Paste #2605: 50 Million Potentially Vulnerable to UPnP Flaws - January 2013 Articles and Downloads

Pasted by daisy duke
50 Million Potentially Vulnerable to UPnP Flaws - January 2013 Articles and Downloads

###

Multi-Article Document:

Part 1 - Article: 50 Million Potentially Vulnerable to UPnP Flaws -----------------------[Source: threatpost.com]
Part 2 - Article: Security Flaws in Universal Plug and Play: Unplug, Don't Play ---------[Source: community.rapid7.com]
Part 3 - Router Scan: Universal Plug and Play - Router Security Check -------------------[Source: upnp-check.rapid7.com]
Part 4 - Download: ScanNow for Universal Plug and Play (UPnP) | For Windows -------------[Source: www.rapid7.com]
Part 5 - PDF: Whitepaper: Security Flaws in Universal Plug and Play: Unplug, Don't Play.-[Source: community.rapid7.com]
Part 6 - Article: Millions of devices vulnerable via UPnP -------------------------------[Source: www.h-online.com]
Part 7 - Article and Discussion: 50 Million Potentially Vulnerable To UPnP Flaws --------[Source: tech.slashdot.org]

Translate this collection (does not include software download(s) and PDF(s)): http://translate.google.com/

###

COPYRIGHT: The New Zealand Copyright Act 1994 specifies certain circumstances where all or a substantial part of a copyright work may be used
without the copyright owner's permission. A "fair dealing" with copyright material does not infringe copyright if it is for the following
purposes: research or private study; criticism or review; or reporting current events.

###


(Part 1): 50 Million Potentially Vulnerable to UPnP Flaws

by Brian Donohue | January 29, 2013, 1:15PM

https://threatpost.com/en_us/blogs/50-million-potentially-vulnerable-upnp-flaws-012913

"In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks.

A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw.

Between June 1 and Nov. 17, 2012, Rapid7 conducted weekly scans that sent Simple Service Discovery Protocol (SSDP) requests to each routable IPv4 address. In all, 2.2 percent of all public IPv4 addresses responded to the standard UPnP discovery requests. So, 81 million unique IP addresses responded and, upon deeper probing, researchers determined some 17 million further systems exposed the UPnP Simple Object Access Protocol (SOAP) interface. This level of exposure was far higher than researchers had expected, according to the report.

Rapid7 claims that the UPnP protocol has suffered from a number of security problems over the last decade or so. Despite rarely implemented authentication mechanisms, the presence of privileged capabilities on questionable networks, and common programming flaws, Rapid7 decided to focus its research on three classes of problems: programming flaws in common UPnP SSDP implementations that can be exploited to crash the service and execute arbitrary code; exposure of the UPnP control interface that exposes private networks to attacks from the Internet; and programming flaws in the UPnP HTTP and SOAP implementations that can be exploited to crash the service and execute arbitrary code.

"This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices," Rapid7's CSO HD Moore elaborated via email. "The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable."

According to Moore, the two most commonly implemented UPnP software libraries both contain remotely exploitable vulnerabilities. More than 73 percent of systems uncovered by SSDP were derived from just four development kits: Portable SDK for UPnP Devices; MiniUPnP; a commercial stack likely developed by Broadcom; and one other kit whose developer could not be determined. The most current version of Portable UPnP SDK--at the time the research was conducted--accounted for the previously mentioned 23 million IPs that are vulnerable to remote code execution through a single user datagram protocol packet.

Most Portable UPnP SDK devices are not running on the latest version of the software. Researchers determined that the users running older versions of Portable UPnP SDK could be compromised by no fewer than eight remotely exploitable flaws.

The latest version of MiniUPnP (1.1) fixed a remotely exploitable stack overflow in the SOAP handler from its earlier version (1.0), but the SSDP scan determined that more than 14 percent of MiniUPnP users have yet to update and that 330 separate products remain vulnerable. The MiniUPnP library was also vulnerable to a parsing flaw in the SSDP handler that has since been patched.

UPnP is, according to Rapid 7, a protocol standard, often enabled by default, that allows computers and various other network connected devices to communicate with one another and simplifies the discovery and control of network devices. Devices with UPnP enabled by default include smart TVs, IP cameras, printers, media servers and routers to name a few. It is enabled by default on Mac OS X, Microsoft Windows, and a number of Linux distros. Different devices have different capabilities but some common functions include incoming port mapping on home routers, identification of network printers, and managing media services.

Rapid7 is encouraging users to disable UPnP on all Internet facing systems and replace any systems that do not offer the ability to disable the protocol. Some of these vulnerabilities, such as the Portable UPnP SDK and MiniUPnP, have been patched, but as Moore notes, it takes time for the various device makers and application developers to implement the patch into their products. In the meantime, users will remain vulnerable. He also explains that a number of products are "no longer shipping," meaning that users of that equipment will not receive patches and will remain vulnerable until they remove or replace the products in question.

Rapid7's ScanNow tool can be used to check whether systems are vulnerable.

In the white paper, Rapid7 goes on to make a number of recommendations to Internet service providers, businesses, and home and mobile users that may be vulnerable, as well as providing in-depth analysis of the specific vulnerabilities themselves."

https://threatpost.com/sites/default/files/upnp.jpg
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp
https://community.rapid7.com/docs/DOC-2150

###

(Part 2): Security Flaws in Universal Plug and Play: Unplug, Don't Play

by HD Moore in Information Security | Jan 29, 2013 1:05:19 AM

https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

"This morning we released a whitepaper entitled Security Flaws in Universal Plug and Play. This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in and of itself.

The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products. In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.

For the reasons outlined above, we strongly suggest that end users, companies, and ISPs take immediate action to identify and disable any internet-exposed UPnP endpoints in their environments. UPnP is pervasive - it is enabled by default on many home gateways, nearly all network printers, and devices ranging from IP cameras to network storage servers.

To this end, we have provided ScanNow UPnP, a free tool that can identify exposed UPnP endpoints in your network and flag which of those may be remotely exploitable through recently discovered vulnerabilities. A screenshot of this tool in action is in the lower right.

If you are accessing the internet from your home network, we now offer an alternative to ScanNow and Metasploit. The Rapid7 UPnP Check is a one-click security scan for broadband and mobile users. If you are concerned about the security of your non-technical friends and family, this is a quick way for them to check their home router for UPnP vulnerabilities. The main difference between this service and ScanNow is that the UPnP Check will run a scan from the internet and can only check the external interface of your router.

Although ScanNow only supports Microsoft Windows, users of Mac OS X and Linux can accomplish the same task using Metasploit. To use the latest module, which includes vulnerability reporting for the recently disclosed vulnerabilities, make sure you have the most current update applied.

Using this module within Metasploit's web interface is simple. Create a new project and access the Modules tab. In the search bar, enter "ssdp_msearch", then select the module named UPnP SSDP M-SEARCH Information Discovery. Enter the network range you want to scan and Metasploit will take care of the rest. The module will run in the background and the Analysis tab will be updated with hosts and vulnerabilities as they are found.

Image: https://community.rapid7.com/servlet/JiveServlet/showImage/38-6031-2749/scannow.png

To accomplish the same task using the command-line, first open the Metasploit console.

$ msfconsole
msf>

From the msf prompt, enter the following commands, substituting your own network for RHOSTS

msf > use auxiliary/scanner/upnp/ssdp_msearch
msf  auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24
msf  auxiliary(ssdp_msearch) > run

Any devices supporting UPnP should appear, with specific CVEs listed for those that have at least one exploitable vulnerability.

[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | http://192.168.0.9:3278/etc/linuxigd/gatedesc.xml

[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230)

If you are interested in hearing more about these issues, I will be hosting a one-hour webcast on February 4th at 3:00pm EST. You can also leave comments on this post.

-HD"

https://community.rapid7.com/docs/DOC-2150
http://pupnp.sourceforge.net/
http://miniupnp.free.fr/
http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp
http://upnp-check.rapid7.com/
http://information.rapid7.com/Webcast-UPnP-Registration.html?LS=1677495%20&CS=blog

Tags: metasploit, device, vulnerability, webcast, upnp

###

(Part 3): Router Scan: Universal Plug and Play - Router Security Check

http://upnp-check.rapid7.com/

"Universal Plug and Play (UPnP) is a protocol standard that allows easy communication between computers and network-enabled devices. This protocol is enabled by default on millions of systems, including routers, printers, media servers, IP cameras, smart TVs, home automation systems, and network storage servers.

Recent research from Rapid7 revealed that at least 40-50 million of these devices are at risk due to security flaws in the UPnP protocol. These issues potentially expose millions of users to remote attacks that could result in the theft of sensitive information or further assaults on connected machines such as personal computers.

This service can test your router and determine whether it is vulnerable to attack. Clicking the Scan My Router button below will start the test. To learn more about UPnP vulnerabilities, please see this blog post.

This service is only suitable for identifying whether your UPnP is exposed to the internet. To check for internal exposure, we recommend downloading the free ScanNow for UPnP tool. We particularly recommend this for business users."

https://community.rapid7.com/docs/DOC-2150
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play#comment-3596
http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp

Scan My Router: http://upnp-check.rapid7.com/scan
Download ScanNow: http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp
FAQ: http://upnp-check.rapid7.com/faq

###

(Part 4): ScanNow for Universal Plug and Play (UPnP) | For Windows | Download

https://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp

"The free scanner checks whether your network-enabled devices might be vulnerable to attack through the UPnP protocol.

Recent research from Rapid7 revealed that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. Three groups of security flaws in the protocol are exposing millions of users to remote attacks that could result in the theft of sensitive information or other criminal activity such as spying.

Use our free ScanNow tool today to find out if you might be one of the millions of users at risk through these vulnerabilities and what steps you can take to reduce risk."

https://community.rapid7.com/docs/DOC-2150
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

[Download For Windows] http://downloads.metasploit.com/data/releases/ScanNowUPnP.exe

###

(Part 5): PDF: Whitepaper: Security Flaws in Universal Plug and Play: Unplug, Don't Play.

by HD Moore | Jan 29, 2013 1:41 AM
last modified by HD Moore on Jan 29, 2013 1:42 AM 

https://community.rapid7.com/docs/DOC-2150

"This whitepaper details research conducted by Rapid7, which reveals that around 40-50 million network-enabled devices are at risk due to vulnerabilities found in the Universal Plug and Play (UPnP) protocol. UPnP enables devices such as routers, printers, network-attached storage (NAS), media players and smart TVs to communicate with each other. The paper investigates how three groups of security flaws relating to the UPnP protocol are exposing millions of users to attacks that could lead to a remote compromise of the vulnerable device.

We strongly recommend that people check whether they may be vulnerable, and if so, disable the UPnP protocol in any affected devices. Further details on mitigation strategies are included in the executive summary section at the front of the attached whitepaper. The document also includes details on the methodology of the research, breakdown and analysis of the findings and insights into the implications.

If you have any feedback or questions on this topic, please do share them either below or on HD Moore's blog post on it."

[PDF] https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

[View PDF Online]: http://view.samurajdata.se/

Tags: vulnerability, upnp, routers, isps, universal-plug-and-play, internet-service-providers, libupnp, miniupnpd 

###

(Part 6): Millions of devices vulnerable via UPnP

djwm@h-online.com (djwm) | 30 January 2013, 11:28

http://h-online.com/-1794032
http://www.h-online.com/security/news/item/Millions-of-devices-vulnerable-via-UPnP-1794032.html

"During an IP scan of all possible IPv4 addresses, Rapid7, the security firm that is known for the Metasploit attack framework, has discovered 40 to 50 million network devices that can potentially be compromised remotely with a single data packet. The company says that remote attackers can potentially inject code into these devices, and that this may, for example, enable them to gain unauthorised access to a user's local network.

All kinds of network-enabled devices including routers, IP cameras, NAS devices, printers, TV sets and media servers are affected. They all have several things in common: they support the Universal Plug and Play network protocol, respond to UPnP requests from the internet, and use a vulnerable UPnP library to do so.

Rapid7's Chief Security Officer HD Moore said that, when scanning the IPv4 addresses, 81 million IPs had responded to UPnP discovery requests. This is already most peculiar in itself, as UPnP is only supposed to play a role within local networks. The protocol enables network devices to find each other and, for example, exchange instructions. Discovery requests are usually broadcast, and UPnP-enabled devices in a network then respond to them. It appears that manufacturers didn't allow for the possibility that such packets could arrive as unicasts from the internet.

It became apparent that in 73 per cent of cases, the manufacturers of the responding devices had implemented the UPnP features using one of four development kits, with most of them using Intel's libupnp or MiniUPnP. The security company examined the source code of these two tools and found eight vulnerabilities – including seven buffer overflows – in the most widely used version of libupnp alone. Three of the holes still exist in version 1.6.17, which was current up until Tuesday. The vulnerabilities can be found in the SSDP parser's unique_service_name() function. To inject arbitrary code into the vulnerable devices, all a potential attacker needs to do is send a UDP packet in the following way:

M-SEARCH * HTTP/1.1 
Host:239.255.255.250:1900 
ST:uuid:schemas:device:AAAA[…]AAAA:anything 
Man:"ssdp:discover" 
MX:3 

The size of the network packet must not exceed 2,500 bytes, which should provide enough scope to inject a lean malicious program. In the obsolete (and still most widely-used) version 1.0 of MiniUPnP, the experts discovered two vulnerabilities that can be exploited to cripple affected devices (Denial of Service).

Rapid7 identified more than 6,900 vulnerable product versions by more than 1,500 vendors including D-Link, Fujitsu, Huawei, Logitech, Netgear, Siemens, Sony, TP-Link, Zyxel and many others. Although the vulnerabilities have been fixed in the current versions of the UPnP libraries – the updated version 1.2 of MiniUPnP is already two years old – most of the vulnerable devices are unlikely to be made safe any time soon. Many of them are probably long out of production and are no longer supported by their manufacturers.

The US-CERT has also released a vulnerability note concerning this threat and said that it has attempted to notify more than 200 affected vendors. The CERT recommends that the affected libraries should be updated – which most customers can't do themselves. Alternatively, the US-CERT said that users should implement firewall rules to block UDP port 1900 or, if possible, disable the UPnP feature. Disabling UPnP is likely the most viable option for the majority of users. Of course, the device must first offer an appropriate option and then actually cease to respond to requests via the WAN interface for this approach to be successful.

Rapid7 has provided a free tool called ScanNow UPnP that allows users to search IP address spaces for vulnerable devices. Users enter information about their personal network to activate the tool. Another option is the ssdp_msearch Metasploit module, which can be accessed via the Metasploit console as follows:

msf > use auxiliary/scanner/upnp/ssdp_msearch 
msf  auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24 
msf  auxiliary(ssdp_msearch) > run 

Users who discover a vulnerable device that responds to UDP packets from the internet on their network should seriously consider disabling the UPnP feature or, if necessary, decommission the device. Attackers can potentially exploit vulnerable devices to gain access to local networks – and Rapid7's report will likely inspire many a hacker to attempt to do just that."

http://www.rapid7.com/
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
http://pupnp.sourceforge.net/
http://miniupnp.free.fr/
http://www.kb.cert.org/vuls/id/922681
http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp

Copyright © 2013 Heise Media UK Ltd.
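The following is an added example and not code from any of the articles above, from Rapid7, or from the ssdp_msearch Metasploit module or ScanNow. It illustrates two things the collection describes: the unicast SSDP M-SEARCH probe from Part 6 (a datagram whose HOST header names the multicast group but which is delivered unicast to one address, which is how the Internet-wide scan found devices answering on their WAN side) and the version-to-vulnerability triage the Metasploit output in Part 2 performs. It builds the discovery datagram, parses a reply, and flags the two library versions the articles identify: Portable UPnP SDK (libupnp) releases before 1.6.18, and miniupnpd 1.0 with CVE-2013-0229 and CVE-2013-0230. The SERVER-string formats matched by the regular expressions, the sample reply, and the probe() network helper are assumptions of this example; the version thresholds and CVE identifiers are taken from the articles.

```python
"""Unicast SSDP M-SEARCH probe and vulnerable-stack triage (added example)."""
import re
import socket

SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st="ssdp:all", mx=3, host=f"{SSDP_ADDR}:{SSDP_PORT}"):
    """Build an SSDP M-SEARCH request.

    HOST always names the multicast group, but the datagram itself can be sent
    unicast to any address. A device that answers a unicast probe arriving on its
    WAN interface is the exposure the Rapid7 scan measured.
    """
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {host}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data):
    """Parse the HTTP-style header block of an SSDP reply.

    Returns a dict of lower-cased header names plus '_status' for the first
    line. Values are kept as text and never used to size a buffer, which is the
    mistake class behind the libupnp SSDP parser flaws.
    """
    head = data.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {"_status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


# Thresholds from the articles: Portable UPnP SDK fixed in 1.6.18; miniupnpd 1.0
# flagged by Metasploit with CVE-2013-0229 / CVE-2013-0230.
LIBUPNP_FIXED = (1, 6, 18)
MINIUPNP_VULN = (1, 0)


def assess_server(server):
    """Return a list of findings for a SERVER header value (empty if none).

    The SERVER string formats are assumed; real devices vary in wording.
    """
    findings = []
    m = re.search(r"Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", server, re.I)
    if m and tuple(int(x) for x in m.groups()) < LIBUPNP_FIXED:
        findings.append(
            f"Portable UPnP SDK {'.'.join(m.groups())}: SSDP unique_service_name() "
            "flaws, fixed in 1.6.18"
        )
    m = re.search(r"miniupnpd/(\d+)\.(\d+)", server, re.I)
    if m and tuple(int(x) for x in m.groups()) <= MINIUPNP_VULN:
        findings.append(f"miniupnpd {'.'.join(m.groups())}: CVE-2013-0229, CVE-2013-0230")
    return findings


def triage(data):
    """Parse one reply and attach findings; what a scan loop calls per datagram."""
    hdrs = parse_ssdp_response(data)
    hdrs["findings"] = assess_server(hdrs.get("server", ""))
    return hdrs


def probe(target, timeout=2.0):
    """Send one unicast M-SEARCH to target:1900; return triaged reply or None.

    Assumed helper: it needs a reachable device and is not exercised offline.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_msearch(), (target, SSDP_PORT))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return triage(data)


# Constructed sample reply modelled on the SERVER strings in the Metasploit
# output above; not captured from a real device.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: miniupnpd/1.0 UPnP/1.0\r\n"
    b"LOCATION: http://192.168.0.254:5000/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    r = triage(SAMPLE_REPLY)
    print(r["server"], r.get("location"), r["findings"])
```

Run without arguments it triages the constructed reply; point probe() at a host to send a real unicast M-SEARCH. Matching on the SERVER banner is the same heuristic the Metasploit module and ScanNow rely on, so a vendor that rewrites the banner will be missed and a device that answers from its WAN address is an exposure worth acting on even when no finding is attached.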

###

(Part 7): 50 Million Potentially Vulnerable To UPnP Flaws

Wednesday January 30, @02:17AM

http://tech.slashdot.org/story/13/01/30/022224/50-million-potentially-vulnerable-to-upnp-flaws

"In a project that found more than 80 million unique IP addresses responding to Universal Plug and Play (UPnP) discovery requests, researchers at Rapid7 were shocked to find that somewhere between 40 and 50 million of those are vulnerable to at least one of three known attacks. A Rapid7 white paper enumerated UPnP-exposed systems connected to the Internet and identified the number of vulnerabilities present in common configurations. Researchers found that more than 6,900 product models produced by 1,500 different vendors contained at least one known vulnerability, with 23 million systems housing the same remote code execution flaw. 'This research was primarily focused on vulnerabilities in the SSDP processor across embedded devices,' Rapid7's CSO HD Moore said. 'The general process was to identify what was out there, make a list of the most commonly used software stacks, and then audit those stacks for vulnerabilities. The results were much worse than we anticipated, with the most commonly used software stack (libupnp) also being the most vulnerable.'"

http://threatpost.com/en_us/blogs/50-million-potentially-vulnerable-upnp-flaws-012913
https://community.rapid7.com/docs/DOC-2150
https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

###
EOF
