The well-known for the attack Metasploit Framework security firm Rapid7, [1] with an IP scan of all possible IPv4 addresses discovered 40 to 50 million network devices [2], which could be compromised by a single data packet from a distance. The devices can be remotely inject code and they just about abuse potential as a springboard to their local network.
Affected network devices from all areas - routers, IP cameras, NAS, printers, televisions, media server. You have several things in common: They support the network protocol Universal Plug and Play, respond to UPnP requests from the Internet and use a vulnerable UPnP library.
According to HD Moore, Rapid7 chief during scanning of IPv4 addresses 81 million IPs have responded to so-called UPnP Discovery Requests. And that alone is very surprising, because UPnP is usually only on the local network plays a role. The protocol helps network users to find each other and talk about commands. Normally this discovery requests are sent as a broadcast, whereupon the UPnP-enabled devices on the network then reply. Apparently, the producers did not expect that such packets as unicast can come from the Internet.
It was found that the manufacturer of the responding units had implemented the UPnP features to 73 percent with one of four development kits, primarily based on Intel's libupnp [3] and MiniUPnP [4]. The security firm buttoned before the source code of the two tools, and discovered only in the most common version of libupnp eight vulnerabilities - including seven buffer overflows. Three of the holes are also in version 1.6.17 contain that was still relevant. All vulnerabilities are in the function unique_service_name()
to find the SSDP parser. To inject their own code into the vulnerable devices, an attacker must only send a UDP packet with the following pattern:
M-SEARCH * HTTP/1.1
Host: 239.255.255.250:1900
ST: uuid: schemas: device: AAAA [...] AAAA: anything
Man: "ssdp: discover"
MX: 3
The network packet must not be larger than 2500 bytes, which for introducing a lean malicious program but should be sufficient. In the outdated (and simultaneously most common) MiniUPnP version 1.0, the experts discovered two vulnerabilities, which can be put on the affected devices lame. (Denial of Service)
Rapid7 could identify vulnerable devices in over 6900 versions of more than 1500 manufacturers, including D-Link, Fujistu, Huawei, Logitech, Netgear, Siemens, Sony, TP-Link, Zyxel, and many more. Although the vulnerabilities in the current versions of the UPnP libraries have been fixed - a patched MiniUPnP version 1.2 is even two years old, you can not expect that the bulk of the vulnerable devices is secured too soon. Many of the vulnerable devices are probably long since no longer produced and no longer supported by the manufacturer.
US-CERT warns also [5] of the danger. It has tried to write more than 200 of the companies involved. The CERT recommends, among other things, to update the affected libraries - what you as a customer can not usually personally. Alternatively, should you have firewall rules to block UDP port 1900 or disable the UPnP function, if possible. The latter option would come for most users most of the question. Prerequisite course, is that the device does offer an option - and then actually will not start on the requests over the WAN interface.
Rapid7 offers a tool called the SCANNOW UPnP, which one can cover itself ranges of IP addresses for vulnerable devices. To activate the tool, you have to enter their personal information. There is also a Metasploit module named ssdp_msearch, the stumbling over the Metasplot console as follows:
msf> use auxiliary / scanner / upnp / ssdp_msearch
msf auxiliary (ssdp_msearch)> set rhosts 192.168.0.0/24
msf auxiliary (ssdp_msearch)> run
Who discovered in his inventory a vulnerable device, which starts on UDP packets from the Internet should seriously consider turning off the UPnP function of the device or, if necessary, to send to retire. Vulnerable devices can potentially abuse attacker as a springboard into the local network - and the Rapid7 report should inspire many a hacker to try exactly that.