UPnP vulnerabilities

From Embedded Lab Vienna for IoT & Security
Revision as of 17:30, 8 January 2023 by LPuehringer (talk | contribs)

Summary

This article describes how UPnP works and what vulnerabilities it has, highlighting in particular the CallStranger and Flash attacks.

UPnP

Universal Plug and Play (UPnP) is a stack of established protocols, managed since 2016 by the Open Connectivity Forum, whose purpose is to offer services in the network automatically, without configuration by the user. These services range from editing port mappings on a router to switching a heater on or off. To be a complete UPnP device, a device must go through a number of steps.

UPnP Protocol Stack.png[1]

  1. Addressing
    As soon as a device is connected to the network, it searches for a DHCP server for an IP address; if none is found, it assigns itself one by means of Auto-IP.

  2. Discovery
    After an address has been obtained, the device must announce its presence to the network. This is done via an advertisement, which uses HTTPMU on the address 239.255.255.250:1900 with the method NOTIFY and the NTS header field set to ssdp:alive. In addition, control points can search specifically for devices or services by means of a discovery request using the method M-SEARCH. A device responds to a discovery request with an HTTP 200 message.

  3. Description
    The discovery response carries a Location header field containing the URL of the UPnP Device Description, which holds vendor-specific information and a list of all services together with their service description URLs. The Service Description describes the actions offered by the device, their arguments, status variables and event characteristics. Both documents must conform to the UPnP template language, an XML syntax defined by the UPnP Forum.

  4. Control
    A control point uses the services of a UPnP device by invoking their actions with arguments via an action invocation. This is done using SOAP: an XML SOAP envelope containing the action and its arguments is transmitted in an HTTP POST.

  5. Eventing
    UPnP uses an asynchronous publisher/subscriber model to communicate changes of status variables to control points. For this purpose GENA is used, which, like SOAP, uses HTTP and XML as underlying technologies.

  6. Presentation
    This is an optional step that a vendor can implement so that the device can be controlled and managed via a web interface.
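The discovery and description steps above, worked through in code. This is an added example, not code from the original article: it builds the M-SEARCH request a control point multicasts, parses a constructed SSDP 200 reply to find the Location header, and extracts each service's SOAP control URL and GENA event URL from a constructed device description (all sample data, addresses and URLs are made up for the example).

```python
from xml.etree import ElementTree as ET

SSDP_ADDR, SSDP_PORT = "239.255.255.250", 1900
NS = {"u": "urn:schemas-upnp-org:device-1-0"}

def build_msearch(st="ssdp:all", mx=2):
    """Build the HTTPMU M-SEARCH request a control point multicasts to 239.255.255.250:1900."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_response(raw):
    """Parse the unicast HTTP/1.1 200 OK reply to M-SEARCH into lower-cased headers."""
    lines = raw.decode(errors="replace").partition("\r\n\r\n")[0].split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines instead of crashing on them
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_device_description(xml_text):
    """List each service's type, SOAP controlURL and GENA eventSubURL from a device description."""
    root = ET.fromstring(xml_text)
    return [{tag: svc.findtext(f"u:{tag}", default="", namespaces=NS)
             for tag in ("serviceType", "controlURL", "eventSubURL")}
            for svc in root.iterfind(".//u:service", NS)]

# Constructed sample reply in the format a LAN device sends (not captured from a real device).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                   b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
                   b"ST: upnp:rootdevice\r\nUSN: uuid:example-0001::upnp:rootdevice\r\n\r\n")

# Constructed sample device description (what LOCATION would point to), trimmed to one service.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    <controlURL>/ctl/IPConn</controlURL>
    <eventSubURL>/evt/IPConn</eventSubURL>
  </service></serviceList>
</device></root>"""

if __name__ == "__main__":
    print(build_msearch().decode())
    hdrs = parse_ssdp_response(SAMPLE_RESPONSE)
    print("description at:", hdrs["location"])
    for svc in parse_device_description(SAMPLE_DESCRIPTION):
        print(svc)
```

Note that nothing in this exchange authenticates the device or the control point: whoever can reach the controlURL can invoke the service's actions, which is the design weakness the following sections build on.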

Security in UPnP

There are many known vulnerabilities and security risks in the UPnP standard. On the Common Vulnerabilities and Exposures (CVE) website, 130 different known vulnerabilities can be found with the keyword "UPnP". Some state institutions, such as the FBI, have also publicly recommended disabling UPnP altogether; the reason, according to the FBI web page, is that there are UPnP exploits which allow access to various IoT devices. It is not only these known vulnerabilities that make security such an important issue with UPnP: the standard also has general weaknesses by design. In some steps of UPnP networking there is no verification, integrity check or access control. There are also UPnP SDKs which can be exploited. In general, security and authentication are not provided by default under UPnP. For this reason UPnP devices should not be connected directly to the Internet or otherwise be reachable from outside the local network. However, a certain level of security and authentication is available under UPnP as an add-on service, namely the Device Protection profile and the security mechanism of the two profiles Device Security and Security Console. These provide security through role management and authentication.

CallStranger Attack

CVE-2020-12695 is a vulnerability in the UPnP 1.1 architecture, specifically in the CALLBACK header of the SUBSCRIBE function. This header tells the device where to send its event messages. According to the UPnP specification, several URLs can be given, which the device tries in order until one is accepted. Because of this oversight, an attacker can:

  • exfiltrate data
  • launch denial of service attacks
  • scan internal ports

However, only devices whose UPnP subscription function is externally accessible are affected, not those that are reachable only within a local network. This vulnerability no longer exists in UPnP 2.0, since the callback header only accepts private IP addresses.
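The mitigation described above, as an added example that is not part of the original article: a device-side check that parses the CALLBACK header of a SUBSCRIBE request and accepts only http URLs with a literal IP address inside the device's own subnet. This goes slightly beyond the page's "private addresses only" rule (it also rejects other internal subnets and DNS names, since a hostname could resolve anywhere), and the subnet, request and URLs are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# CALLBACK carries one or more angle-bracketed URLs, e.g. <http://192.168.1.50:8080/notify><http://...>
_CALLBACK_URL = re.compile(r"<([^>]+)>")

def parse_callback(header_value):
    """Split a GENA CALLBACK header into its URLs, in the order a device would try them."""
    return _CALLBACK_URL.findall(header_value)

def callback_allowed(url, local_network):
    """Accept a callback URL only if it is http, names a literal IP, and that IP is in our own subnet."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # a DNS name could resolve anywhere (and change later), so refuse it outright
    return addr in local_network  # stricter than "any private address": no other subnets, no loopback

def filter_callbacks(header_value, local_network):
    """Return (accepted, rejected) URL lists for a SUBSCRIBE request's CALLBACK header."""
    accepted, rejected = [], []
    for url in parse_callback(header_value):
        (accepted if callback_allowed(url, local_network) else rejected).append(url)
    return accepted, rejected

def check_subscribe(raw_request, local_network):
    """Pull the CALLBACK header out of a raw SUBSCRIBE request and filter it; returns (accepted, rejected)."""
    for line in raw_request.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "callback":
            return filter_callbacks(value.strip(), local_network)
    return [], []  # no CALLBACK header at all: nothing to deliver events to

# Constructed sample: the device's own subnet and a SUBSCRIBE request whose second callback
# points outside the LAN (the pattern CallStranger abuses for exfiltration and DoS).
SAMPLE_LAN = ipaddress.ip_network("192.168.1.0/24")
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /evt/IPConn HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.5/collect>\r\n"
    "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n"
)

if __name__ == "__main__":
    ok, bad = check_subscribe(SAMPLE_SUBSCRIBE, SAMPLE_LAN)
    print("deliver events to:", ok)
    print("rejected callbacks:", bad)
```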

Upnp callstranger.jpg[2]

UPnP Flash Attack

Adobe Flash can load external data using the URLRequest method. This attack uses that method to perform UPnP discovery requests or action invocations on the local network of the victim who has run the Flash program. In principle, an attacker could use this vector for all UPnP operations. One example would be adding a port mapping to an external IP on an Internet gateway device, giving a malicious actor access to the local network.

Mirai Botnet

A real-world example of a large-scale UPnP attack is the Mirai botnet, which was discovered in 2018. In this attack, hundreds of thousands of routers on the Internet were scanned, and the attack software searched for exposed Telnet ports that had been opened by UPnP. The attackers brute-forced the devices' default passwords and added the devices to the botnet. The botnet was then used to launch large-scale DDoS attacks which took down some target servers. A simplified depiction of a DDoS attack with the Mirai botnet can be seen in the picture below.

Mirai-botnet-diagram.png[3]

Courses

References