upnp revisited
play

UPnP Revisited The useful plug and pwn protocol Arron finux Finnon - PowerPoint PPT Presentation

Dec 25, 2022 •398 likes •855 views

UPnP Revisited The useful plug and pwn protocol Arron finux Finnon BSidesLondon 25/04/12 Disclaimer Expect The Following; Bad Language Mild Ranting Some Technical Stuff Plenty of Lulz Some Pwnage Jail Time If You Hack Someone Arron

  1. UPnP Revisited The useful plug and pwn protocol Arron “finux” Finnon BSidesLondon 25/04/12

  2. Disclaimer Expect The Following; Bad Language Mild Ranting Some Technical Stuff Plenty of Lulz Some Pwnage Jail Time If You Hack Someone Arron “finux” Finnon BSidesLondon 25/04/12

  3. Today's Outcomes What you should leave with Arron “finux” Finnon BSidesLondon 25/04/12

  4. UPnP Is Inherently Insecure Shit be batshit insane bro!!!! Arron “finux” Finnon BSidesLondon 25/04/12

  5. UPnP Is Hard To Mitigate Disabling it will not fix it! Arron “finux” Finnon BSidesLondon 25/04/12

  6. How You Can Audit UPnP Yeah right, show me the hacks! Arron “finux” Finnon BSidesLondon 25/04/12

  7. So What Is UPnP You know, its the thing you all disable Arron “finux” Finnon BSidesLondon 25/04/12

  8. One Definition for UPnP: “A protocol that allows devices on a network to communicate with each other seamlessly” bittorrent.com Arron “finux” Finnon BSidesLondon 25/04/12

  9. Another Definition of UPnP: “Its like a dynamic firewall protocol” Lee Hughes - BSidesVienna 2011 Arron “finux” Finnon BSidesLondon 25/04/12

  10. Seamless Interconnectivity Fancy way of saying “linking shit together” Arron “finux” Finnon BSidesLondon 25/04/12

  11. The First Gotcha - Seamlessly another way of saying no validation Arron “finux” Finnon BSidesLondon 25/04/12

  12. THE TRUSTING PROTOCOL Well in most cases your on the network. Which Obviously means your welcome to make UPnP requests Arron “finux” Finnon BSidesLondon 25/04/12

  13. Lack of Authentication It's a pretty big issue Arron “finux” Finnon BSidesLondon 25/04/12

  14. Many UPnP Implementations Its everywhere, no where is safe! Arron “finux” Finnon BSidesLondon 25/04/12

  15. Examples Personal Computers Windows Skype Torrent Clients PS3 Printers Smart Phones Internet Gateways MSN VoIP Media Servers iPhones Wifi Access Points Arron “finux” Finnon BSidesLondon 25/04/12

  16. How Does It Work This will be the techie bit Arron “finux” Finnon BSidesLondon 25/04/12

  17. UPnP Process 0 – Addressing Addressing methods used by devices in addition to rules being established for devices that are unable to obtain an address through DHCP. 1 – Discovery Announcements using SSDP. Devices send multicast search requests using HTTPU. Control points respond with HTTPU packets that specify a location for the XML description file. 2 – Description After the discovery of the XML description file location, the device downloads the XML to discover the different services and actions that the device has available Through the description process, vital information for interaction 3 – Control with the control point is delivered. SOAP requests are sent to the specified control points, different functions are executed. This is where the actual execution of the actions like port mapping happen. 4 – Eventing Control points listen to changes in devices. 5 – Presentation The referral to an HTML-based user interface for controlling and/or viewing the device status. Arron “finux” Finnon BSidesLondon 25/04/12

  18. Simple Process Discovery, Description, Control Arron “finux” Finnon BSidesLondon 25/04/12

  19. Abilities Detailed By XML Ask and you shall receive Arron “finux” Finnon BSidesLondon 25/04/12

  20. Example XML I'll fire up the description files!!! Arron “finux” Finnon BSidesLondon 25/04/12

  21. How It Is Used In Practice You know, its intended use Arron “finux” Finnon BSidesLondon 25/04/12

  22. Skype: Ding, Ding, Service Please IGD: What Can I Do For You Today Skype: I would Like A Port Please, and its traffic please. IGD: Sure, what table are you at? Skype: I'm sitting at 192.168.1.100 *IGD = Internet Gateway Device – aka router Arron “finux” Finnon BSidesLondon 25/04/12

