UPnP Mapping

Video in TIB AV-Portal: UPnP Mapping

Formal Metadata

UPnP Mapping
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Universal Plug and Play (UPnP) is a technology developed by Microsoft in 1999 as a solution for NAT traversal (among other things). This talk explores the exploitation of port mapping services in UPnP/IGD devices from the WAN. It also presents a tool called Umap that helps process the UPnP requests. Attacking UPnP allows attackers to use devices as a proxy that can establish connections to internal and external IP addresses. The software allows scanning internal hosts behind the device's NAT, manual port mapping (WAN to LAN, WAN to WAN) and a SOCKSv4 proxy service that automatically maps requests to UPnP devices. Most UPnP attacks have focused on exploiting UPnP from the LAN side of the device; this talk focuses on attacking from the WAN side. Attackers can use these techniques to hide IP addresses and attack internal hosts behind common household gateway devices.

Daniel Garcia (FormateZ on Undernet) is a security researcher/consultant with 15+ years of experience in security. He also founded Toor, a security consulting group that focuses on penetration testing, secure architectures and application assessments. Aside from security, he has also worked with numerous projects and platforms like DOCSIS, WiMAX, Wi-Fi (city-wide), PLC and DHE.

Thank you for being here. As you probably suspect by now, I'm going to be talking about UPnP and UPnP mapping. This is a turbo talk, so obviously this is going to be a little fast; I'm going to try to go into as much detail as I can, but for any other questions you can just go to the Q&A and I'll answer them.

So let's do a brief introduction. Who am I? Not very important, but I'm a security researcher. I started working with security at the tender age of 14. I used to hang out on Undernet and work with the ISPs back in the Dominican Republic, which is where I'm from, cable companies and all that.

So, what is UPnP? UPnP is Universal Plug and Play, a technology made by the UPnP Forum, which is a code name for Microsoft. They made it back in 1999, and the name probably gave it away that it was something made by Microsoft. The point of UPnP is to make devices work seamlessly, be it connectivity devices or networking devices or media devices; there are also other devices that can use it, but mostly that's what UPnP is used for. As you probably suspect, making devices work seamlessly is not a very good idea, or it's a good idea but it's not very possible. We're going to talk specifically about IGDs, the part of UPnP that works with networking devices. As you probably suspect, to make the network devices work seamlessly you need NAT traversal. How many of you, raise your hands, were in the Dan Kaminsky talk? All right, so you probably get the basic idea: a device on the LAN uses UPnP to automatically add port mappings on the device so that WAN devices can access the LAN, which is a great idea, but as you will see it's not that great if you make it like UPnP does. IGDs are found mostly on DSL and some other devices; cable modems not that much, because cable modems usually are bridged, but if something is routing and doing PPP it's probably doing IGD.

So a big question, and I've been working with Dan Kaminsky on this one, is how many IGD devices are online, and it's a shitload. I mean, it's amazing. We thought we would have a minority of the devices on the net, but I have personally seen half a million devices across different countries open and accepting UPnP requests. So let me
first of all explain a little bit of how UPnP works. Briefly, you start with a discovery process which relies on multicast UDP: it sends multicast UDP and any device listening replies back with a unicast UDP. This unicast UDP, you probably can't see it very well, but it's in the white paper, describes or points out a LOCATION, which is just an XML file describing the different services and devices available to execute on that UPnP device. After you get that unicast, which is the blue part, the yellow part, you get to the green part, which is unicast TCP; basically it's a SOAP request. After you get the description of the device, the XML, you send a SOAP request, which maps the port. I probably can't see it either, but over here you have the different arguments that you can use, like lease duration of the port mapping, internal client, external port and remote host: basically your basic port mapping arguments.

