UPnP Revisited The useful plug and pwn protocol Arron finux Finnon - - PowerPoint PPT Presentation

upnp revisited
SMART_READER_LITE
LIVE PREVIEW

UPnP Revisited The useful plug and pwn protocol Arron finux Finnon - - PowerPoint PPT Presentation

Dec 25, 2022 398 likes •855 views

UPnP Revisited The useful plug and pwn protocol Arron finux Finnon BSidesLondon 25/04/12 Disclaimer Expect The Following; Bad Language Mild Ranting Some Technical Stuff Plenty of Lulz Some Pwnage Jail Time If You Hack Someone Arron

slide-1
SLIDE 1

UPnP Revisited

The useful plug and pwn protocol

Arron “finux” Finnon BSidesLondon 25/04/12

slide-2
SLIDE 2

Disclaimer

Expect The Following; Bad Language Mild Ranting Some Technical Stuff Plenty of Lulz Some Pwnage Jail Time If You Hack Someone

Arron “finux” Finnon BSidesLondon 25/04/12

slide-3
SLIDE 3

Today's Outcomes

What you should leave with

Arron “finux” Finnon BSidesLondon 25/04/12

slide-4
SLIDE 4

UPnP Is Inherently Insecure

Shit be batshit insane bro!!!!

Arron “finux” Finnon BSidesLondon 25/04/12

slide-5
SLIDE 5

UPnP Is Hard To Mitigate

Disabling it will not fix it!

Arron “finux” Finnon BSidesLondon 25/04/12

slide-6
SLIDE 6

How You Can Audit UPnP

Yeah right, show me the hacks!

Arron “finux” Finnon BSidesLondon 25/04/12

slide-7
SLIDE 7

So What Is UPnP

You know, its the thing you all disable

Arron “finux” Finnon BSidesLondon 25/04/12

slide-8
SLIDE 8

One Definition for UPnP:

“A protocol that allows devices on a network to communicate with each other seamlessly”

bittorrent.com

Arron “finux” Finnon BSidesLondon 25/04/12

slide-9
SLIDE 9

Another Definition of UPnP:

“Its like a dynamic firewall protocol”

Lee Hughes - BSidesVienna 2011

Arron “finux” Finnon BSidesLondon 25/04/12

slide-10
SLIDE 10

Seamless Interconnectivity

Fancy way of saying “linking shit together”

Arron “finux” Finnon BSidesLondon 25/04/12

slide-11
SLIDE 11

The First Gotcha - Seamlessly

another way of saying no validation

Arron “finux” Finnon BSidesLondon 25/04/12

slide-12
SLIDE 12

THE TRUSTING PROTOCOL

Well in most cases your on the network. Which Obviously means your welcome to make UPnP requests

Arron “finux” Finnon BSidesLondon 25/04/12

slide-13
SLIDE 13

Lack of Authentication

It's a pretty big issue

Arron “finux” Finnon BSidesLondon 25/04/12

slide-14
SLIDE 14

Many UPnP Implementations

Its everywhere, no where is safe!

Arron “finux” Finnon BSidesLondon 25/04/12

slide-15
SLIDE 15

Examples

Arron “finux” Finnon BSidesLondon 25/04/12

Skype PS3 Torrent Clients MSN Media Servers VoIP Smart Phones Wifi Access Points Internet Gateways Printers Personal Computers Windows iPhones

slide-16
SLIDE 16

How Does It Work

This will be the techie bit

Arron “finux” Finnon BSidesLondon 25/04/12

slide-17
SLIDE 17

UPnP Process

0 – Addressing

Arron “finux” Finnon BSidesLondon 25/04/12

1 – Discovery 2 – Description 3 – Control 4 – Eventing 5 – Presentation

Through the description process, vital information for interaction with the control point is delivered. SOAP requests are sent to the specified control points, different functions are executed. This is where the actual execution of the actions like port mapping happen. Announcements using SSDP. Devices send multicast search requests using HTTPU. Control points respond with HTTPU packets that specify a location for the XML description file. Addressing methods used by devices in addition to rules being established for devices that are unable to obtain an address through DHCP. The referral to an HTML-based user interface for controlling and/or viewing the device status. Control points listen to changes in devices. After the discovery of the XML description file location, the device downloads the XML to discover the different services and actions that the device has available

slide-18
SLIDE 18

Simple Process

Discovery, Description, Control

Arron “finux” Finnon BSidesLondon 25/04/12

slide-19
SLIDE 19

Abilities Detailed By XML

Ask and you shall receive

Arron “finux” Finnon BSidesLondon 25/04/12

slide-20
SLIDE 20

Example XML

I'll fire up the description files!!!

