On Using Application-Layer Middlebox Protocols for Peeking Behind - PowerPoint PPT Presentation

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti, Thorsten Holz Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany Network and Distributed System Security Symposium 2020 1

Motivation External Network Internal Network B O A S U N D A R Y 2

Motivation External Network Internal Network B O A S U N D A R Y 2

Motivation External Network Internal Network B O A S U N D A R Y 2

Motivation Proxy Protocols Open connection for me! HTTP SOCKS 2

Motivation Proxy Protocols Open connection for me! HTTP SOCKS NAT Traversal Protocols Forward tra ffi c to me! UPnP IGD NAT-PMP PCP 2

Idea! What if we could use these protocols to access networks that are otherwise “hidden”? 3

Universal Plug’n’Play (UPnP)

UPnP - Discovering Devices Local Network 4

UPnP - Discovering Devices Local Network Hey, anyone out there? 4

UPnP - Discovering Devices Local Network Hi, it's me, your telly! H a l l o , y o u r r o u t e r h e r e ! 4

UPnP - Discovering Devices Local Network 4

UPnP - Finding Services Ah, there you are! What can you do for me? 5

UPnP - Finding Services Ah, there you are! What can you do for me? W e l l , I c a n d o m a n y t h i n g s ! H o w a b o u t a p o r t f o r w a r d ? 5

UPnP - Executing Actions Good idea! I'm waiting for friends on 1234/UDP . Would you mind letting them in? 6

UPnP - Executing Actions Good idea! I'm waiting for friends on 1234/UDP . Would you mind letting them in? C o n s i d e r i t d o n e ! 6

Food for Thought What if I say that there are UPnP devices exposed to the Internet? 7

Finding UPnP IGD Devices on the Internet Our Approach 1. Discovering UPnP Devices 2. Finding IGD Services 3. Enumerating Existing Forwards 8

1. Discovering UPnP Devices 1900/UDP M-SEARCH ZMap ST: " ssdp:all " 200 OK LOCATION: http://10.0.0.1/gatedesc.xml 9

UPnP Devices (2,800,000 hosts) DoS Ampli fi ers: 2.8M non-1900 66% 1900 34% 10

UPnP Devices (2,800,000 hosts) DoS Ampli fi ers: 2.8M non-1900 66% 1900 34% With vanilla ZMap 10

2. Finding WAN*Connection services Our Scanner GET / gatedesc.xml Device Description File <service> <serviceT ype> WANIPConnection </servicetype> <controlURL> /ctl/IPConn </controlURL> </service> 11

Exposed HTTP endpoints (1,100,000 hosts) DoS Ampli fi ers: 2.8M Control endpoints: 1,1M 4 2 % non-1900 66% 1900 34% 31% 12

Exposed Port Forward Controls (480,000 hosts) DoS Ampli fi ers: 2.8M Control endpoints: 1,1M Port forward controls: 480k 4 2 % non-1900 66% 34% 1900 34% 31% 74% 13

3. Listing Existing Port Forwards Enumerate incrementing index until receiving an error. POST /ctl/IPConn HTTP/1.1 Our Scanner <GetGenericPortMappingEntry> <NewPortMappingIndex> index </NewPortMappingIndex> </GetGenericPortMappingEntry> 14

3. Listing Existing Port Forwards Enumerate incrementing index until receiving an error. POST /ctl/IPConn HTTP/1.1 Our Scanner <GetGenericPortMappingEntry> <NewPortMappingIndex> index </NewPortMappingIndex> </GetGenericPortMappingEntry> <GetGenericPortMappingEntryResponse> <NewExternalPort> 1337 </NewExternalPort> <NewInternalClient> 127.0.0.1 </NewInternalClient> <NewInternalPort> 443 </NewInternalPort> <NewProtocol> TCP </NewProtocol> <NewPortMappingDescription> Allow remote con fi guration! </NewPortMappingDescription> </GetGenericPortMappingEntryResponse> 14

3. Listing Existing Port Forwards Enumerate incrementing index until receiving an error. POST /ctl/IPConn HTTP/1.1 Our Scanner <GetGenericPortMappingEntry> Source & destination, <NewPortMappingIndex> index </NewPortMappingIndex> protocol </GetGenericPortMappingEntry> <GetGenericPortMappingEntryResponse> <NewExternalPort> 1337 </NewExternalPort> <NewInternalClient> 127.0.0.1 </NewInternalClient> <NewInternalPort> 443 </NewInternalPort> <NewProtocol> TCP </NewProtocol> <NewPortMappingDescription> Allow remote con fi guration! </NewPortMappingDescription> Description </GetGenericPortMappingEntryResponse> 14

