[PPT] - On Using Application-Layer Middlebox Protocols for Peeking Behind PowerPoint Presentation

SLIDE 1

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways

Teemu Rytilahti, Thorsten Holz Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany Network and Distributed System Security Symposium 2020

1

SLIDE 2

Motivation

Internal Network External Network

S A

B O U N D A R Y

2

SLIDE 3

Motivation

Internal Network External Network

S A

B O U N D A R Y

2

SLIDE 4

Motivation

Internal Network External Network

S A

B O U N D A R Y

2

SLIDE 5

Motivation

SOCKS HTTP

Proxy Protocols Open connection for me!

2

SLIDE 6

Motivation

SOCKS HTTP

Proxy Protocols Open connection for me! NAT Traversal Protocols

NAT-PMP PCP UPnP IGD

Forward traffic to me!

2

SLIDE 7

Idea!

What if we could use these protocols to access networks that are otherwise “hidden”?

3

SLIDE 8

Universal Plug’n’Play (UPnP)

SLIDE 9

UPnP - Discovering Devices

Local Network

4

SLIDE 10

UPnP - Discovering Devices

Local Network

Hey, anyone out there?

4

SLIDE 11

UPnP - Discovering Devices

Local Network

Hi, it's me, your telly! H a l l

,

y

u

r r

u

t e r h e r e !

4

SLIDE 12

UPnP - Discovering Devices

Local Network

4

SLIDE 13

UPnP - Finding Services

Ah, there you are! What can you do for me?

5

SLIDE 14

UPnP - Finding Services

Ah, there you are! What can you do for me? W e l l , I c a n d

m

a n y t h i n g s ! H

w

a b

u

t a p

r

t f

r

w a r d ?

5

SLIDE 15

UPnP - Executing Actions

Good idea! I'm waiting for friends on 1234/UDP . Would you mind letting them in?

6

SLIDE 16

UPnP - Executing Actions

Good idea! I'm waiting for friends on 1234/UDP . Would you mind letting them in? C

n

s i d e r i t d

n

e !

6

SLIDE 17

Food for Thought

What if I say that there are UPnP devices exposed to the Internet?

7

SLIDE 18

Finding UPnP IGD Devices on the Internet

Our Approach

1. Discovering UPnP Devices
2. Finding IGD Services
3. Enumerating Existing Forwards

8

SLIDE 19

1. Discovering UPnP Devices

ZMap

1900/UDP 200 OK LOCATION: http://10.0.0.1/gatedesc.xml M-SEARCH ST: "ssdp:all"

9

SLIDE 20

UPnP Devices (2,800,000 hosts)

non-1900 66% 1900 34%

DoS Amplifiers: 2.8M

10

SLIDE 21

UPnP Devices (2,800,000 hosts)

non-1900 66% 1900 34%

DoS Amplifiers: 2.8M With vanilla ZMap

10

SLIDE 22

2. Finding WAN*Connection services

Our Scanner

GET /gatedesc.xml <service> <serviceT ype>WANIPConnection</servicetype> <controlURL>/ctl/IPConn</controlURL> </service> Device Description File

11

SLIDE 23

Exposed HTTP endpoints (1,100,000 hosts)

non-1900 66% 1900 34%

DoS Amplifiers: 2.8M

4 2 % 31%

Control endpoints: 1,1M

12

SLIDE 24

Exposed Port Forward Controls (480,000 hosts)

non-1900 66% 1900 34%

DoS Amplifiers: 2.8M

4 2 % 31%

Control endpoints: 1,1M

34% 74%

Port forward controls: 480k

13

SLIDE 25

3. Listing Existing Port Forwards

Our Scanner

Enumerate incrementing index until receiving an error. POST /ctl/IPConn HTTP/1.1 <GetGenericPortMappingEntry> <NewPortMappingIndex>index</NewPortMappingIndex> </GetGenericPortMappingEntry>

14

SLIDE 26

3. Listing Existing Port Forwards

Our Scanner

Enumerate incrementing index until receiving an error. POST /ctl/IPConn HTTP/1.1 <GetGenericPortMappingEntry> <NewPortMappingIndex>index</NewPortMappingIndex> </GetGenericPortMappingEntry> <GetGenericPortMappingEntryResponse> <NewExternalPort>1337</NewExternalPort> <NewInternalClient>127.0.0.1</NewInternalClient> <NewInternalPort>443</NewInternalPort> <NewProtocol>TCP</NewProtocol> <NewPortMappingDescription> Allow remote configuration! </NewPortMappingDescription> </GetGenericPortMappingEntryResponse>

14

SLIDE 27

3. Listing Existing Port Forwards

Our Scanner

Enumerate incrementing index until receiving an error. POST /ctl/IPConn HTTP/1.1 <GetGenericPortMappingEntry> <NewPortMappingIndex>index</NewPortMappingIndex> </GetGenericPortMappingEntry> <GetGenericPortMappingEntryResponse> <NewExternalPort>1337</NewExternalPort> <NewInternalClient>127.0.0.1</NewInternalClient> <NewInternalPort>443</NewInternalPort> <NewProtocol>TCP</NewProtocol> <NewPortMappingDescription> Allow remote configuration! </NewPortMappingDescription> </GetGenericPortMappingEntryResponse>

