[REVS] UPnP Flawed Application



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



UPnP Flawed Application
------------------------------------------------------------------------


SUMMARY

"The <http://www.upnp.org/> UPnP architecture offers pervasive
peer-to-peer network connectivity of PCs of all form factors, intelligent
appliances, and wireless devices. The UPnP architecture is a distributed,
open networking architecture that leverages TCP/IP and the Web to enable
seamless proximity networking in addition to control and data transfer
among networked devices in the home, office, and everywhere in between."

So you feel safe with that shiny new Linksys, D-Link, or Netgear home
router of yours, don't you? Its firewall function is impenetrable, isn't it?
No, it's not. In fact, any program that has network access can change that,
regardless of the unbreakable password you've set on the device. Why?
Because these are UPnP enabled devices, and UPnP allows unauthenticated
access to view and modify your settings.

DETAILS

In order to understand this article, you must first understand how UPnP
works and what practical applications it serves. As defined by
www.streamium.com,

"Universal Plug and Play is making home networking simple for users. UPnP
offers network connectivity of PCs, intelligent appliances, and wireless
devices. UPnP leverages TCP/IP and the Web to enable control and data
transfer among networked devices in the home and around the home. UPnP
technology can be supported on essentially any operating system and works
with almost any type of physical networking media - wired or wireless. The
Universal Plug and Play is an industry initiative designed to enable
simple and robust connectivity among stand-alone devices and PCs from many
different vendors. Currently over 500 members have signed up, among them
Microsoft, Intel, Philips, Sony, Samsung and other companies."

In other words, UPnP attempts to make networking between your PC and any
network device simple. In many instances, it does just that. UPnP can be
found on some home lighting and automation systems, as well as quite a few
TCP/IP enabled security cameras.

For the first two, no major security is really needed, but the third
obviously has need for some security. What about your home router, the
gateway to the cyber playground? The only defense is that the UPnP
interface is on the LAN side. But what if you or a family member is fooled
into inadvertently clicking on an insidious hyperlink to a webpage that
exploits the latest Internet Explorer flaw? The process is simple, really:
a malicious user could write a program to send commands to the UPnP
interface, which is usually on the same port as the web interface.

The compromised computer will probably have all that information already
stored in its registry, and so the program could easily access it and
start commanding your router to lower its defenses. For instance, most
backdoor software will listen for requests from another computer. The
router should by default block any traffic from the outside that is
inbound to your computer.

However, if a malicious user sends UPnP commands to the router, he or she
could allow that inbound traffic to go right past the firewall function
and straight to your computer. The result: a compromised router will not
defend your system, leaving it wide open to the Internet.

Even worse, if an attacker wishes to attack a port that is blocked by your
ISP, such as 139 or 445, the attacker could use port forwarding to change
the WAN side port to something like 14934, thus providing you with even
less security than if you had not used the firewall/router device in the
first place.

You may be surprised, but this problem has been used by software like
LimeWire in order to allow protected systems to share files on p2p
networks. Here's how it works. The program (LimeWire in this scenario)
makes a request to your router that looks something like this:

GET /upnp/service/descrip.xml HTTP/1.1
User-Agent: LimeWire/4.8.1 Java/1.5.0_01
Host: 192.168.1.1
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded

Your router will then return a rather large XML list of the functions and
capabilities it has:

HTTP/1.0 200 OK
Server: UPnP/1.0 UPnP-Device-Host/1.0
Connection: close
Content-type: text/xml

<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <URLBase>http://192.168.1.1:80</URLBase>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Residential Gateway</friendlyName>
    <manufacturer></manufacturer>
    <manufacturerURL></manufacturerURL>
    <modelDescription>Residential Gateway</modelDescription>
    <modelName>Residential Gateway</modelName>
    <UDN>uuid:upnp-InternetGatewayDevice-1_0-00e09851be7c</UDN>
    <UPC>00000-00001</UPC>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
        <controlURL>/upnp/service/Layer3Forwarding</controlURL>
        <eventSubURL>/upnp/service/Layer3Forwarding</eventSubURL>
        <SCPDURL>/upnp/service/L3Frwd.xml</SCPDURL>
      </service>
    </serviceList>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <friendlyName>Residential Gateway</friendlyName>
        <manufacturer></manufacturer>
        <manufacturerURL></manufacturerURL>
        <modelDescription>Residential Gateway</modelDescription>
        <modelName>Residential Gateway</modelName>
        <modelNumber>1</modelNumber>
        <modelURL></modelURL>
        <serialNumber>0000001</serialNumber>
        <UDN>uuid:upnp-WANDevice-1_0-00e09851be7c</UDN>
        <UPC>00000-00001</UPC>
        <serviceList>
          <service>
            <serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
            <serviceId>urn:upnp-org:serviceId:WANCommonInterfaceConfig</serviceId>
            <controlURL>/upnp/service/WANCommonInterfaceConfig</controlURL>
            <eventSubURL>/upnp/service/WANCommonInterfaceConfig</eventSubURL>
            <SCPDURL>/upnp/service/WANCICfg.xml</SCPDURL>
          </service>
        </serviceList>
        <deviceList>
          <device>
            <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
            <friendlyName>Residential Gateway</friendlyName>
            <manufacturer></manufacturer>
            <manufacturerURL></manufacturerURL>
            <modelDescription>Residential Gateway</modelDescription>
            <modelName>Residential Gateway</modelName>
            <modelNumber>1</modelNumber>
            <modelURL></modelURL>
            <serialNumber>0000001</serialNumber>
            <UDN>uuid:upnp-WANConnectionDevice-1_0-00e09851be7c</UDN>
            <UPC>00000-00001</UPC>
            <serviceList>
              <service>
                <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
                <serviceId>urn:upnp-org:serviceId:WANIPConnection</serviceId>
                <controlURL>/upnp/service/WANIPConnection</controlURL>
                <eventSubURL>/upnp/service/WANIPConnection</eventSubURL>
                <SCPDURL>/upnp/service/WANIPCn.xml</SCPDURL>
              </service>
            </serviceList>
          </device>
        </deviceList>
      </device>
    </deviceList>
    <presentationURL>/home.htm</presentationURL>
  </device>
</root>
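As an added example (not part of the advisory, and not LimeWire's or any router vendor's code), the following Python walks a device description of the kind shown above and lists every advertised service with its control and SCPD URLs resolved against <URLBase>. A defender can run the same walk over a description fetched from a gateway to see whether a port-mapping service is reachable from the LAN; WANIPConnection and WANPPPConnection are the two IGD service types that carry AddPortMapping. The sample document is a trimmed, constructed copy of the listing above, and the fallback document URL is an assumed default.

```python
# Added example: walk a UPnP device description and list the services it
# advertises. Not code from the advisory, LimeWire, or any router vendor.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
# IGD service types whose actions include AddPortMapping/DeletePortMapping.
PORT_MAPPING_SERVICES = ("WANIPConnection", "WANPPPConnection")

# Constructed sample: a trimmed copy of the description shown above.
SAMPLE_DESCRIPTION = """<root xmlns="urn:schemas-upnp-org:device-1-0">
<URLBase>http://192.168.1.1:80</URLBase>
<device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<serviceList><service>
<serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
<controlURL>/upnp/service/Layer3Forwarding</controlURL>
<SCPDURL>/upnp/service/L3Frwd.xml</SCPDURL>
</service></serviceList>
<deviceList><device>
<deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
<serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
<controlURL>/upnp/service/WANCommonInterfaceConfig</controlURL>
<SCPDURL>/upnp/service/WANCICfg.xml</SCPDURL>
</service></serviceList>
<deviceList><device>
<deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/upnp/service/WANIPConnection</controlURL>
<SCPDURL>/upnp/service/WANIPCn.xml</SCPDURL>
</service></serviceList>
</device></deviceList>
</device></deviceList>
</device>
</root>"""


def _tag(name):
    return "{%s}%s" % (DEVICE_NS, name)


def _text(elem, name):
    child = elem.find(_tag(name))
    return (child.text or "").strip() if child is not None else ""


def enumerate_services(description_xml,
                       document_url="http://192.168.1.1/upnp/service/descrip.xml"):
    """Return one dict per <service>, descending through nested <deviceList>s.

    document_url is an assumed default: when a description carries no
    <URLBase>, UPnP resolves relative URLs against the document's own URL.
    """
    root = ET.fromstring(description_xml)
    base = _text(root, "URLBase") or document_url
    services = []

    def walk(device):
        device_type = _text(device, "deviceType")
        for svc in device.findall("./%s/%s" % (_tag("serviceList"), _tag("service"))):
            services.append({
                "device": device_type,
                "serviceType": _text(svc, "serviceType"),
                "controlURL": urljoin(base, _text(svc, "controlURL")),
                "SCPDURL": urljoin(base, _text(svc, "SCPDURL")),
            })
        for child in device.findall("./%s/%s" % (_tag("deviceList"), _tag("device"))):
            walk(child)

    top = root.find(_tag("device"))
    if top is not None:
        walk(top)
    return services


def port_mapping_services(services):
    """Keep only the services whose actions can open holes in the firewall."""
    return [s for s in services
            if any(name in s["serviceType"] for name in PORT_MAPPING_SERVICES)]


if __name__ == "__main__":
    for s in port_mapping_services(enumerate_services(SAMPLE_DESCRIPTION)):
        print("%s -> control at %s, actions described by %s"
              % (s["serviceType"], s["controlURL"], s["SCPDURL"]))
```

Running it against the sample prints the single WANIPConnection service with its absolute control URL; on a real gateway, any entry in that filtered list is a control endpoint that accepts port-mapping changes from any LAN host without a password, which is the exposure the advisory describes.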

Every service entry in this listing gives the attacker a location to work
from. The location following <SCPDURL> is the XML file that contains a
complete collection of the service's commands and variables. This document
acts like a textbook reference for your computer or for the attacker,
allowing either one to look up the commands it needs and use them
accordingly. Once the attacker has obtained it, he or she will look
through it for something like this:

<action>
  <name>GetGenericPortMappingEntry</name>
  <argumentList>
    <argument>
      <name>NewPortMappingIndex</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingNumberOfEntries</relatedStateVariable>
    </argument>
    <argument>
      <name>NewRemoteHost</name>
      <direction>out</direction>
      <relatedStateVariable>RemoteHost</relatedStateVariable>
    </argument>
    <argument>
      <name>NewExternalPort</name>
      <direction>out</direction>
      <relatedStateVariable>ExternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewProtocol</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalPort</name>
      <direction>out</direction>
      <relatedStateVariable>InternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalClient</name>
      <direction>out</direction>
      <relatedStateVariable>InternalClient</relatedStateVariable>
    </argument>
    <argument>
      <name>NewEnabled</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingEnabled</relatedStateVariable>
    </argument>
    <argument>
      <name>NewPortMappingDescription</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingDescription</relatedStateVariable>
    </argument>
    <argument>
      <name>NewLeaseDuration</name>
      <direction>out</direction>
      <relatedStateVariable>PortMappingLeaseDuration</relatedStateVariable>
    </argument>
  </argumentList>
</action>

The action shown above, GetGenericPortMappingEntry, returns the current
listing of port mappings, which can be used to determine which ports are
already reachable from the Internet. Below is what makes this even worse:

<action>
  <name>AddPortMapping</name>
  <argumentList>
    <argument>
      <name>NewRemoteHost</name>
      <direction>in</direction>
      <relatedStateVariable>RemoteHost</relatedStateVariable>
    </argument>
    <argument>
      <name>NewExternalPort</name>
      <direction>in</direction>
      <relatedStateVariable>ExternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewProtocol</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalPort</name>
      <direction>in</direction>
      <relatedStateVariable>InternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewInternalClient</name>
      <direction>in</direction>
      <relatedStateVariable>InternalClient</relatedStateVariable>
    </argument>
    <argument>
      <name>NewEnabled</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingEnabled</relatedStateVariable>
    </argument>
    <argument>
      <name>NewPortMappingDescription</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingDescription</relatedStateVariable>
    </argument>
    <argument>
      <name>NewLeaseDuration</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingLeaseDuration</relatedStateVariable>
    </argument>
  </argumentList>
</action>
<action>
  <name>DeletePortMapping</name>
  <argumentList>
    <argument>
      <name>NewRemoteHost</name>
      <direction>in</direction>
      <relatedStateVariable>RemoteHost</relatedStateVariable>
    </argument>
    <argument>
      <name>NewExternalPort</name>
      <direction>in</direction>
      <relatedStateVariable>ExternalPort</relatedStateVariable>
    </argument>
    <argument>
      <name>NewProtocol</name>
      <direction>in</direction>
      <relatedStateVariable>PortMappingProtocol</relatedStateVariable>
    </argument>
  </argumentList>
</action>

The two actions shown above, AddPortMapping and DeletePortMapping, allow
the attacker to create an XML file and perform an HTTP POST of that file to
the device, thereby adding or deleting a specific port mapping.
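The following Python is an added example, not the advisory's or LimeWire's code. It serves the two passages above on GetGenericPortMappingEntry and the earlier one on forwarding a filtered port to a different WAN port: it builds the read-only GetGenericPortMappingEntry request a UPnP client sends to the WANIPConnection control URL, parses the responses, and flags mappings of the kind the advisory warns about (an external port that differs from the internal one, or a forward onto 139 or 445). The three responses are constructed inline, two mappings followed by the SOAP fault a gateway returns once the index runs past its table, so nothing is sent on the network; the SOAPAction header and envelope layout are the standard UPnP control form, and the hosts, ports and descriptions are made up for the sample.

```python
# Added example: audit the port mappings a gateway reports through the
# read-only GetGenericPortMappingEntry action. Not the advisory's own code.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Ports the advisory names as normally filtered by the ISP.
SENSITIVE_INTERNAL_PORTS = {139, 445}


def build_get_entry_request(index):
    """Headers and SOAP body for GetGenericPortMappingEntry(index)."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="%s" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:GetGenericPortMappingEntry xmlns:u="%s">'
        '<NewPortMappingIndex>%d</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ) % (SOAP_NS, WANIP_NS, index)
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": '"%s#GetGenericPortMappingEntry"' % WANIP_NS,
    }
    return headers, body


def parse_entry_response(xml_text):
    """Return the mapping as a dict, or None on a SOAP fault (a gateway
    answers an index past the end of its table with UPnP error 713)."""
    root = ET.fromstring(xml_text)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None or body.find("{%s}Fault" % SOAP_NS) is not None:
        return None
    resp = body.find("{%s}GetGenericPortMappingEntryResponse" % WANIP_NS)
    if resp is None:
        return None
    fields = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "remote_host": fields.get("NewRemoteHost", ""),
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_port": int(fields["NewInternalPort"]),
        "internal_client": fields["NewInternalClient"],
        "enabled": fields.get("NewEnabled", "1") == "1",
        "description": fields.get("NewPortMappingDescription", ""),
        "lease_seconds": int(fields.get("NewLeaseDuration", "0") or 0),
    }


def collect_mappings(responses):
    """Walk the table at index 0, 1, 2 ... until the gateway faults."""
    mappings = []
    for text in responses:
        mapping = parse_entry_response(text)
        if mapping is None:
            break
        mappings.append(mapping)
    return mappings


def audit_mapping(mapping):
    """Reasons a mapping matches the advisory's warning; empty if it looks benign."""
    reasons = []
    if not mapping["enabled"]:
        return reasons
    if mapping["internal_port"] in SENSITIVE_INTERNAL_PORTS:
        reasons.append("forwards to sensitive internal port %d" % mapping["internal_port"])
    if mapping["external_port"] != mapping["internal_port"]:
        reasons.append("external port %d differs from internal port %d (sidesteps ISP filtering)"
                       % (mapping["external_port"], mapping["internal_port"]))
    return reasons


def _response(ext, proto, internal, client, desc):
    """Constructed response in the shape a WANIPConnection service returns."""
    return (
        '<s:Envelope xmlns:s="%s"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort>'
        '<NewProtocol>%s</NewProtocol><NewInternalPort>%d</NewInternalPort>'
        '<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>%s</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    ) % (SOAP_NS, WANIP_NS, ext, proto, internal, client, desc)


SOAP_FAULT_713 = (
    '<s:Envelope xmlns:s="%s"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
    '</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>'
) % SOAP_NS

# Constructed sample table: a normal LimeWire mapping, then the kind of
# mapping the advisory describes (WAN port 14934 forwarded onto port 445).
SAMPLE_RESPONSES = [
    _response(6346, "TCP", 6346, "192.168.1.50", "LimeWire"),
    _response(14934, "TCP", 445, "192.168.1.50", "svc"),
    SOAP_FAULT_713,
]

if __name__ == "__main__":
    for index, mapping in enumerate(collect_mappings(SAMPLE_RESPONSES)):
        print("entry %d: %s WAN %d -> %s:%d  %s" % (
            index, mapping["protocol"], mapping["external_port"],
            mapping["internal_client"], mapping["internal_port"],
            "; ".join(audit_mapping(mapping)) or "looks benign"))
```

Against a live gateway the loop would POST build_get_entry_request(i) to the WANIPConnection control URL for i = 0, 1, 2 ... and feed each reply to parse_entry_response until the 713 fault ends the table; running that from a LAN host periodically and diffing the result is a cheap way to notice a mapping that no legitimate program on the network asked for.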

This is clearly a dangerous flaw. What makes it worse is that this is an
industry standard, meaning that this flaw is universally widespread,
because devices of this nature must comply with this. In other words, they
must have this flaw or the product cannot officially be a UPnP product.

Solution:
The solution is simple: add some form of authentication to the UPnP
protocol for any request that alters the list of ports mapped to the
systems protected by the firewall/router. The authentication could be as
simple as adding a Negotiate: field to the standard request.


ADDITIONAL INFORMATION

The information has been provided by <mailto:theirishfellow@xxxxxxxxx>
David Ferril.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


