How Attackers Can And Will Exploit UPnP Flaws

Yesterday, some pretty serious flaws in a widely-used networking standard were uncovered. Researchers from security firm Rapid7 dug up various failings in Universal Plug and Play (UPnP), affecting tens of millions of Internet-connected devices, from Cisco and Netgear networking kit, to printers and IP CCTV cameras.

Rapid7 found 80 million public IP addresses responded to UPnP requests, effectively opening the door for attackers trying to find vulnerable systems.

It only seems inevitable systems will be hacked exploiting these weaknesses, if they haven’t been already. But to know your enemy is to be better prepared against their attacks. IT teams would do well to understand where hackers are looking for holes in UPnP.

We caught up with chief security officer of Rapid 7, HD Moore, who also created the Metasploit penetration testing tool, and now serves as Metasploit’s chief architect.

Moore  told us how attacks would go down…

UPnP exploitation

“To exploit these vulnerabilities, the attacker would first need to identify systems running vulnerable UPnP services. UPnP makes this easy by providing a discovery service over UDP port 1900.

“The attacker can use a number of standard tools to scan the target network and identify the IP addresses and software version of any UPnP enabled system.

“At this point, they would have a few options available:

1. If the SOAP [Simple Object Access Protocol] service is not exposed, the attacker can attempt to exploit one of the vulnerabilities found in the discovery service itself. This would require the attacker to build an exploit for that specific device and target software. This is time consuming and difficult, but once written, it could be used on any other device with the same software.
2. If the SOAP service is exposed, they can use standard UPnP tools such as Miranda or UMap to try to punch a hole in the firewall using the Internet Gateway Device (IGD) API. This would allow them to target internal machines such as desktops and file servers from the internet. A properly configured router should not accept SOAP requests from the external interface.
3. If the SOAP service is exposed, but the IGD profile is not available, they can investigate other device-specific functionality to steal data or access content. For example, some media servers will expose photo archives this way.
4. If the SOAP service is exposed, but no useful profiles are available, the SOAP implementation itself may be vulnerable to a buffer overflow or command injection flaw. The MiniUPnP software described in the Rapid7 whitepaper has a flaw in version 1.0. The attacker would need to write a working remote exploit for the specific device they are targeting. This is time consuming and difficult, but once written it could be used on any other device with the same software.

“To summarise, there are three paths an intruder could take:

• Attack the UPnP discovery service using one of the known vulnerabilities. At the moment this would require writing the exploit as part of the attack, but this will change once public exploits emerge.
• Attack the SOAP service using one of the known vulnerabilities. At the moment this would require writing the exploit as part of the attack, but this will change once public exploits emerge.
• Attack the SOAP service using intended functionality that was inadvertently exposed to the internet. This is the easiest option and can allow the attacker to go after other machines on the target network.

“If  the attacker is able to compromise the device using the UPnP discovery or SOAP services, they would be able to steal data, sniff traffic, and target other systems on the network. In the case of home routers, they would be able to force users accessing the internet to visit a page laden with malware instead of their real destination.”

Think you know security? Test yourself with our quiz!