So let's do a bit of the UPnP hacking timeline. Starting in 2001, Ken from FTU Security found a couple of denial-of-service attacks for the Windows XP stack; obviously UPnP was implemented in Windows XP first, Microsoft wanted to promote the technology. Then in 2001 again eEye published buffer overflows for the same stack; you probably remember that one, it was pretty popular. Then in 2003 Björn Stickler talked about UPnP information disclosure. Now, there's not a lot of information that's being thrown out by UPnP, but it's enough, it's not that good; you'll see with the demo how much information we can get. And then in 2006 Armijn Hemel started publishing UPnP hacks on the site upnp-hacks.org, and he's basically like one of the fathers of UPnP hacking; he has examined all the UPnP stacks and described which stacks allow some actions and whatnot. And then in 2008 we had an attack by GNUCitizen which was pretty smart; basically it relied on the internal clients of a network sending SOAP through JavaScript, and basically the purpose of that was opening the web administration port of clients that accessed sites and such. So
one of the main problems of UPnP... well, first of all, Jesus, it's the word plug-and-play. I don't know if you guys remember Windows 98 and plug and play and the whole idea; it didn't work. I mean, it's not rocket science, and every time I see plug and play anywhere I just have to look it up, because I don't want to go through the same nightmare that we went through in the early or late '90s. So the other thing with plug and play: it's a pretty nice idea, we would love to have things plug and play, but it doesn't work well with security. I mean, you can't have secure devices being plug and play; you need to authenticate something, you need to ask questions. And that's one of the main problems of UPnP: UPnP has no authentication whatsoever, at all. In fact, the only way they consider an entity that could actually execute commands is just if it has an IP assigned, which is ridiculous. I mean, it's like the Khan sitting down and saying "we're going to let people in; how would we know who to let in?" and then someone said "if they exist they can come in", which is ridiculous; don't even go through it.

After that, the other problem is that most stacks do not validate data, and what we mean by this is, first of all, UPnP was made or designed for LAN use only, and that's not true, unfortunately. But not only that: port mappings were designed to work for internal hosts that wanted to traverse the NAT and add port mappings, so in this case most stacks, or a lot of stacks, do not check if the internal IP is actually on the LAN, or internal. So what that actually allows us is to stick any IP that we want in that port mapping. So if I want to add a port mapping on the device pointing to an Amazon IP, port 80, it's doable in most devices, which is also a little bit weird.

The other problem is, as I was saying, UPnP was designed for LAN use, and most, or a lot of, devices allow indiscriminate WAN requests, I mean requests of UPnP actions coming from the WAN, which doesn't make any sense. In fact the UPnP protocol says not to do that; to be fair, the IGD version 1 protocol says specifically it's not recommended to do that. To give them credit though, on the IGD version 2 paper they made that sentence in CAPS, so I guess they're making a better point now. And on the other hand we have devices that don't even log UPnP requests; I mean, we can play with it, do whatever we want with it, and no one will ever see it because the device doesn't have the capability of logging, which is also a bit weird. There's also a ton of other problems: we have command execution on some stacks and, as you saw, denial of service and buffer overflows. In fact the denial of service is so bad that when I was programming Umap, the tool I'm going to showcase, I accidentally crashed my modem like a thousand times and I didn't even do anything; I was just sending bad requests and the device would go dead.

So, the devices affected so far: we don't know yet how many devices are affected, but we'll see some vendors, taking into account what's been going on. We have Linksys, Edimax, Sitecom, Broadcom, which is not listed here, but the most common stack on the net which is vulnerable is the SpeedTouch, or Thomson, or now Technicolor stack; we have devices roaming around the net in big amounts. So Umap, the tool:
what is it? First of all, it's a SOCKS proxy server that forwards or pipes the requests through UPnP devices; I'm going to explain it a little bit better a little further down the road. It's also a TCP/UDP scanner for hosts behind the IGD NAT; basically we can scan the services of the hosts inside the NAT from outside. And also a manual port mapper for UPnP devices.

So how does it work? As I explained in the first part of the presentation, UPnP relies on multicast, so that's not a very good scenario for a WAN request or search; obviously we can't use multicast on the WAN. So basically what we do is we skip that part completely and we just go on to fetching the XML description files from the locations. It's pretty simple, it's like fetching HTTP files, not that big of a deal. And then it also uses the control part of the UPnP code, which is actually what executes the actions or the commands that UPnP allows on some devices.

