Universal Plug and Play IGD “A Fox in the Hen House” Jonathan Squire, CISSP August 8, 2008 http://www.bigbrainlabs.com/ Copyright © Jonathan Squire. All rights Reserved. 1 Abstract............................................................................................................................... 3 Introduction......................................................................................................................... 3 UPnP and SSDP - A High Level Overview.................................................................... 4 Addressing .................................................................................................................. 4 Locating Devices ........................................................................................................ 4 Device Descriptions.................................................................................................... 5 Accessing Services...................................................................................................... 6 UPnP IGD ....................................................................................................................... 7 Attacking UPnP IGD Enabled Devices .............................................................................. 7 AddPortMapping............................................................................................................. 7 Protocol Abuse................................................................................................................ 8 Forwarding to another local client .............................................................................. 8 Forwarding to an external system............................................................................... 9 Forwarding to the admin interface............................................................................ 10 Common UPnP IGD Implementation Flaws ................................................................ 11 IGD Management Interface ...................................................................................... 11 Unvalidated Parameters ............................................................................................ 11 UPnP IGD Additional Attack Scenarios....................................................................... 12 PPP Username and Password ................................................................................... 12 Local Network Configuration and MITM ................................................................ 12 Denial of Service....................................................................................................... 13 Vendor Specific Actions........................................................................................... 13 Rouge UPnP Devices................................................................................................ 13 Remote Attacks......................................................................................................... 14 Countermeasures............................................................................................................... 14 Host-Based Firewalls.................................................................................................... 14 Disable UPnP................................................................................................................ 14 IGD Management Interface .......................................................................................... 15 UPnP Authorization and Access Control...................................................................... 15 UPnP Watchdog............................................................................................................ 15 UPnPwn ............................................................................................................................ 16 UPnPwn.rb.................................................................................................................... 16 scpd2ruby.rb.................................................................................................................. 16 UPnPwn Class Library.................................................................................................. 17 IGD Testing Matrix....................................................................................................... 18 Future Work...................................................................................................................... 19 Contributing...................................................................................................................... 19 References and Further Reading....................................................................................... 19 2 Abstract Easy is the mantra of consumer devices these days. “Just plug it in and it works. No configuration needed.” All this simplicity hopefully causes one to pause and wonder, “How is this possible?” This paper will delve into the dangers of the often overlooked Universal Plug and Play (UPnP) Internet Gateway Device (IGD) profile. UPnP IGD is commonly enabled on modern home cable modem/wireless routers. UPnP IGD allows applications such as games and chat clients to request needed port forwards without the user’s intervention. There is no authentication required, and many of these routers do not even display these port mappings in their administrative interfaces. This paper will provide a high level overview of the basics of discovery of and communication with UPnP devices and will then move directly into potential classes of attack and areas of further research. This paper assumes the reader has a basic understanding of networking, SOAP, and other standards which UPnP is based upon. Introduction Universal Plug and Play (UPnP) is a group of protocols defined by the UPnP forum. UPnP’s goal is to simplify the setup and configuration of home networks and data sharing. UPnP is comprised of a number of standard profiles. This paper will chiefly focus on the Internet Gateway Device (IGD) profile and some of the sub profiles that apply to network security. The UPnP protocols are based on a number of internet standards including TCP, UDP, Multicast, XML, SOAP, HTTP and HTTP-U. 3 UPnP and SSDP - A High Level Overview Addressing One of the primary goals of UPnP is simple device setup and configuration. UPnP based devices generally acquire their network addresses via DHCP or in the absence of a DHCP server will select a random address from 169.254.0.0/16. Locating Devices Simple Service Discovery Protocol (SSDP) is used as the primary means of locating UPnP enabled devices. UPnP enabled devices send UDP multicast messages 239.255.255.250:1900 in order to participate in SSDP. All UPnP enabled devices listen on this address and will respond back with the appropriate message if applicable. Active Location 192.168.1.1 (LAN) The SSDP M-Search message is used when a device wishes to actively search for an UPnP resource. 239.255.255.250:1900 In this scenario, 192.168.1.100 wishes to discover all UPnP enabled devices and sends the following message to 239.255.255.250:1900 which will be propagated to all UPnP enabled devices. M-SEARCH * HTTP/1.1 ST: ssdp:all ` MX: 5 MAN: ssdp:discover 192.168.1.100 HOST: 239.255.255.250:1900 Devices which provide the requested services will respond back via a Unicast message to the original sender. In the above scenario 192.168.1.1 will respond directly back to 192.168.1.100. 192.168.1.1 (LAN) HTTP/1.1 200 OK ST: upnp:rootdevice USN: uuid:1329010-1ad7-10c2-9abc-001cc33fa2ca EXT: SERVER: VxWorks/5.0.1 UPnP/1.0 IGD/1.0 LOCATION: http://192.168.1.1:2468/IGDdesc CACHE-CONTROL: max-age = 126 Content-Length: 0 ` 192.168.1.100 4 Passive Location Instead of actively searching for devices, an alternative 192.168.1.1 (LAN) method is to listen passively for NOTIFY announcements. UPnP enabled devices send out these messages to 239.255.255.250:1900 under a number of circumstances and we can passively wait until a message 239.255.255.250:1900 arrives. NOTIFY * HTTP/1.1 ST: upnp:rootdevice USN: uuid:1329010-1ad7-10c2-9abc-001cc33fa2ca EXT: SERVER: VxWorks/5.0.1 UPnP/1.0 IGD/1.0 ` LOCATION: http://192.168.1.1:2468/IGDdesc CACHE-CONTROL: max-age = 126 Content-Length: 0 192.168.1.100 Device Descriptions After locating a device we must determine what services that device is capable of providing. In order to do this we need to locate the Location field in the header of one of our discovery messages. The location field will point to an XML file that can be retrieved via HTTP from the device. Within the XML we are interested in the service definitions that appear in the format: <service> <serviceType></serviceType> <serviceId></serviceId> <controlURL></controlURL> <eventSubURL></eventSubURL> <SCPDURL></SCPDURL> </service> Below is an example service that describes WANIPConnection:1: <service> <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType> <serviceId>urn:upnp-org:serviceId:WANIPConnection</serviceId> <controlURL>/WANIPConnectionControl</controlURL> <eventSubURL>/WANIPConnectionEvents</eventSubURL> <SCPDURL>/WANIPConnection.xml</SCPDURL> </service> 5 Accessing Services UPnP Services are accessed via SOAP calls. Each device will implement any number of different services and each service will have a number of actions associated with its specific profile. Each service specifies a controlURL which is the endpoint for SOAP messages. In order to determine what actions a specific service
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages19 Page
-
File Size-