UPnP Flawed Application

Summary

"The UPnP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. The UPnP architecture is a distributed, open networking architecture that leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between."

So you feel safe with that shiny new Linksys, D-Link, or Netgear home router of yours, don't you? Its firewall function is impenetrable, isn't it? No, it's not. In fact, any program that has network access can change that, regardless of the unbreakable password you've set on the device. Why? Because they are UPnP-enabled devices, and UPnP allows unauthenticated access to view and modify your settings.

Credit:

The information has been provided by David Ferril.


Details

In order to understand this article, you must first understand how UPnP works and what practical applications it serves. As defined by www.streamium.com:

"Universal Plug and Play is making home networking simple for users. UPnP offers network connectivity of PCs, intelligent appliances, and wireless devices. UPnP leverages TCP/IP and the Web to enable control and data transfer among networked devices in the home and around the home. UPnP technology can be supported on essentially any operating system and works with almost any type of physical networking media, wired or wireless. Universal Plug and Play is an industry initiative designed to enable simple and robust connectivity among stand-alone devices and PCs from many different vendors. Currently over 500 members have signed up, including Microsoft, Intel, Philips, Sony, Samsung and other companies."

In other words, UPnP attempts to make networking between your PC and any network device simple. In many instances, it does just that. UPnP can be found on some home lighting and automation systems, as well as quite a few TCP/IP enabled security cameras.

For the first two, no major security is really needed, but the third obviously does need some. What about your home router, the gateway to the cyber playground? Its only defense is that the UPnP interface sits on the LAN side. But what if you or a family member is fooled into inadvertently clicking an insidious hyperlink to a web page that exploits the latest Internet Explorer flaw? The process is simple, really: a malicious user could write a program that sends commands to the UPnP interface, which is usually on the same port as the web interface.

The compromised computer will probably already have all that information stored in its registry, so the program could easily read it and start commanding your router to lower its defenses. For instance, most backdoor software listens for requests from another computer, and by default the router should block any inbound traffic from the outside to your computer.

However, if a malicious user sends UPnP commands to the router, he or she can let that inbound traffic go right past the firewall function and straight to your computer. The result: a compromised router will not defend your system, leaving it wide open to the Internet.

Even worse, if an attacker wishes to reach a port that is blocked by your ISP, such as 139 or 445, the attacker could use port forwarding to map it to a different WAN-side port such as 14934, leaving you with even less security than if you had not used the firewall/router device in the first place.

You may be surprised, but this behaviour is already used by software like LimeWire to let protected systems share files on P2P networks. Here's how it works. The program (LimeWire in this scenario) makes a request to your router that looks something like this:

GET /upnp/service/descrip.xml HTTP/1.1
User-Agent: LimeWire/4.8.1 Java/1.5.0_01
Host: 192.168.1.1
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded

Your router will then return a rather large XML list of the functions and capabilities it has:

HTTP/1.0 200 OK
Server: UPnP/1.0 UPnP-Device-Host/1.0
Connection: close
Content-type: text/xml

<?xml version="1.0"?>
<root>
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <URLBase>http://192.168.1.1:80</URLBase>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Residential Gateway</friendlyName>
    <manufacturer></manufacturer>
    <manufacturerURL></manufacturerURL>
    <modelDescription>Residential Gateway</modelDescription>
    <modelName>Residential Gateway</modelName>
    <UDN>uuid:upnp-InternetGatewayDevice-1_0-00e09851be7c</UDN>
    <UPC>00000-00001</UPC>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
        <controlURL>/upnp/service/Layer3Forwarding</controlURL>
        <eventSubURL>/upnp/service/Layer3Forwarding</eventSubURL>
        <SCPDURL>/upnp/service/L3Frwd.xml</SCPDURL>
      </service>
    </serviceList>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <friendlyName>Residential Gateway</friendlyName>
        <manufacturer></manufacturer>
        <manufacturerURL></manufacturerURL>
        <modelDescription>Residential Gateway</modelDescription>
        <modelName>Residential Gateway</modelName>
        <modelNumber>1</modelNumber>
        <modelURL></modelURL>
        <serialNumber>0000001</serialNumber>
        <UDN>uuid:upnp-WANDevice-1_0-00e09851be7c</UDN>
        <UPC>00000-00001</UPC>
        <serviceList>
          <service>
            <serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
            <serviceId>urn:upnp-org:serviceId:WANCommonInterfaceConfig</serviceId>
            <controlURL>/upnp/service/WANCommonInterfaceConfig</controlURL>
            <eventSubURL>/upnp/service/WANCommonInterfaceConfig</eventSubURL>
            <SCPDURL>/upnp/service/WANCICfg.xml</SCPDURL>
          </service>
        </serviceList>
        <deviceList>
          <device>
            <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
            <friendlyName>Residential Gateway</friendlyName>
            <manufacturer></manufacturer>
            <manufacturerURL></manufacturerURL>
            <modelDescription>Residential Gateway</modelDescription>
            <modelName>Residential Gateway</modelName>
            <modelNumber>1</modelNumber>
            <modelURL></modelURL>
            <serialNumber>0000001</serialNumber>
            <UDN>uuid:upnp-WANConnectionDevice-1_0-00e09851be7c</UDN>
            <UPC>00000-00001</UPC>
            <serviceList>
              <service>
                <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
                <serviceId>urn:upnp-org:serviceId:WANIPConnection</serviceId>
                <controlURL>/upnp/service/WANIPConnection</controlURL>
                <eventSubURL>/upnp/service/WANIPConnection</eventSubURL>
                <SCPDURL>/upnp/service/WANIPCn.xml</SCPDURL>
              </service>
            </serviceList>
          </device>
        </deviceList>
      </device>
    </deviceList>
    <presentationURL>/home.htm</presentationURL>
  </device>
</root>

Each of the service entries above, in particular the controlURL and SCPDURL elements, gives the attacker a location to target. The document at the SCPDURL is the XML file that contains the complete collection of the service's commands and variables. It acts like a textbook reference for your computer or for the attacker, allowing either one to look up the commands it needs and use them accordingly. Once the attacker has obtained it, he will look through the document for something like this:

<action>
  <name>GetGenericPortMappingEntry</name>
  <argumentList>
    <argument>
      <name>NewPortMappingIndex</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingNumberOfEntries</relatedStateVariable>
    </argument>
    <argument>
      <name>NewRemoteHost</name>
      <direction>out</direction>
      <relatedStateVariable>RemoteHost</relatedStateVariable>
    </argument>
    <argument>
      <name>NewExternalPort</name>
      <direction>out</direction>
      <relatedStateVariable>ExternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewProtocol</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalPort</name>
      <direction>out</direction>
      <relatedStateVariable>InternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalClient</name>
      <direction>out</direction>
      <relatedStateVariable>InternalClient</relatedStateVariable>
    </argument>
    <argument>
      <name>NewEnabled</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingEnabled</relatedStateVariable>
    </argument>
    <argument>
      <name>NewPortMappingDescription</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingDescription</relatedStateVariable>
    </argument>
    <argument>
      <name>NewLeaseDuration</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingLeaseDuration</relatedStateVariable>
    </argument>
  </argumentList>
</action>

The GetGenericPortMappingEntry action above returns the current list of port mappings, which can be used to determine which ports are already reachable from the Internet. Below is what makes this even worse:

<action>
  <name>AddPortMapping</name>
  <argumentList>
    <argument>
      <name>NewRemoteHost</name>
      <direction>in</direction>
      <relatedStateVariable>RemoteHost</relatedStateVariable>
    </argument>
    <argument>
      <name>NewExternalPort</name>
      <direction>in</direction>
      <relatedStateVariable>ExternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewProtocol</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalPort</name>
      <direction>in</direction>
      <relatedStateVariable>InternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalClient</name>
      <direction>in</direction>
      <relatedStateVariable>InternalClient</relatedStateVariable>
    </argument>
    <argument>
      <name>NewEnabled</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingEnabled</relatedStateVariable>
    </argument>
    <argument>
      <name>NewPortMappingDescription</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingDescription</relatedStateVariable>
    </argument>
    <argument>
      <name>NewLeaseDuration</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingLeaseDuration</relatedStateVariable>
    </argument>
  </argumentList>
</action>
<action>
  <name>DeletePortMapping</name>
  <argumentList>
    <argument>
      <name>NewRemoteHost</name>
      <direction>in</direction>
      <relatedStateVariable>RemoteHost</relatedStateVariable>
    </argument>
    <argument>
      <name>NewExternalPort</name>
      <direction>in</direction>
      <relatedStateVariable>ExternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewProtocol</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
    </argument>
  </argumentList>
</action>

The AddPortMapping and DeletePortMapping actions above allow the attacker to build an XML request and HTTP POST it to the service's controlURL, thereby adding or deleting a specific port mapping.
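As an added example (this is not the author's code, nor part of any real UPnP library), here is a small Python 3.8+ audit script built on the descriptor and actions shown above: it walks the nested deviceList tree to find the WANIPConnection controlURL, builds the read-only GetGenericPortMappingEntry request, and flags a mapping of the exact kind the article describes (external port 14934 forwarded to internal port 445). The descriptor and the SOAP reply are constructed samples, and the namespace-tolerant lookup goes slightly beyond the page, whose descriptor omits the usual device-1-0 default namespace.

```python
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
RISKY_INTERNAL = {135, 137, 138, 139, 445}   # NetBIOS/SMB ports the article warns about

# Constructed sample: a cut-down copy of the gateway description shown above.
DEVICE_DESC = """<root><URLBase>http://192.168.1.1:80</URLBase><device>
<deviceList><device><deviceList><device>
<serviceList><service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/upnp/service/WANIPConnection</controlURL></service></serviceList>
</device></deviceList></device></deviceList></device></root>"""

# Constructed sample: the SOAP reply a gateway sends for GetGenericPortMappingEntry index 0.
MAPPING_REPLY = f"""<s:Envelope xmlns:s="{SOAP}"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>14934</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>445</NewInternalPort><NewInternalClient>192.168.1.100</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>LimeWire</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

def find_control_url(desc_xml, service_type=WANIP):
    """Walk every nested deviceList; {*} also tolerates the device-1-0 default namespace."""
    root = ET.fromstring(desc_xml)
    base = root.findtext("{*}URLBase", "").rstrip("/")
    for svc in root.iterfind(".//{*}service"):      # iterfind descends through all levels
        if svc.findtext("{*}serviceType") == service_type:
            return base + svc.findtext("{*}controlURL")
    return None

def soap_get_mapping(index):
    """Body of the read-only GetGenericPortMappingEntry action (POSTed to the controlURL)."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def audit_mapping(reply_xml):
    """Parse one mapping reply and list the reasons a defender should care about it."""
    r = ET.fromstring(reply_xml).find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    m = {c.tag: c.text or "" for c in r}
    ext, inner = int(m["NewExternalPort"]), int(m["NewInternalPort"])
    issues = []
    if inner in RISKY_INTERNAL:
        issues.append(f"internal port {inner} exposed to the Internet")
    if ext != inner:
        issues.append(f"external {ext} remapped to {inner}: sidesteps ISP port blocks")
    if m["NewLeaseDuration"] == "0":
        issues.append("permanent lease: mapping outlives the program that made it")
    return m["NewInternalClient"], issues
```

Run against a real gateway, the script would loop soap_get_mapping(0), (1), ... until the device returns a SOAP fault for an index past the last entry.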

This is clearly a dangerous flaw. What makes it worse is that it is part of an industry standard, meaning the flaw is universally widespread: devices of this kind must comply with the standard, so they must have this flaw or the product cannot officially be a UPnP product.

Solution:

The solution is simple: add some form of authentication to the UPnP protocol for any request that alters the list of ports mapped to the systems protected by the firewall/router. The authentication could be as simple as adding a Negotiate: field to the standard request.