So here's a flow diagram of more or less how Umap works. It basically takes a list of IPs and starts scanning for open control points, or UPnP devices. Once it receives a SOCKS request, if it has a positive UPnP device, it attempts to add a port mapping; then it opens the connection and pipes the incoming connection through to the SOCKS request, or the client that's making the SOCKS request. And after that it attempts to delete the port mapping. This is very needed on UPnP because UPnP does not allow an infinite amount of port mappings; actually some devices allow as little as 10 port mappings at a time, so if we actually did a port mapping for every connection we wouldn't have a very accurate or a very good connection.

So we also have the part of scanning internal hosts. Basically it also checks for open control points, then it tries to guess the IP or the internal LAN block that's being used, and adds a port mapping for each internal IP. Let's say I want to scan port 21 of all the hosts on the inside of the LAN: it starts adding port mappings for 10.0.0.1 and 21 and then tries to map it to an external port, and then the program tries to check if that port is open on the external port on the WAN IP. If it's open, obviously you can establish a connection to the internal host and the internal services. And it also does the deletion of the port mapping.

So what are the cons with UPnP mapping? A lot. First of all, the UPnP stacks are buggy and unstable. It was kind of hard, or not that hard, programming Umap; the one being distributed on the CD is very buggy, so I would suggest downloading the new version when I release it tonight on the site. But basically UPnP stacks, even though they're supposed to be on a standard, they don't behave on the standard, and they have minor differences. The other thing is that obviously we have limited bandwidth, because we're relying on the upload bandwidth of the devices. And also we have problems with protocols that have a heavy amount of connections; I mean, we can use UPnP mapping for maybe mapping ports for SSH, maybe some web requests, but if you get something like torrent or whatever, it obviously won't work that well; I mean, if we have only a limit of 150 or 200 mappings at a time it's just not going to work. And the other thing is that some devices, even though they report that they open the port, they don't; they say everything's OK, 200 OK and everything, and they reply, but when you go and try to connect to the port you have nothing, so that's obviously not very good.

So let's do a little demo of Umap, and let's go for proxy mode. See if I can get this to work. I had to
modify Umap so that the real IPs don't show, because I don't want my ass thrown in jail and raped. When you get the real version, though, you can have all the fun you want; it shouldn't matter. In fact, there's also an issue on... if this is... it's obviously maybe it could be illegal, but not that much, because it's the same idea as an open proxy; it's just someone that has a badly configured device on the net that's allowing people to forward traffic. Obviously you're not authorized for doing port mappings, but it's not actually breaking into the device, so maybe I won't get my ass thrown in jail.

So here we go. I'm just going to scan a standard IP block and it should start running right away. I don't know if you can see it back there, can you? All right, so on the right-hand side here we have the positive IPs, and as you can see here we have a lot of details that come out from the device. First of all we can get the serial number of the device, the model number, who makes it, and the MAC address of the device. This obviously wouldn't help, also, for those devices that come with WEP keys tied to the serial number and all that, so that's not good either. Not only that, we also have a group of commands that we can execute on any device, and let me remind you that we are scanning a random block somewhere; I mean, we're not doing any tricks. So here are the commands that we can execute. They're not a lot of interesting commands, well, maybe or maybe not. We have the first part, that's not in bold, and those are the commands that are actually advertised by the device; now the ones that are on the bottom are the ones that are not advertised by the device. Obviously we wanted to try, just in case, as any hacker would do, and it works. I mean, even if the device doesn't advertise this command you can still execute the command. So for example, if I want to check out what's the upload and download bandwidth for this device, I could just execute it, and here we go: we get that this device is running an upstream of 350-something and a downstream of 2 megs, which is pretty convenient if you want to use it for a SOCKS proxy and you want to know what kind of bandwidth or latency you've been using.