Hosts with Forwards (130,000 hosts) DoS Ampli fi ers: 2.8M Control endpoints: 1,1M Port forward controls: 480k 4 2 % With forwards: 130k non-1900 66% 34% 1900 34% 31% 1 0 % 74% 47% 15

Categorizing Forwards 1. Forwards with “galleta silenciosa” (42,000 hosts) 2. Forwards to external target IP addresses (18,000 hosts) 3. Rest of the forwards we consider benign (110,000 hosts) 16

Galleta silenciosa – Silent cookie (On 42,000 hosts) :12345 -> 192.168.1. 2 :139 192.168.1.0/24 9 1 3 3 : . 1 . 6 8 . 1 A 9 2 > 1 S - 3 5 1 2 : 3 17

Galleta silenciosa – Silent cookie (On 42,000 hosts) :12345 -> 192.168.1. 2 :139 192.168.1.0/24 9 1 3 3 : . 1 . 6 8 . 1 A 9 2 > 1 S - 3 5 1 2 : 3 : 1 2 5 2 1 - > 1 9 2 . 1 6 8 . 1 . 2 5 3 : 4 4 5 :43123 -> 192.0.1. 254 :445 17

External Forwards (on 18,000 hosts) :64611 -> : 443 Cloud providers 18

External Forwards (on 18,000 hosts) :64611 -> : 443 Cloud providers :12345 -> : 80 Other vulnerable devices 18

External Forwards (on 18,000 hosts) :64611 -> : 443 Cloud providers :12345 -> : 80 Other vulnerable devices :31234 -> : 53 DNS servers 18

Benign Forwards (on 110,000 hosts) • Torrent clients (uTorrent, libtorrent, ..) • Chat software (Whatsapp, Wechat, ..) 19

Conclusion UPnP • Ubiquous in home networks (tester in our github repo!) • Unfortunately still exposed to the Internet UPnP IGD • Allows configuring port forwards • Actively misused by malicious actors Remediation • Filter ingress 1900/UDP (common industry practice) 20

Internet Proxies

Proxies on the Internet Proxy Protocols Open connection for me! HTTP SOCKS • Non-persistent, temporary relays • We did an extensive analysis of the proxy ecosystem • Found 690,000 proxies, 3% (20,000) were open proxies! 21

Checking for Internal Access (on open proxies) HTTP Proxy Our Scanner CONNECT 127.0.0.1:22 HTTP/1.1 192.168.123.80:1080 22 23 80 21 25 Services listening on localhost 22

Checking for Internal Access (on open proxies) HTTP Proxy Our Scanner CONNECT 127.0.0.1:22 HTTP/1.1 192.168.123.80:1080 Establish TCP connection 22 23 80 21 25 Services listening on localhost 22

Checking for Internal Access (on open proxies) HTTP Proxy Our Scanner CONNECT 127.0.0.1:22 HTTP/1.1 192.168.123.80:1080 Establish TCP connection 22 23 80 21 25 Services listening on localhost HTTP/1.1 200 Connection Established 22

Checking for Internal Access (on open proxies) HTTP Proxy Our Scanner CONNECT 127.0.0.1:22 HTTP/1.1 192.168.123.80:1080 Establish TCP connection 22 23 80 21 25 Services listening on localhost 40% HTTP/1.1 200 Connection Established 22

Checking for Internal Access (on open proxies) HTTP Proxy Our Scanner CONNECT 127.0.0.1:22 HTTP/1.1 192.168.123.80:1080 Establish TCP connection 22 23 80 21 25 Services listening on localhost 40% HTTP/1.1 200 Connection Established SSH-2.0-OpenSSH_7.9p1 Debian-6 22

Checking for Internal Access (on open proxies) HTTP Proxy Our Scanner CONNECT 127.0.0.1:22 HTTP/1.1 192.168.123.80:1080 Establish TCP connection 22 23 80 21 25 Services listening on localhost 40% HTTP/1.1 200 Connection Established 23% SSH-2.0-OpenSSH_7.9p1 Debian-6 22

Takeaways • Two examples of protocols for crossing network boundaries • Enabling unwanted access to internal networks • At least one type is being actively exploited! Thanks for your attention! 23

Takeaways • Two examples of protocols for crossing network boundaries • Enabling unwanted access to internal networks • At least one type is being actively exploited! Thanks for your attention! https://github.com/RUB-SysSec/MiddleboxProtocolStudy/ 23