Source & destination, protocol Description

14

SLIDE 28

Hosts with Forwards (130,000 hosts)

non-1900 66% 1900 34%

DoS Amplifiers: 2.8M

4 2 % 31%

Control endpoints: 1,1M

34% 74%

Port forward controls: 480k

1 % 47%

With forwards: 130k

15

SLIDE 29

Categorizing Forwards

1. Forwards with “galleta silenciosa” (42,000 hosts)
2. Forwards to external target IP addresses (18,000 hosts)
3. Rest of the forwards we consider benign (110,000 hosts)

16

SLIDE 30

Galleta silenciosa – Silent cookie (On 42,000 hosts)

192.168.1.0/24

S A :12345 -> 192.168.1.2:139 : 3 1 2 3 5

>

1 9 2 . 1 6 8 . 1 . 3 : 1 3 9

17

SLIDE 31

Galleta silenciosa – Silent cookie (On 42,000 hosts)

192.168.1.0/24

S A :12345 -> 192.168.1.2:139 : 3 1 2 3 5

>

1 9 2 . 1 6 8 . 1 . 3 : 1 3 9 : 1 2 5 2 1

>

1 9 2 . 1 6 8 . 1 . 2 5 3 : 4 4 5 :43123 -> 192.0.1.254:445

17

SLIDE 32

External Forwards (on 18,000 hosts)

Cloud providers :64611 -> :443 18

SLIDE 33

External Forwards (on 18,000 hosts)

Cloud providers :64611 -> :443 Other vulnerable devices :12345 -> :80 18

SLIDE 34

External Forwards (on 18,000 hosts)

Cloud providers :64611 -> :443 Other vulnerable devices :12345 -> :80 DNS servers :31234 -> :53 18

SLIDE 35

Benign Forwards (on 110,000 hosts)

Torrent clients (uTorrent, libtorrent, ..)
Chat software (Whatsapp, Wechat, ..)

19

SLIDE 36

Conclusion

UPnP

Ubiquous in home networks (tester in our github repo!)
Unfortunately still exposed to the Internet

UPnP IGD

Allows configuring port forwards
Actively misused by malicious actors

Remediation

Filter ingress 1900/UDP (common industry practice)

20

SLIDE 37

Internet Proxies

SLIDE 38

Proxies on the Internet SOCKS HTTP

Proxy Protocols Open connection for me!

Non-persistent, temporary relays
We did an extensive analysis of the proxy ecosystem
Found 690,000 proxies, 3% (20,000) were open proxies!

21

SLIDE 39

Checking for Internal Access (on open proxies)

Our Scanner

192.168.123.80:1080

HTTP Proxy

Services listening on localhost 22 21 23 25 80 CONNECT 127.0.0.1:22 HTTP/1.1 22

SLIDE 40

Checking for Internal Access (on open proxies)

Our Scanner

192.168.123.80:1080

HTTP Proxy

Services listening on localhost 22 21 23 25 80 CONNECT 127.0.0.1:22 HTTP/1.1 Establish TCP connection 22

SLIDE 41

Checking for Internal Access (on open proxies)

Our Scanner

192.168.123.80:1080

HTTP Proxy

Services listening on localhost 22 21 23 25 80 CONNECT 127.0.0.1:22 HTTP/1.1 Establish TCP connection HTTP/1.1 200 Connection Established 22

SLIDE 42

Checking for Internal Access (on open proxies)

Our Scanner

192.168.123.80:1080

HTTP Proxy

Services listening on localhost 22 21 23 25 80 CONNECT 127.0.0.1:22 HTTP/1.1 Establish TCP connection HTTP/1.1 200 Connection Established

40%

22

SLIDE 43

Checking for Internal Access (on open proxies)

Our Scanner

192.168.123.80:1080

HTTP Proxy

Services listening on localhost 22 21 23 25 80 CONNECT 127.0.0.1:22 HTTP/1.1 Establish TCP connection HTTP/1.1 200 Connection Established

40%

SSH-2.0-OpenSSH_7.9p1 Debian-6 22

SLIDE 44

Checking for Internal Access (on open proxies)

Our Scanner

192.168.123.80:1080

HTTP Proxy

Services listening on localhost 22 21 23 25 80 CONNECT 127.0.0.1:22 HTTP/1.1 Establish TCP connection HTTP/1.1 200 Connection Established

40%

SSH-2.0-OpenSSH_7.9p1 Debian-6

23%

22

SLIDE 45

Takeaways

Two examples of protocols for crossing network boundaries
Enabling unwanted access to internal networks
At least one type is being actively exploited!

Thanks for your attention!

23

SLIDE 46

Takeaways

Two examples of protocols for crossing network boundaries
Enabling unwanted access to internal networks
At least one type is being actively exploited!

Thanks for your attention!

https://github.com/RUB-SysSec/MiddleboxProtocolStudy/

23