UPnP Mapping

Formal Metadata

Title: UPnP Mapping
Number of Parts: 122
Author: Daniel Garcia
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Universal Plug and Play (UPnP) is a technology developed by Microsoft in 1999 as a solution for NAT traversal (among other things). This talk explores the exploitation of port mapping services in UPnP/IGD devices from the WAN. It also covers a tool called Umap that helps process the UPnP requests. Attacking UPnP allows attackers to use devices as a proxy that can establish connections to internal and external IP addresses. The software allows scanning internal hosts behind the device's NAT, manual port mapping (WAN to LAN, WAN to WAN) and a SOCKSv4 proxy service that automatically maps requests to UPnP devices. Most UPnP attacks have focused on exploiting UPnP from the LAN side of the device; this talk focuses on attacking from the WAN side. Attackers can use these techniques to hide IP addresses and attack internal hosts behind common household gateway devices.

Daniel Garcia (FormateZ on Undernet) is a security researcher/consultant with 15+ years of experience in security. He also founded Toor, a security consultant group that focuses on penetration testing, secure architectures and application assessments. Aside from security, he has also worked with numerous projects and platforms like DOCSIS, WiMAX, Wi-Fi (city-wide), PLC and DHE.
Transcript: English (auto-generated)
Thank you for being here. As you probably suspect by now, I'm gonna be talking about UPnP and UPnP mapping. This is a turbo talk, so obviously this is gonna be a little fast. I'm gonna try to go into as much detail as I can, but any other questions or whatever, you can just go to the Q&A and I'll answer any questions. So let's do a brief introduction. Who am I? Not very important, but I'm a security researcher. I started working with security at the tender age of 14. I used to hang out on the internet and work with ISPs back in the Dominican Republic, which is where I'm from, cable companies and all that. So that's that.

What is UPnP? UPnP is Universal Plug and Play. Universal Plug and Play is a technology made by the UPnP Forum, which is a code name for Microsoft. They made it back in 1999, and the name probably gave it away that it was something made by Microsoft. The point of UPnP is to make devices work seamlessly, be it connectivity devices or networking devices or media devices. There are also other devices that can be used, but mostly that's what UPnP is used for. So as you probably suspect, making devices work seamlessly is not a very good idea, or it's a good idea, but it's not very possible. So we're gonna talk specifically about IGDs, or the part of UPnP that works with networking devices. As you probably suspect, to make the network devices work seamlessly, you need NAT traversal. How many of you were... raise your hands if you were in the Dan Kaminsky talk? All right. So you probably get the idea, or the basic idea.
Basically, a device on the LAN uses UPnP to automatically add port mappings on the device so that external devices can access the LAN, which is a great idea, but as you will see, it's not that great if you make it like UPnP does. So IGDs are basically found mostly on DSLs and some other devices. Cable modems, not that much, because cable modems usually are bridged, but if something is routing and doing PPP, it's probably doing IGD. So, big question, and I've been working with Dan Kaminsky on this one, on how many IGD devices are on the WAN. And a shitload. I mean, it's amazing. We thought we would have a minority of the devices on the net, but I have personally seen half a million devices across different countries open and accepting UPnP requests.

So let me, first of all, explain a little bit of how UPnP works briefly. Basically, you start with a discovery process which relies on multicast UDP. It sends a multicast UDP and any device listening replies back with a unicast UDP. This unicast UDP, probably you can't read it very well, but it's in the white paper. It describes or points out a location, which is just an XML file describing the different services and devices available to execute on that UPnP device. After you get that unicast, which is the blue part, the yellow part, you get to the green part with this, which is unicast TCP. Basically, it's SOAP requests, and after that, after you get the description of the device through XML, you send a SOAP request which maps a port. You probably can't see it either, but over here you have different arguments that you can use, like lease duration of the port mapping, internal client, external port, and remote host. Basically, your basic port mapping arguments.
So let's do a bit of the UPnP hacking timeline. It started in 2001. Cam from FDU Security, he found a couple of denial of service attacks for the Windows XP stack. Obviously, UPnP was implemented in Windows XP first. Microsoft wanted to promote the technology. Then in 2001, again, eEye published buffer overflows for the same stack. You probably remember that one. It was pretty popular. Then in 2003, Björn Stickler talked about UPnP information disclosure. Now, there's not a lot of information that's being thrown out by UPnP, but it's enough. It's not that good. You'll see with the demo how much information we can get. And then in 2006, Armijn Hemel, that's a typo over there with the R missing, he started publishing UPnP hacks on the site upnp-hacks.org. And he's basically, let's say, like one of the fathers of UPnP hacking. He has examined all the UPnP stacks and described which stacks allow some actions and whatnot. Then in 2008, we had an attack by GNUCitizen, which was pretty smart. They basically relied on the clients, internal clients of a network, sending SOAP through JavaScript.
And basically, the purpose of that was opening the web administration port of clients that access sites and such. So what are the main problems of UPnP? Well, first of all, it uses the words plug and play. I don't know if you guys remember Windows and IDN and plug and play and the whole idea. It didn't work. I mean, it's not rocket science. And every time I see plug and play anywhere, I just have to look it up, because I don't wanna go through the same nightmare that we went through in the early or late 90s. So the other thing with plug and play, it's a pretty nice idea. We would love to have things plug and play, but it doesn't work well with security. I mean, you can't have secure devices being plug and play. I mean, you need to authenticate something, you need to ask questions and all that. Well, that's one of the main problems of UPnP too. UPnP has no authentication whatsoever at all. In fact, the only way they consider an entity that could actually execute commands is just if they have an IP assigned, which is ridiculous. I mean, it's like DEFCON sitting down and saying, oh, how are we gonna let people in? How would we know who we would let in? And then someone said, if they exist, they can come in, which is ridiculous. I mean, don't even go through it.
After that, the other problem is that most stacks do not validate data. And what we mean by this is that, first of all, UPnP was made or designed for LAN use only. And that's not true, unfortunately. But not only that, port mappings were designed to work for internal hosts that wanted to traverse the NAT and add port mappings. So in this case, most stacks, or a lot of stacks, do not check if the internal IP is actually on the LAN or internal. So what that actually allows us is to stick any IP that we want in that port mapping. So if I wanna say, add a port mapping at the device pointing to an Amazon IP, port 80, it's doable in most devices, which is also a little bit weird. The other problem is, as I was saying, UPnP was designed for LAN use, and most, or a lot of, devices allow indiscriminate WAN requests.
I mean, requests of UPnP actions coming from the WAN, which doesn't make any sense. In fact, the UPnP protocol says not to do that. To be precise, the IGD version one protocol says specifically it's not recommended to do that. And to give them credit though, on the IGD version two paper, they put that sentence in caps. So I guess they're making a better point now. And on the other hand, we have devices that don't even log UPnP requests. I mean, we can play with it, do whatever we want with it, and no one will ever see it, because the device doesn't have the capacity of logging it, which is also a bit weird. There are also tons of other problems. We have command execution on some stacks. And as you saw, denial of service and buffer overflows. In fact, denial of service is so bad that when I was programming Umap, or the tool I'm gonna showcase, I accidentally crashed my modem like a thousand times and I didn't even do anything. I'm just sending bad requests and the device will go dead.
So the devices affected so far. We don't know yet how many devices are affected, but obviously some vendors have taken into account what's been going on. And we have Linksys, Edimax, Sitecom, Broadcom, which is not listed here. But the most common stack on the net which is vulnerable is the SpeedTouch, or Thomson, or now Technicolor stack. We have devices roaming around the net in big amounts.

So Umap, the tool, what is it? First of all, it's a SOCKS proxy server that forwards or pipes the requests through UPnP devices. I'm gonna explain it a little bit better and a little bit further down the road. It's also a TCP/UDP scanner for hosts behind the IGD NAT.
Basically, we can scan the services of the hosts inside the NAT from outside. And also a manual port mapper for UPnP devices. So how does it work? As I explained at the first part of the presentation, UPnP relies on multicast. So that is not a very good scenario for WAN requests or search. Obviously, we can't use multicast on the WAN. So basically, what we do is we skip that part completely and we just go on to fetching the XML description files, so the locations. It's pretty simple. It's like fetching HTTP files, not that big of a deal. And then it also uses the control part of the UPnP protocol, which is actually what executes the actions or the commands that UPnP allows on devices.
So here's a flow diagram of more or less how Umap works. It basically takes a list of IPs and starts scanning for open control points or UPnP devices. Once it receives a SOCKS request, if it has a positive UPnP device, it attempts to add the port mapping. Then it opens the connection and pipes the connection through to the SOCKS request, or the client that's making the SOCKS request. And after that, it attempts to delete the port mapping. And this is very needed on UPnP, because UPnP does not allow an infinite amount of port mappings. Actually, some devices allow as little as 10 port mappings at a time.
So if we actually did a port mapping for every connection, we wouldn't have a very accurate or a very good connection. So we also have the part of scanning the internal hosts. And basically, it also checks for open control points. Then it tries to guess the IP, or the internal LAN block that's being used. It adds a port mapping for each internal IP. Let's say if I want to scan port 21 of all the hosts on the inside of the LAN, it starts adding port mappings for 10.0.0.1 and 21, and then tries to map it to an external port. And then the program tries to check if that port is open on the external port on the WAN IP. If it's open, obviously, you can establish the connection to the internal host and the internal services. And also, it does the deletion of the port mapping.

So what are the cons with UPnP mapping? A lot. First of all, the UPnP stacks are buggy and unstable.
It was kind of hard, or not that hard, programming Umap. The one being distributed on the CDs is very... it's very buggy. So I would suggest just downloading the new version when I release it tonight on the site. But basically, UPnP stacks, even though they're supposed to be on a standard, they don't behave on the standard. And they have minor differences. The other thing is that obviously, we have limited bandwidth, because we're relying on the upload bandwidth of the devices. And also, we have problems with protocols that have a heavy amount of connections. I mean, we can use UPnP mapping for, maybe, mapping ports for SSH, maybe some web requests. But if you get something like torrent or whatever, obviously, it won't work that well. I mean, if we have only a limit of 150 or 200 mappings at a time, it's just not gonna work. And the other thing is that some devices, even though they report that they open the port, they don't. They say everything's okay, 200 OK, and everything in the reply.
But when you go and try to connect to the port, you have nothing. So that's obviously not very good. So let's do a little demo of Umap. And let's go for the proxy mode. See if I can get this to work. I had to modify Umap so that the real IPs don't show, because I don't want my ass thrown in jail and raped. So when you get the real version though, you can have all the fun you want. Shouldn't matter. In fact, there's also an issue on if this is... it's obviously maybe could be illegal, but not that much, because it's the same idea as an open proxy. It's just someone that has a badly configured device on the net that's allowing people to forward traffic. Obviously, you're not authorized for doing port mappings, but it's not actually breaking into the device. So maybe I won't get my ass thrown in jail. So here we go. I'm just gonna scan a standard IP block and it should start running right away. I don't know if you can see it back there. Can you? All right. So on the right hand here, we have the positive IPs. And as you can see here, we have a lot of details that come out from the device. First of all, we can get the serial number from the device, the model number, who makes it, and the MAC address of the device. This obviously would help also for those devices that come with WEP keys tied to the serial number and all that, so that's not good either. So not only that, we also have a group of commands that we can execute on any device. And let me remind you that we are scanning a random block somewhere and it's not... I mean, we're not doing any tricks. So here are the commands that we can execute. There are not a lot of interesting commands, well, maybe or maybe not. So we have the first part that's not in bold, and those are the commands that are actually advertised by the device.
Now, the ones that are on the bottom are the ones that are not advertised by the device. Obviously, we wanted to try just in case, as every hacker would do, and it works. I mean, even if the device doesn't advertise this command, you can still execute the command. So for example, if I wanna check out what's the upload and download bandwidth for this device, I could just execute, and here we go. We get that this device is running an upstream of 350 something and a downstream of two megs, which is pretty convenient if you wanna use it for a SOCKS proxy and you wanna know what kind of bandwidth or latency you've been using. And we also have other commands like ForceTermination. I assure you, ForceTermination is not for a contract or anything. It will actually close down the device and close down the connection. So I don't think denial of service is even a big deal, because if you have a command that actually turns off the device, what's the point? I mean, we don't need denial of service. We just have to turn it off. So we also have other commands like AddPortMapping, which is basically what Umap uses for connections. And we also have these other commands like GetUserName and GetPassword, and they actually work. Now, on the bright side, the username and the password they're talking about are not for the administration interface, but the PPP authentication username and password. Now, this is maybe not that bad for some guys, because I mean, there's not much you can do with it. But unfortunately, some providers use the customer number as a username for the PPP device. So that would also do something that you don't want to, and get you some information that you shouldn't have. Let me hit another command. Let's see if the username works. There you go, that's a username for the PPP of that device, which is also very weird.
So on to the more important stuff. Let's go for... what I've set up is this: Umap is actually scanning, and it opens up a SOCKS port, and you can send the request and it will map it through to that IP that I've selected. We can test it right here. I've set up a page to show this mapping, and let's see if it works. Remember that UPnP usually is very buggy and unreliable. And there it goes, it works. Now we have a very disturbing image of Bill Gates over there. But as you can see, we have the IP over there. You can test that URL out if you want to, and you can see that it'll point out the IP you're working at. If you can see in Umap, this is the IP we have selected. Now if I want to just use another device, like the one below, 244.6, then it should work too. Let's see, there we go. In fact, we can go on Google and I'll show you, you should go to the Google for the Dominican Republic, as this is a device from the Dominican Republic. Now, as you probably suspect, this is pretty bad. I mean, we have devices like this going on in the Dominican Republic, Colombia, Thailand, a lot of countries, and a lot of devices are going on like that.

We also have another functionality of Umap, which is scanning for internal hosts. Now, I don't want to do live scanning of the hosts, because most hosts nowadays are using other gateway devices, like Linksys wireless routers and all that, which block all the WAN requests. But if there are devices that have direct connections to other devices or PCs, then we could actually map. Let me show you a couple of mappings I did earlier on.
Now, don't laugh at my smudging skills in GIMP. So basically, what I want to show you here is Umap and this number up here on the total positives. This scan was running for a couple of days and we got 88,000 devices with open UPnP ports, which is ridiculous. And this is actually a port mapping, as you can see: the smudged part is the external IP address and the external port, and we have the internal IP address which the mapping has been made for. We also have another example, in this case, for example, I just set it to run for that IP and we got a Windows IP, 10.0.0.5, for 139 and 445. Now, this is maybe a bigger problem, because obviously you can traverse the NAT from the WAN, which is something you don't want, and we have all the possibilities. Now, we can't use this sometimes on some protocols, let's say, because we have to map these ports on some of the higher ports. We can't use the same 139 or the 445. So that could make things a little bit more difficult, but it still works, and obviously if you have an SSH port or an HTTP port, it won't matter that much.
Let's keep on working here. So as the internal LAN scanning tool... And how do we fix this? I don't know. There's no real solution or best solution. First of all, we need to get everyone to be aware of this and start configuring their devices for UPnP, only accepting the actions from the LAN side. Now, unfortunately, some devices, even after you configure them to accept the actions from the LAN side, they just don't work. I mean, you can configure them and they will keep on working on the WAN side, which is pretty bad too. We also could work with ISPs, which could do some base configuration to disable by default the UPnP WAN requests. Now, this is a big problem, because most ISPs just say that's not my problem, that's the customer's problem. You know, it's an industry problem, which is, yeah, deplorable.
And in some cases, if you don't have any other choice, you could just disable UPnP all the way, which is not good. I don't know if you guys have used UPnP that much, but I'm a gamer, and you can't play with PlayStation and Xbox without UPnP unless you have some kind of DMZ or an external IP address pointing directly at your device. So mitigation is gonna be a little difficult, but most people can just configure their devices so that they can block the requests from the WAN. As Dan Kaminsky was saying at the previous talk, it's like having a firewall asking people if they wanna block or unblock, which is kinda weird, because, I mean, why should you ask? Obviously, if you configure it, you shouldn't be asking. And that's about it. Any questions, or... I'm sorry?
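Added example (not Umap, and not code from the talk): the exchange the talk walks through, modelled offline in Python. It walks the device description for the WANIPConnection control URL, builds the AddPortMapping SOAP request with the arguments the talk lists (lease duration, internal client, external port, remote host), and then applies on the device side the two checks the talk says many stacks skip: that the request came from the LAN side, and that NewInternalClient is a LAN address. The device description, the control URL and all addresses are constructed for the example; nothing is sent on the network.

```python
"""Offline model of the UPnP IGD port-mapping exchange the talk describes,
with the two checks it says many stacks skip.  Added example: not Umap and
not code from the talk.  The device description, control URL and addresses
below are constructed for the example."""
import ipaddress
import xml.etree.ElementTree as ET

DEV_NS = "urn:schemas-upnp-org:device-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed stand-in for the XML the discovery reply's LOCATION points at
# (in the WAN case the talk describes, it is simply fetched over HTTP).
DEVICE_DESCRIPTION = f"""<?xml version="1.0"?>
<root xmlns="{DEV_NS}">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <serialNumber>EXAMPLE-0001</serialNumber>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>{WANIP}</serviceType>
          <controlURL>/upnp/control/WANIPConn1</controlURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>"""


def find_control_url(description_xml, service_type=WANIP):
    """Walk the nested device tree; return the controlURL of service_type
    or None when the device does not advertise that service."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        if svc.findtext(f"{{{DEV_NS}}}serviceType") == service_type:
            return svc.findtext(f"{{{DEV_NS}}}controlURL")
    return None


def build_add_port_mapping(external_port, protocol, internal_client,
                           internal_port, lease_seconds=0, remote_host="",
                           description="example"):
    """Client side: (headers, body) for an AddPortMapping SOAP call.  Nothing
    here constrains internal_client; a stack that forwards whatever it is
    given will create a WAN-to-WAN mapping just as readily as a LAN one."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP}">'
        f"<NewRemoteHost>{remote_host}</NewRemoteHost>"
        f"<NewExternalPort>{external_port}</NewExternalPort>"
        f"<NewProtocol>{protocol}</NewProtocol>"
        f"<NewInternalPort>{internal_port}</NewInternalPort>"
        f"<NewInternalClient>{internal_client}</NewInternalClient>"
        "<NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{description}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease_seconds}</NewLeaseDuration>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP}#AddPortMapping"',
    }
    return headers, body


def parse_add_port_mapping(body):
    """Device side: pull the argument values out of the SOAP body."""
    action = ET.fromstring(body).find(f".//{{{WANIP}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "") for child in action}


def check_add_port_mapping(args, source_ip, lan_network):
    """The checks a hardened stack makes before honouring the request: it
    arrived from the LAN side, and NewInternalClient is a LAN address.
    Returns the reasons to refuse; an empty list means accept."""
    lan = ipaddress.ip_network(lan_network)
    problems = []
    if ipaddress.ip_address(source_ip) not in lan:
        problems.append("request did not arrive from the LAN side")
    try:
        client = ipaddress.ip_address(args["NewInternalClient"])
    except (KeyError, ValueError):
        problems.append("NewInternalClient missing or not an IP address")
    else:
        if client not in lan:
            problems.append("NewInternalClient is not a LAN host (WAN-to-WAN mapping)")
    return problems


if __name__ == "__main__":
    # The talk's "Amazon port 80" case: a WAN-side client (203.0.113.7, a
    # documentation address) asks the gateway to map port 8080 onto a public host.
    _, body = build_add_port_mapping(8080, "TCP", "198.51.100.10", 80)
    print(find_control_url(DEVICE_DESCRIPTION))
    print(check_add_port_mapping(parse_add_port_mapping(body), "203.0.113.7", "192.168.1.0/24"))
```

Run it directly and the WAN-to-WAN case is refused on both counts; a LAN source asking for a LAN NewInternalClient gets an empty list back. Against a real gateway the same body is POSTed to the control URL with those headers, and, given the talk's observation that some stacks answer 200 OK without actually opening the port, a follow-up connect to the external port, not the SOAP reply, is the only reliable confirmation that the mapping exists.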