDN>
      <UPC>00000-00001</UPC>
      <serviceList>
       <service>
        <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:WANIPConnection</serviceId>
        <controlURL>/upnp/service/WANIPConnection</controlURL>
        <eventSubURL>/upnp/service/WANIPConnection</eventSubURL>
        <SCPDURL>/upnp/service/WANIPCn.xml</SCPDURL>
       </service>
      </serviceList>
     </device>
    </deviceList>
   </device>
  </deviceList>
  <presentationURL>/home.htm</presentationURL>
 </device>
</root>

Each of the service entries above gives the attacker a location to work 
with. The path in <SCPDURL> is the XML file that contains the complete 
collection of actions and state variables for that service. This document 
acts like a textbook reference for your computer or for the attacker, 
letting either one look up the commands it needs and use them accordingly. 
Once this is obtained, the attacker will look through the documents for 
something like this:

<action>
 <name>GetGenericPortMappingEntry</name>
 <argumentList>
  <argument>
   <name>NewPortMappingIndex</name>
   <direction>in</direction>
   <relatedStateVariable>PortMappingNumberOfEntries</relatedStateVariable>
  </argument>
  <argument>
   <name>NewRemoteHost</name>
   <direction>out</direction>
   <relatedStateVariable>RemoteHost</relatedStateVariable>
  </argument>
  <argument>
   <name>NewExternalPort</name>
   <direction>out</direction>
   <relatedStateVariable>ExternalPort</relatedStateVariable>
  </argument>
  <argument>
   <name>NewProtocol</name>
   <direction>out</direction>
   <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
  </argument>
  <argument>
   <name>NewInternalPort</name>
   <direction>out</direction>
   <relatedStateVariable>InternalPort</relatedStateVariable>
  </argument>
  <argument>
   <name>NewInternalClient</name>
   <direction>out</direction>
   <relatedStateVariable>InternalClient</relatedStateVariable>
  </argument>
  <argument>
   <name>NewEnabled</name>
   <direction>out</direction>
   <relatedStateVariable>PortMappingEnabled</relatedStateVariable>
  </argument>
  <argument>
   <name>NewPortMappingDescription</name>
   <direction>out</direction>
   <relatedStateVariable>PortMappingDescription</relatedStateVariable>
  </argument>
  <argument>
   <name>NewLeaseDuration</name>
   <direction>out</direction>
   <relatedStateVariable>PortMappingLeaseDuration</relatedStateVariable>
  </argument>
 </argumentList>
</action>

The GetGenericPortMappingEntry action above returns the current list of 
port mappings, which can be used to determine which ports are already 
reachable from the Internet. What follows makes this even worse:

<action>
 <name>AddPortMapping</name>
 <argumentList>
  <argument>
   <name>NewRemoteHost</name>
   <direction>in</direction>
   <relatedStateVariable>RemoteHost</relatedStateVariable>
  </argument>
  <argument>
   <name>NewExternalPort</name>
   <direction>in</direction>
   <relatedStateVariable>ExternalPort</relatedStateVariable>
  </argument>
  <argument>
   <name>NewProtocol</name>
   <direction>in</direction>
   <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
  </argument>
  <argument>
   <name>NewInternalPort</name>
   <direction>in</direction>
   <relatedStateVariable>InternalPort</relatedStateVariable>
  </argument>
  <argument>
   <name>NewInternalClient</name>
   <direction>in</direction>
   <relatedStateVariable>InternalClient</relatedStateVariable>
  </argument>
  <argument>
   <name>NewEnabled</name>
   <direction>in</direction>
   <relatedStateVariable>PortMappingEnabled</relatedStateVariable>
  </argument>
  <argument>
   <name>NewPortMappingDescription</name>
   <direction>in</direction>
   <relatedStateVariable>PortMappingDescription</relatedStateVariable>
  </argument>
  <argument>
   <name>NewLeaseDuration</name>
   <direction>in</direction>
   <relatedStateVariable>PortMappingLeaseDuration</relatedStateVariable>
  </argument>
 </argumentList>
</action>
<action>
 <name>DeletePortMapping</name>
 <argumentList>
  <argument>
   <name>NewRemoteHost</name>
   <direction>in</direction>
   <relatedStateVariable>RemoteHost</relatedStateVariable>
  </argument>
  <argument>
   <name>NewExternalPort</name>
   <direction>in</direction>
   <relatedStateVariable>ExternalPort</relatedStateVariable>
  </argument>
  <argument>
   <name>NewProtocol</name>
   <direction>in</direction>
   <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
  </argument>
 </argumentList>
</action>

The AddPortMapping and DeletePortMapping actions above let the attacker 
build an XML document and HTTP POST it to the device, thereby adding or 
deleting a specific port mapping.
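As an added audit example (not part of the advisory and not any vendor's code), the Python below walks a constructed copy of the device description shown earlier to locate the WANIPConnection control URL, then parses a constructed reply to the read-only GetGenericPortMappingEntry action and flags the mappings a LAN administrator should review, such as the external-14934-to-internal-445 case described above. The network fetches themselves are left out; the function names, the sample XML and the trusted-host list are assumptions made for this example.

```python
# Added audit helper (not from the advisory); all XML below is constructed sample data.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

DEV_NS, SOAP_NS = "urn:schemas-upnp-org:device-1-0", "http://schemas.xmlsoap.org/soap/envelope/"
# Trimmed stand-in for what the router returns for GET /upnp/service/descrip.xml
DESCRIPTION_XML = f"""<?xml version="1.0"?>
<root xmlns="{DEV_NS}"><URLBase>http://192.168.1.1:80</URLBase>
 <device><deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
     <controlURL>/upnp/service/WANIPConnection</controlURL></service></serviceList>
    </device></deviceList></device></deviceList></device></root>"""

def find_control_url(description_xml, service="WANIPConnection"):
    """Absolute control URL of the first service whose type names `service`, else None."""
    root = ET.fromstring(description_xml)
    base = root.findtext(f"{{{DEV_NS}}}URLBase", default="")
    for svc in root.iter(f"{{{DEV_NS}}}service"):  # walks every nested deviceList
        if f":service:{service}:" in svc.findtext(f"{{{DEV_NS}}}serviceType", default=""):
            return urljoin(base, svc.findtext(f"{{{DEV_NS}}}controlURL"))
    return None

# Stand-in reply to the read-only GetGenericPortMappingEntry action (constructed)
MAPPING_RESPONSE = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
 <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
  <NewRemoteHost></NewRemoteHost><NewExternalPort>14934</NewExternalPort>
  <NewProtocol>TCP</NewProtocol><NewInternalPort>445</NewInternalPort>
  <NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
  <NewPortMappingDescription>svchost</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
 </u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

def parse_mapping(soap_xml):
    """Flatten the New* arguments of the response into a dict keyed by argument name."""
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")
    return {child.tag: (child.text or "") for child in body[0]}

SENSITIVE_INTERNAL_PORTS = {135, 137, 138, 139, 445}  # ports ISPs commonly filter on the WAN side
def review_mapping(m, trusted_clients):
    """Reasons a LAN admin should look at this mapping; an empty list means nothing stood out."""
    reasons = []
    if int(m["NewInternalPort"]) in SENSITIVE_INTERNAL_PORTS:
        reasons.append("forwards to a Windows file-sharing port the ISP normally blocks")
    if m["NewExternalPort"] != m["NewInternalPort"]:
        reasons.append("external port differs from internal port (ISP filter bypass pattern)")
    if m["NewInternalClient"] not in trusted_clients:
        reasons.append("internal client is not a reviewed host")
    return reasons
```

To audit a live gateway, fetch the description and then POST a GetGenericPortMappingEntry request for NewPortMappingIndex 0, 1, 2, ... to the returned control URL until the device reports no more entries, feeding each reply through parse_mapping and review_mapping.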

This is clearly a dangerous flaw. What makes it worse is that this is an 
industry standard, meaning the flaw is universally widespread, because 
devices of this nature must comply with it. In other words, they must have 
this flaw or the product cannot officially be a UPnP product.

Solution:
The solution is simple: add some form of authentication to the UPnP 
protocol for any request that alters the list of ports mapped to the 
systems protected by the firewall/router. The authentication could be as 
simple as adding a Negotiate: field to the standard request.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:theirishfellow@gmail.com> 
David Ferril.