Arron “finux” Finnon BSidesLondon 25/04/12

slide-21
SLIDE 21

How It Is Used In Practice

You know, its intended use

Arron “finux” Finnon BSidesLondon 25/04/12

slide-22
SLIDE 22

Skype: Ding, Ding, Service Please

Arron “finux” Finnon BSidesLondon 25/04/12

IGD: What Can I Do For You Today Skype: I would Like A Port Please, and its traffic please. IGD: Sure, what table are you at? Skype: I'm sitting at 192.168.1.100

*IGD = Internet Gateway Device – aka router

slide-23
SLIDE 23

The Second – Gottcha

In most cases the data supplied is trusted

Arron “finux” Finnon BSidesLondon 25/04/12

slide-24
SLIDE 24

UPnP Hack Number 1

I talked about this last year

Arron “finux” Finnon BSidesLondon 25/04/12

slide-25
SLIDE 25

Dynamic Port Mapping

That's what an app opening a port on a IGD is called

Arron “finux” Finnon BSidesLondon 25/04/12

slide-26
SLIDE 26

TCP 30331->192.168.1.100:30331 'Skype'

Arron “finux” Finnon BSidesLondon 25/04/12

A Port Map Looks Like This:

So the IGD has opened port 30331 externally and is filtering traffic to port 30331 internally to 192.168.1.100

slide-27
SLIDE 27

We supply the IP address

Arron “finux” Finnon BSidesLondon 25/04/12

The Issue In Play

slide-28
SLIDE 28

TCP 1337->192.168.1.1:80 'pwn3d'

Arron “finux” Finnon BSidesLondon 25/04/12

Think About This:

So the IGD has opened port 1337 externally and is filtering traffic to port 80 internally to 192.168.1.1

slide-29
SLIDE 29

I've banged on enough about what it is

Arron “finux” Finnon BSidesLondon 25/04/12

That Is Just The Beginning

slide-30
SLIDE 30

As far back as '99

Arron “finux” Finnon BSidesLondon 25/04/12

Its Has Long A Long History

slide-31
SLIDE 31

Guess what? It was set up by Microsoft

Arron “finux” Finnon BSidesLondon 25/04/12

The UPnP Forum

slide-32
SLIDE 32

2001 – Multiple DoS attacks in Windows UPnP Stack

Arron “finux” Finnon BSidesLondon 25/04/12

Its Insecurity Time Line

2001 – Multiple BoF in Windows UPnP Stack 2003 – Stickler Discusses UPnP information Disclosure 2006 – Hemel Starts www.upnp-hacks.org 2008 – GNUCitizen Totally Pwn's BT HH 2011 – Finux Goes To BSidesVienna to Chat About UPnP 2011 – Kaminsky – He also did some UPnP shit! 2011 – Garcia – Some IGD will accept remote Commands 2012 – You guys voted to hear about UPnP hacking

slide-33
SLIDE 33

Example time!!!!!

Arron “finux” Finnon BSidesLondon 25/04/12

So Lets Get Some Meat On It

slide-34
SLIDE 34

These tools are in Ubuntu Repositories

Arron “finux” Finnon BSidesLondon 25/04/12

I'm Gonna Show Some Videos

*Unless Otherwise Stated

slide-35
SLIDE 35

That UPnP devs batshit inane!

Arron “finux” Finnon BSidesLondon 25/04/12

So What Did Garcia Discover

slide-36
SLIDE 36

Yeah, you read that right!

Arron “finux” Finnon BSidesLondon 25/04/12

Remote IGD UPnP Command

slide-37
SLIDE 37

Arron “finux” Finnon BSidesLondon 25/04/12

The Guilty Parties

slide-38
SLIDE 38

Arron “finux” Finnon BSidesLondon 25/04/12

UMap Flow Process

slide-39
SLIDE 39

Hang on tight!!!!

Arron “finux” Finnon BSidesLondon 25/04/12

Conclusion Time

slide-40
SLIDE 40

Arron “finux” Finnon BSidesLondon 25/04/12

Why You So Insecure!

slide-41
SLIDE 41

Arron “finux” Finnon BSidesLondon 25/04/12

It Will Never Be Secure

slide-42
SLIDE 42

Arron “finux” Finnon BSidesLondon 25/04/12

My Final Thoughts

slide-43
SLIDE 43

Ask question, buy me beer!

Arron “finux” Finnon BSidesLondon 25/04/12

Thanks BSidesLondon

slide-44
SLIDE 44

Email : finux@finux.co.uk

Arron “finux” Finnon BSidesLondon 25/04/12

Contact Details

Twitter : www.twitter.com/f1nux Podcast : www.finux.co.uk Linked in : http://uk.linkedin.com/in/finnon