  23. The Second – Gottcha In most cases the data supplied is trusted Arron “finux” Finnon BSidesLondon 25/04/12

  24. UPnP Hack Number 1 I talked about this last year Arron “finux” Finnon BSidesLondon 25/04/12

  25. Dynamic Port Mapping That's what an app opening a port on a IGD is called Arron “finux” Finnon BSidesLondon 25/04/12

  26. A Port Map Looks Like This: TCP 30331->192.168.1.100:30331 'Skype' So the IGD has opened port 30331 externally and is filtering traffic to port 30331 internally to 192.168.1.100 Arron “finux” Finnon BSidesLondon 25/04/12

  27. The Issue In Play We supply the IP address Arron “finux” Finnon BSidesLondon 25/04/12

  28. Think About This: TCP 1337->192.168.1.1:80 'pwn3d' So the IGD has opened port 1337 externally and is filtering traffic to port 80 internally to 192.168.1.1 Arron “finux” Finnon BSidesLondon 25/04/12

  29. That Is Just The Beginning I've banged on enough about what it is Arron “finux” Finnon BSidesLondon 25/04/12

  30. Its Has Long A Long History As far back as '99 Arron “finux” Finnon BSidesLondon 25/04/12

  31. The UPnP Forum Guess what? It was set up by Microsoft Arron “finux” Finnon BSidesLondon 25/04/12

  32. Its Insecurity Time Line 2001 – Multiple DoS attacks in Windows UPnP Stack 2001 – Multiple BoF in Windows UPnP Stack 2003 – Stickler Discusses UPnP information Disclosure 2006 – Hemel Starts www.upnp-hacks.org 2008 – GNUCitizen Totally Pwn's BT HH 2011 – Finux Goes To BSidesVienna to Chat About UPnP 2011 – Garcia – Some IGD will accept remote Commands 2011 – Kaminsky – He also did some UPnP shit! 2012 – You guys voted to hear about UPnP hacking Arron “finux” Finnon BSidesLondon 25/04/12

  33. So Lets Get Some Meat On It Example time!!!!! Arron “finux” Finnon BSidesLondon 25/04/12

  34. I'm Gonna Show Some Videos These tools are in Ubuntu Repositories *Unless Otherwise Stated Arron “finux” Finnon BSidesLondon 25/04/12

  35. So What Did Garcia Discover That UPnP devs batshit inane! Arron “finux” Finnon BSidesLondon 25/04/12

  36. Remote IGD UPnP Command Yeah, you read that right! Arron “finux” Finnon BSidesLondon 25/04/12

  37. The Guilty Parties Arron “finux” Finnon BSidesLondon 25/04/12

  38. UMap Flow Process Arron “finux” Finnon BSidesLondon 25/04/12

  39. Conclusion Time Hang on tight!!!! Arron “finux” Finnon BSidesLondon 25/04/12

  40. Why You So Insecure! Arron “finux” Finnon BSidesLondon 25/04/12

  41. It Will Never Be Secure Arron “finux” Finnon BSidesLondon 25/04/12

  42. My Final Thoughts Arron “finux” Finnon BSidesLondon 25/04/12

  43. Thanks BSidesLondon Ask question, buy me beer! Arron “finux” Finnon BSidesLondon 25/04/12

  44. Contact Details Email : finux@finux.co.uk Twitter : www.twitter.com/f1nux Podcast : www.finux.co.uk Linked in : http://uk.linkedin.com/in/finnon Arron “finux” Finnon BSidesLondon 25/04/12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UPnP: Unlimited Proxies and Pwnage Waylon Grange Sr. Threat Researcher, Symantec

UPnP: Unlimited Proxies and Pwnage Waylon Grange Sr. Threat Researcher, Symantec

UPnP: Unlimited Proxies and Pwnage Waylon Grange Sr. Threat Researcher, Symantec @professor__plum Exploits long forgotten UPnP (SSDP) DDoS P n P U Most people think of DDoS attacks when asked about UPnP abuse These attacks are

489 views • 32 slides
UPnP / DLNA plugin Smit Mehta GSoC 2012 - KDE Digikam Akademy 2012 Overview UPnP (Universal

UPnP / DLNA plugin Smit Mehta GSoC 2012 - KDE Digikam Akademy 2012 Overview UPnP (Universal

UPnP / DLNA plugin Smit Mehta GSoC 2012 - KDE Digikam Akademy 2012 Overview UPnP (Universal Plug and Play) is a set of protocols which allows discovery of and access to media contents in a home network (connected via router) DLNA

791 views • 9 slides
1 Introduction continued Introduction continued UPnP is for automatic device configuration

1 Introduction continued Introduction continued UPnP is for automatic device configuration

Acknowledgments Thanks to: Design and Evaluation of Power Dr. Christensen, USF Management Support for UPnP Devices Dr. Nyberg, LTH Dr. Labrador and Dr. Rundus, USF Jakob Klamra and Martin Olsson Department of Communication Systems

349 views • 8 slides
Attacking UPnP The useful plug and pwn protocol Arron "finux" Finnon

Attacking UPnP The useful plug and pwn protocol Arron "finux" Finnon

Attacking UPnP The useful plug and pwn protocol Arron "finux" Finnon www.finux.co.uk finux@finux.co.uk www.twitter.com/f1nux www.facebook.com/finux BsidesVienna June 18 th 2011 Outline What is UPnP?

