Edimax BR-6104K User Manual Page 1

Browse online or download the Edimax BR-6104K user manual (category: Networking). FOSDEM 2008 presentation user manual

Table of contents

Page 1 - February 24, 2008

Universal Plug and Play - Dead simple or simply deadly?
Armijn Hemel
February 24, 2008

Page 2 - About me

UPnP protocol - discovery
First step: discover devices on the network
On boot-up send a HTTP header to UDP port 1900 on 239.255.255.250 (this is called H

Page 3

UPnP protocol - discovery (continued)
Periodically send notifications to 239.255.255.250 on port 1900 UDP:
    NOTIFY * HTTP/1.1
    HOST: 239.255.255.250:1900
    CAC

Page 4

UPnP protocol - description
Second step: find out what devices can do
LOCATION points to XML:
    Location: http://192.168.1.1:5431/dyndev/uuid:0014-bf09
This

Page 5 - Today’s topics and goals

UPnP protocol - control
Third step: controlling a device
Devices can be controlled by sending SOAP requests to the “controlURL”.
There is no authenticati

Page 6

UPnP protocol - eventing
Fourth step: keeping devices informed
Changes in “state variables” are sent over the network to subscribed clients.
Clients can s

Page 7 - History of UPnP

UPnP protocol - presentation
Fifth step: human interface
Presentation is the human controllable interface: the web interface of the device.

Page 8 - UPnP protocol stack

UPnP profiles
UPnP defines profiles: a set of actions, state variables, etcetera, that implement specific functionality.
Standardized profiles:
  • Internet Gatew

Page 9 - UPnP protocol - addressing

Internet Gateway Device profile
  • WAN connection or ADSL modem (ADSL modems and (wireless) routers)
  • firewall + Network Address Translation
  • DNS server, DHCP

Page 10 - UPnP protocol - discovery

Hacking the Internet Gateway Device
The Internet Gateway Device (IGD) is an interesting target:
  • It controls access to and from a LAN. Control the IGD

Page 11

Port forwarding
The Internet Gateway Device profile allows port forwarding (via WANIPConnection or WANPPPConnection subprofiles).
Network Address Translati

Page 12 - UPnP protocol - description

About me
Professional:
  • 1996-2006: computer science at Utrecht University
  • 2004-2006: MSc thesis: NixOS
  • 2000-present: author Linux Magazine NL, Linux Mag

Page 13 - UPnP protocol - control

WANIPConnection and WANPPPConnection subprofiles
WANIPConnection and WANPPPConnection subprofiles control portmapping actions:
  • add a portmapping
  • delete a

Page 14 - UPnP protocol - eventing

Port forwarding – SOAP action
AddPortMapping SOAP function takes a few arguments:
  • NewRemoteHost - source of inbound packets, usually empty (i.e. all hos

Page 15 - UPnP protocol - presentation

Example code
    #! /usr/bin/python
    import os
    from SOAPpy import *
    endpoint = "http://10.0.0.138/upnp/control/wanpppcpppoa"
    namespace = "urn:sch

Page 16 - UPnP profiles

Port forwarding – protocol dumbness
According to the specifications NewInternalClient can be set to another internal machine.
Open connections to other ma

Page 17

Port forwarding – implementation errors
Some implementations accept non local machines as NewInternalClient. Connections to NewExternalPort (IGD externa

Page 18

Vulnerable devices
  • many Linux based devices with Broadcom chip and Broadcom UPnP stack
  • Linux IGD based devices (primarily Edimax + clones)
  • new devices

Page 19 - Port forwarding

Code problems
The problem is proper parameter checking.
Input from SOAP request is often passed to an external command unchecked.
Risk: possibly execute

Page 20

linux-igd hack
Many devices use old code from the Linux IGD project (code slightly adapted for readability):
    int pmlist_AddPortMapping (char *protocol, c

Page 21 - Port forwarding – SOAP action

linux-igd hack – continued
The following Python code sends a SOAP packet which lets the router (Edimax BR-6104K, with old firmware) reboot remotely:
    serve

Page 22 - Example code

Risks and impact
Reaction from vendors/“security experts” after my research in 2006:
The attacks are not remote, but originate from the LAN, which make i

Page 23

A word from our sponsors: Loohuis Consulting
  • specialized hosting
  • web development (AJAX and other buzzwords)
  • GPL license compliance
  • UPnP security
  • route

Page 24

Risks and impact
The Human Factor:
  • people want to use UPnP
  • people don’t know how to turn it off, or can’t turn it off (Speedtouch 510 has no option in web

Page 25 - Vulnerable devices

Risks and impact
Result of all this:
  • millions of vulnerable UPnP capable routers have been sold and are in use
  • infected computer is relatively easy to d

Page 26 - Code problems

Risks and impact
Research was published on May 18 2006 (SANE 2006 conference in Delft, the Netherlands).
Apart from some media attention things fizzled ou

Page 27

How did this happen?
To blame: the ODM development model
  • time to market
  • features (security is not a feature)
  • really really really tight profit margins
Co

Page 28

More UPnP hacks / Future work
  • embed this code into security/scanning tools
  • hack UPnP A/V profile
  • attack the UPnP SOAP stack
Help is more than welcome.

Page 29 - Risks and impact

Hacking the UPnP A/V profile
UPnP A/V profile is getting used more and more:
  • Philips Streamium (some models)
  • X-Box 360 (limited use)
  • Noxon Audio
  • Netgear

Page 30

Hacking the UPnP A/V profile
Two basic types of devices:
1. MediaServer
2. MediaRenderer
MediaServer streams content, MediaRenderer plays content (audio or

Page 31

Hacking the UPnP A/V profile
Possible hacks:
  • “steal” content (DRM protected that was paid for?) from a MediaServer by sending it off the LAN.
  • play content

Page 32

Attacking the UPnP SOAP stacks
A few stacks are used:
  • Intel UPnP SDK/libupnp
  • custom stacks
Some do just string comparisons instead of implementing a pro

Page 33 - How did this happen?

The end?
Will all be OK when UPnP has been fixed?
Nah. Enough other attack vectors on routers:
  • embedded web interface
  • DNS (some stacks barf when you ask

Page 34 - More UPnP hacks / Future work

A word from our sponsors: NLUUG
  • May 15, 2008: NLUUG spring conference about security.
  • Fall 2008: conference about mobile devices
More info: http://www.

Page 35 - Hacking the UPnP A/V profile

Today’s topics and goals
  • UPnP history
  • UPnP protocol stack
  • debunk common misconceptions about UPnP
  • show errors in UPnP design
  • show errors in UPnP imple

Page 36

Universal Plug and Play - introduction
Bring the desktop “plug and play” concept (Windows 98/Windows ME) to the (local) network.
Benefits:
  • no configuration

Page 37

History of UPnP
  • early 1999 as reaction by Microsoft to Sun’s JINI
  • early 2000: first products with UPnP (Windows ME, Intel’s OpenSource UPnP SDK)
  • Window

Page 38

UPnP protocol stack
0. addressing
1. discovery
2. description
3. control
4. eventing
5. presentation

Page 39 - The end?

UPnP protocol - addressing
Zeroth, optional, step. If no DHCP server is found use “auto-addressing”:
1. randomly pick an IP address from 169.254/16 IP r
