Wednesday, January 30, 2013

Security QuickGuide: UPnP Vulnerabilities

Yesterday, the US Computer Emergency Response Team released an advisory concerning vulnerabilities in the Universal Plug and Play (UPnP) protocol suite. Because of the widespread use of UPnP, this issue has some potential for broad impact.

What is UPnP?
UPnP is actually a collection of protocols that allows devices to easily advertise services within a networked environment and to establish ad hoc service paths for file sharing, gaming, printing, and other common services. The UPnP architecture was principally designed for residential environments, to let consumers interconnect their devices more easily without the need for a central directory. It's important to keep in mind that UPnP isn't a terribly secure protocol framework. It employs no authentication between devices or service sets and therefore is not appropriate for use in enterprise environments.

What is The Issue?
Rapid7 recently discovered and published a paper and advisory on buffer-overflow vulnerabilities in UPnP, affecting devices that embed older, unpatched revisions of UPnP SDKs/libraries. The vulnerability manifests in the incorrect handling of malformed frames used by the SSDP discovery service protocol. Unfortunately, it takes only one malformed UDP packet to exploit this weakness (anyone remember SQL Slammer?). These buffer overflows may be used for remote code execution attacks against a family or grouping of susceptible devices.

How To Address This
First, you shouldn't assume the sky is falling. However, it would be wise to perform a directed risk assessment to determine whether you have devices with UPnP turned on and whether or not they may be vulnerable. Even in enterprise computing environments, you can expect that printers and other devices may have default configurations that enable UPnP. More seriously, if you deploy any SOHO-type router/firewalls, then you should definitely check these devices as well.

Here are some tips that can help formulate a plan-of-attack for assessing this issue:

#1. Make Sure That You Are Filtering Unsolicited UPnP
Surprisingly, Rapid7's research into this issue found that 2.2% of all public IPv4 addresses responded to UPnP discovery requests (approximately 81 million devices). Don't let this be you! Check your firewall rules and your configurations on WAN-side interfaces for any UPnP settings.

UPnP uses the following ports for service discovery:
Unicast UPnP Discovery Traffic = tcp/udp 1900
Multicast UPnP Discovery Traffic = 239.255.255.250:1900

(Also, Rapid7 offers a free online UPnP scan that will check whether your public IP address responds to UPnP service discovery requests.)

#2. Scan For Vulnerable UPnP Enabled Devices
For Windows users, there is a free scanning tool that will probe for devices that respond to service discovery requests and determine whether those devices are using an unpatched revision of UPnP.

Also, it is possible to scan for vulnerable devices in Metasploit using the steps listed below.

If the scans uncover known devices that may be vulnerable, then you will see response strings like the ones below:
MiniUPnPd ProcessSSDPRequest() Out of Bounds Memory Access Denial of Service
MiniUPnPd ExecuteSoapAction memcpy() Remote Code Execution
Portable SDK for UPnP Devices unique_service_name() Remote Code Execution
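To support tips #1 and #2, here is an added example (not code from the original post, Rapid7, or the scanning tool) that parses the HTTP-style SSDP responses a listener on udp/1900 would collect and turns them into an inventory: every responder is a host to review under tip #1, and any whose SERVER banner names one of the UPnP stacks in the advisory is flagged for a vendor patch check under tip #2. The sample responses, the IP addresses, and the banner substrings it matches are constructed assumptions; a match means "check with the vendor", not "confirmed vulnerable".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SSDP M-SEARCH responses (not real captures), as a
# listener on udp/1900 would receive them from devices on the network.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: upnp:rootdevice\r\n"
    b"USN: uuid:constructed-1::upnp:rootdevice\r\nSERVER: OS/1.0 UPnP/1.0 MiniUPnPd/1.0\r\n"
    b"LOCATION: http://192.0.2.10:5000/rootDesc.xml\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 Portable SDK for UPnP devices/1.6.6\r\n"
    b"LOCATION: http://192.0.2.20:49152/desc.xml\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nSERVER: Custom/2.0 UPnP/1.1\r\n"
    b"LOCATION: http://192.0.2.30:8080/d.xml\r\n\r\n",
    b"NOTHING LIKE HTTP",  # junk datagram; must be ignored, not crash the parser
]

# UPnP stacks named in the advisory. Assumed banner substrings: the exact
# patched version depends on the device firmware, so only flag for follow-up.
STACKS_OF_INTEREST = ("MiniUPnPd", "Portable SDK for UPnP")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an HTTP-over-UDP SSDP response into a lowercase header -> value map.

    Returns None for any datagram that is not an HTTP/1.x 200 response.
    """
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not re.match(r"HTTP/1\.[01] 200", lines[0]):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (host, note): host from LOCATION (IPv4 only), note from the SERVER banner."""
    location = headers.get("location", "")
    host = re.sub(r"^https?://", "", location).split("/")[0].split(":")[0] or "unknown"
    server = headers.get("server", "")
    for stack in STACKS_OF_INTEREST:
        if stack.lower() in server.lower():
            return host, f"check vendor patches: {stack} ({server})"
    return host, f"responds to SSDP; stack not recognised ({server or 'no SERVER header'})"


def inventory(responses: List[bytes]) -> List[Tuple[str, str]]:
    """Every parseable responder is listed; junk datagrams are dropped silently."""
    return [classify(h) for h in map(parse_ssdp_response, responses) if h is not None]
```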


#3. Disable UPnP or Check For Updates
If you discover devices that are vulnerable and you don't need UPnP, then disable it within the device and then scan it again to validate that it is off.

If you're stuck with UPnP, then check with the vendor for updates on new patch releases. A list of responding vendors can be found here:

Hope this is a helpful quick guide!

2 comments:

  1. Great post. Thank you for sharing.
    If you come to think of it, there are lots of vulnerabilities in every data security system, or they could be found by a smart IT guy. The question is how to protect important business data from being stolen? The answer is to consult with virtual data room companies in order to get quality service.

  2. Excellent script, it's perfect.
    Thank you for sharing.
    security-online.net