308 views • 20 slides
Universal Plug and Play (UPnP) Internet Gateway Device (IGD)- Port Control Protocol (PCP)

Universal Plug and Play (UPnP) Internet Gateway Device (IGD)- Port Control Protocol (PCP)

IETF 80 th Universal Plug and Play (UPnP) Internet Gateway Device (IGD)- Port Control Protocol (PCP) Interworking Function draft-bpw-pcp-upnp-igd-interworking-02 IETF 80-Prague, March 2011 M. Boucadair, R. Penno, D. Wing, F. Dupont 1 IETF 80

153 views • 11 slides
Probe and Pray: Using UPnP for Home Network Measurements

Probe and Pray: Using UPnP for Home Network Measurements

Probe and Pray: Using UPnP for Home Network Measurements Renata Teixeira Laboratoire LIP6 CNRS and UPMC Sorbonne Universits Lucas Di Cioccio

446 views • 16 slides
Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and

Hom and Ext, Revisited Hom and Ext, Revisited Justin Lyle Lawrence, KS justin.lyle@ku.edu April 28, 2018 JL Hom and Ext, Revisited Hom and Ext, Revisited Joint work with Hailong Dao and Mohammad Eghbali JL Hom and Ext, Revisited Hom

871 views • 45 slides
6 Decision- -Making Making MVC (revisited) 6 Decision MVC (revisited) decision

6 Decision- -Making Making MVC (revisited) 6 Decision MVC (revisited) decision

6 Decision- -Making Making MVC (revisited) 6 Decision MVC (revisited) decision decision - - m m a a king and games king and games model state instance core structures levels of decision levels of decision- -making

148 views • 4 slides
Calibration Revisited Jan Kodovsk, Jessica Fridrich September 7, 2009 / ACM MM&Sec 09

Calibration Revisited Jan Kodovsk, Jessica Fridrich September 7, 2009 / ACM MM&Sec 09

Calibration Revisited Jan Kodovsk, Jessica Fridrich September 7, 2009 / ACM MM&Sec 09 Calibration Revisited 1 / 16 What is Calibration? 2002 - Calibration introduced (attack on F5) Part of feature extraction procedure for blind

544 views • 43 slides
CEPH WIRE PROTOCOL REVISITED CEPH WIRE PROTOCOL REVISITED MESSENGER V2 MESSENGER V2 Ricardo

CEPH WIRE PROTOCOL REVISITED CEPH WIRE PROTOCOL REVISITED MESSENGER V2 MESSENGER V2 Ricardo

CEPH WIRE PROTOCOL REVISITED CEPH WIRE PROTOCOL REVISITED MESSENGER V2 MESSENGER V2 Ricardo Dias | rdias@suse.com FOSDEM'19 - Soware Defined Storage devroom OUTLINE OUTLINE What is the Ceph messenger Messenger API Messenger V1

1.01k views • 63 slides
lecture 21 Input / Output (I/O) 3 - system bus and memory (lectures 16-18 revisited) -

lecture 21 Input / Output (I/O) 3 - system bus and memory (lectures 16-18 revisited) -

lecture 21 Input / Output (I/O) 3 - system bus and memory (lectures 16-18 revisited) - system bus and interrupts - exceptions (lecture 12 revisited) Wed. March 3, 2016 Let's review what happens when there is a TLB miss. In

504 views • 32 slides
Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of

Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of

CYBER-INSURANCE REVISITED Cyber-Insurance Revisited Workshop on the Economics of Information Security Kennedy School of Government Harvard University 03 June 2005 Rainer Bhme rainer.boehme@inf.tu-dresden.de Department of Computer Science

389 views • 22 slides
Presentation schedule revisited Politeness Positive and negative politeness Form

Presentation schedule revisited Politeness Positive and negative politeness Form

Presentation schedule revisited Politeness Positive and negative politeness Form and Function; Context and Presupposition Politeness, refinement, manners, and cultural capital Presentation schedule revisited Politeness

471 views • 18 slides
Hard State Revisited: Network Filesystems Hard State Revisited: Network Filesystems Jeff Chase

