ISSCloud - Information Systems Solutions


UPnP vulnerability allows attackers to scan internal networks and steal data

UPnP vulnerability allows attackers to scan internal networks and steal data

Latest research has revealed that the Universal Plug and Play (UPnP) network protocol has an integral security flaw that leaves printers, routers, and millions of other devices wide open to an attack which can remotely commandeer them.

The UPnP protocol has been in use since 2008 predominantly but not exclusively being installed on routers. It allows devices to automatically find each other and connect over a network. It does this by using the HTTP, SOAP, and XML protocols to flag themselves and look for other devices over the same network. It is a clever piece of automation that removes the need for the user to manually open different network ports that devices might want to communicate.

Since its launch, however, UPnP has unwittingly opened users to a variety of attacks. A 2013 Internet-wide analysis reported that UPnP was permitting more than 81 million devices to be visible to people outside their local network. The discovery was a major shock because UPnP was neither designed nor enabled to communicate with external devices. This vulnerability was the result of common code libraries monitoring all interfaces for User Datagram Protocol packets, even when they were only configured to listen to internal ones.

A few years later, in November 2018, researchers detected further attacks that targeted routers using UPnP. The first attack they identified used a buggy UPnP implementation in Broadcom chips to lure a staggering 100 000 routers into a botnet. The next exploited flaws in a different UPnP implementation allowing 45 000 routers to open ports that were instrumental in spreading EternalRed and EternalBlue, the powerful Windows attacker that was developed by the US National Security Agency and later stolen from them.

The exploit has been named CallStranger by the researcher Yunus Çadırcı, a well-respected cybersecurity leader from Ankara, Turkey. CallStranger has the capability to force large numbers of devices to participate in distributed denial of service — or DDoS — attacks that saturate third-party targets with junk traffic. The exploit can also surreptitiously extract data from inside networks even when they are protected by data loss prevention tools. CallStranger can also allow attackers to scan internal ports that should be invisible because they are not exposed to the Internet.

Billions of routers and devices are susceptible to CallStranger. For the exploit to actually work a targeted device must have UPnP exposed on the Internet. This constraint, thankfully, means only a fraction of vulnerable devices are actually exploitable.

CallStranger permits an unauthenticated remote user to interact with devices that are supposed to only be accessible inside the local network. A major use for the exploit is directing bulk junk traffic to destinations of the attacker’s choice. Because the output sent to the attacker’s selected destinations is vast in comparison to the request the attacker initiates, CallStranger provides a particularly powerful way to exaggerate those resources. Other capabilities include contacting all other devices on the local network to steal data, even if the network is protected by data loss prevention tools.

CallStranger works by abusing the UPnP SUBSCRIBE capability, that devices use to receive notifications from other devices when certain events happen, such as the playing of a video or music file. Specifically, the exploit sends subscription requests that force the URL to receive the callback. To perform DDoS, CallStranger sends multiple subscription requests which spoof the address of a third-party site on the Internet. When the attack is performed in unison with other devices, the lengthy callbacks swamp that site with an avalanche of junk traffic. Sometimes the URL receiving the callback will point to a device inside the internal network. The responses can create a condition like a server-side request forgery, which can allow attackers to hack internal devices behind network firewalls.

Devices that Çadırcı has confirmed to be vulnerable are:

  • Windows 10 (Probably all Windows versions including servers) – upnphost.dll 10.0.18362.719
  • Xbox One- OS Version 10.0.19041.2494
  • ADB TNR-5720SX Box (TNR-5720SX/v16.4-rc-371-gf5e2289 UPnP/1.0 BH-upnpdev/2.0)
  • Asus ASUS Media Streamer
  • Asus Rt-N11
  • BelkinWeMo
  • Broadcom ADSL Modems
  • Canon SELPHY CP1200 Printer
  • Cisco X1000 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • Cisco X3500 – (LINUX/2.4 UPnP/1.0 BRCM400/1.0)
  • D-Link DVG-N5412SP WPS Router (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • EPSON EP, EW, XP Series (EPSON_Linux UPnP/1.0 Epson UPnP SDK/1.0)
  • HP Deskjet, Photosmart, Officejet ENVY Series (POSIX, UPnP/1.0, Intel MicroStack/1.0.1347)
  • Huawei HG255s Router – Firmware HG255sC163B03 (ATP UPnP Core)
  • NEC AccessTechnica WR8165N Router ( OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Philips 2k14MTK TV- Firmware TPL161E_012.003.039.001
  • Samsung UE55MU7000 TV – FirmwareT-KTMDEUC-1280.5, BT – S
  • Samsung MU8000 TV
  • TP-Link TL-WA801ND (Linux/2.6.36, UPnP/1.0, Portable SDK for UPnP devices/1.6.19)
  • Trendnet TV-IP551W (OS 1.0 UPnP/1.0 Realtek/V1.3)
  • Zyxel VMG8324-B10A (LINUX/2.6 UPnP/1.0 BRCM400-UPnP/1.0)

Çadırcı submitted his findings to the Open Connectivity Foundation, which maintains the UPnP protocol. They have reportedly updated the underlying specification to fix the flaw. Users can check with developers or manufacturers to find out if patches are available for their devices. However, a significant percentage of devices never receive updates from manufacturers, which means the vulnerability could survive for many years yet. The best defense is to disable UPnP altogether. Most routers allow this by unchecking a box in the settings menu.

Picture of Ricardo Mendes

Ricardo Mendes

Ricardo is a Senior Systems Administrator and Consultant at ISSCloud, after +10 years working in Private Telecom. He enjoys writing about Technology, Security & Privacy.

Leave a Reply

Your email address will not be published. Required fields are marked *