We also have other commands like ForceTermination. I assure you ForceTermination is not for a contract or anything; it will actually close down the device and close out the connection, so I don't think denial of service is even a big deal, because if you have a command that actually turns off the device, what's the point? I mean, we don't need the denial of service, we just have to turn it off. We also have other commands like AddPortMapping, which is basically what Umap uses for connections, and we also have these other commands like GetUserName and GetPassword, and they actually work. Now, on the bright side, the username and the password they're talking about is not the administration interface but the PPP authentication username and password. Now this is maybe not that bad for some guys, because there's not much you can do with it, but unfortunately some providers use a customer number as a username for the PPP device, so that will also do something that you don't want and get you some information that you shouldn't have. Hit on another command, let's see if the username works. There you go, that's the username for the PPP of that device, which is also very weird. So onto the more important stuff, let's go for
what I set up is this: Umap is actually scanning and it opens up a SOCKS port, and you can send the request and it'll map it through to that IP that I have selected. We can test it right here. I've set up a page to show this mapping. Let's see if it works; remember that UPnP usually is very buggy and unreliable. And there it goes, it works. Now we have a very disturbing image of Bill Gates over there, but as you can see we have the IP over there; you can test that URL out if you want to, and you can see that it'll point out the IP you're working on. If you can see in Umap, this is the IP we have selected. Now if I want to just use another device, like the one below, 24 ... 4.6, then it should work too. Let's see... there we go. In fact we can go on Google; I'll show you, it should go to the Google for the Dominican Republic, as this is a device from the Dominican Republic. Now, as you probably suspect, this is pretty bad. I mean, we have devices like this going on in the Dominican Republic, Colombia, Thailand, a lot of countries, and a lot of devices are going on like that.

We also have another functionality of Umap, which is scanning for internal hosts. Now, I don't want to do live scanning of the hosts, because most hosts nowadays are using other gateway devices like Linksys wireless routers and all that, which block all WAN requests; but if there are devices that have direct connections to other devices or PCs, then we could actually map. Let me show you a couple of mappings I did earlier; now don't laugh at my leet smudging skills from GIMP. So basically what I want to show you here is Umap, and this number up here on the total positives: this scan was running for a couple of days and we got 88,000 devices up with open UPnP ports, which is ridiculous. And this is actually a port mapping; as you can see, the smart part is the external IP address and the external port, and we have the internal IP address which the mapping has been made for. We also have another example; in this case, for example, I just set it to run for that IP and we got a Windows IP, 10.0.0.54, 139 and 445. Now this is maybe a bigger problem, because obviously you can now reach it from the WAN, which is something you don't want, and we have all the possibilities. Now we can't use this sometimes on some protocols, let's say, because we have to map these ports onto some of the higher ports; we can't use the same 139 or 445, so that could make things a little bit more difficult, but it still works, and obviously for an SSH port or an HTTP port it won't matter that much.
Let's keep on working here. So that's the internal scanning too. And how do we fix this? I don't know; there's no real solution, or the best solution, first of all, is we need to get everyone to be aware of this and start configuring their devices for UPnP only accepting the actions from the LAN side. Now unfortunately some devices, even after you configure them to accept the actions from the LAN side, they just don't work; I mean, you can configure them and they will keep on working on the WAN side, which is pretty bad too. We also could work with ISPs, which could do some base configuration to disable UPnP WAN requests by default; now this is a big problem because most ISPs just say "that's not my problem, that's a customer's problem, I don't want to, you know, it's an industry problem", which is, yeah, deplorable. And in some cases, if you don't have any other choice, you could just disable UPnP all the way, which is not good. I don't know if you guys have used UPnP that much, but I'm a gamer and you can't play with PlayStation and Xbox without UPnP unless you have some kind of DMZ or an external IP address pointing directly at your device. So mitigation is going to be a little difficult, but most people can just configure their devices so that they block the requests from the WAN. Dan Kaminsky was saying at the previous talk, it's like having a firewall asking people if they want to block or unblock, which is kind of weird, because, I mean, why should you ask? Obviously if you configured it you shouldn't be asking. And that's about it. Any questions?