Hard State Revisited: Network Filesystems Hard State Revisited: Network Filesystems Jeff Chase

Hard State Revisited: Network Filesystems Hard State Revisited: Network Filesystems Jeff Chase CPS 212, Fall 2000 Network File System (NFS) Network File System (NFS) server client syscall layer user programs VFS syscall layer NFS VFS

430 views • 29 slides
VCSE Conference Brave New World Revisited 22 nd March 2016 AJ Bell Stadium Making a

VCSE Conference Brave New World Revisited 22 nd March 2016 AJ Bell Stadium Making a

VCSE Conference Brave New World Revisited 22 nd March 2016 AJ Bell Stadium Making a difference in Salford since 1973 Welcome and Introductions Alison Page Chief Executive Salford CVS Welcome to Brave New World Revisited Huxley

929 views • 62 slides
BroCon 17 Lightning Talks Blacklists Revisited Aashish Sharma asharma@lbl.gov Blacklists

BroCon 17 Lightning Talks Blacklists Revisited Aashish Sharma asharma@lbl.gov Blacklists

BroCon 17 Lightning Talks Blacklists Revisited Aashish Sharma asharma@lbl.gov Blacklists Revisited Lightening Talk BroCon, 2017 Problem Problem: Blocking Bad Badness keeps increasing on the internet How to manage blocking and more so

1.32k views • 70 slides
DENSE: 2D Flow Gating Phil De Jager Aaron Brandes Nov. 30, 2012

DENSE: 2D Flow Gating Phil De Jager Aaron Brandes Nov. 30, 2012

DENSE: 2D Flow Gating Phil De Jager Aaron Brandes Nov. 30, 2012 FlowCAP III Introduction: DENSE Challenge 4: Cyto-trol GaDng Goal: Method that finds

304 views • 12 slides
Half Year Results 2011 Continuing the Phoenix journey 25 August 2011 Agenda Introduction &

Half Year Results 2011 Continuing the Phoenix journey 25 August 2011 Agenda Introduction &

Half Year Results 2011 Continuing the Phoenix journey 25 August 2011 Agenda Introduction & business update Clive Bannister Group Chief Executive Financial review Jonathan Yates Group Finance Director Summary and Q&A Clive

621 views • 35 slides
Improved strategies for branching L. Liberti, G. Nannicini on general disjunctions Introduction

Improved strategies for branching L. Liberti, G. Nannicini on general disjunctions Introduction

Improved strategies for branching on general disjunctions G. Cornu ejols, Improved strategies for branching L. Liberti, G. Nannicini on general disjunctions Introduction Theoretical foundations ejols 1 , Leo Liberti 2 , Giacomo

736 views • 41 slides
Implementing Zero Based Budgeting Click to edit Master subtitle style Chris Winter, Heinz An

Implementing Zero Based Budgeting Click to edit Master subtitle style Chris Winter, Heinz An

Implementing Zero Based Budgeting Click to edit Master subtitle style Chris Winter, Heinz An introduction to Heinz A Brief History of Heinz Founded by Henry J Heinz in 1869 First product was Horseradish in clear jars First order for

349 views • 33 slides
results 15 February 2011 Discussion topics Business update and result overview Tom Gorman, CEO

results 15 February 2011 Discussion topics Business update and result overview Tom Gorman, CEO

2011 first-half results 15 February 2011 Discussion topics Business update and result overview Tom Gorman, CEO Result analysis Greg Hayes, CFO Outlook Growth initiatives update Tom Gorman, CEO Emerging economies focus Summary 2

1.25k views • 46 slides
Multiobjective Optimization Performance Measures in Many-Objective Optimization Facult: Eduardo

Multiobjective Optimization Performance Measures in Many-Objective Optimization Facult: Eduardo

Multiobjective Optimization Performance Measures in Many-Objective Optimization Facult: Eduardo G. Carrano Frederico G. Guimares Lucas S. Batista {egcarrano,fredericoguimaraes,lusoba}@ufmg.br www.ppgee.ufmg.br/ lusoba Universidade

229 views • 12 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
2015 Half Year Results 19th August 2015 Agenda Group Overview Henry Engelhardt, CEO Italy

2015 Half Year Results 19th August 2015 Agenda Group Overview Henry Engelhardt, CEO Italy

2015 Half Year Results 19th August 2015 Agenda Group Overview Henry Engelhardt, CEO Italy Geraint Jones, CFO US Spain Cristina Nestares, Admiral Seguros CEO France Pascal Gonzalvez, Lolivier assurance auto CEO David Stevens, COO UK

658 views • 55 slides

More recommend