Why UPnP is awesome and terrifying
 

An explanation of how UPnP works, and why it is an inherently dangerous protocol.

Presentation Transcript

    • © 2012 Why UPnP is Awesome …and Terrifying
        • Presented by: Daniel Crowley
    • Who am I?
        • Daniel Crowley
        • Managing Consultant
        • Trustwave – SpiderLabs – AppSec
        • dcrowley@trustwave.com
        • @dan_crowley
    • How UPnP works
    • Phases of UPnP Protocol
        • Addressing
        • Discovery
        • Description
        • Control
        • Eventing
        • Presentation
    • Addressing
        • Acquire network address
            – DHCP
        • Associate with multicast group
    • Discovery
        • M-SEARCH (request)
            – HTTPMU
                • Multicast
                • UDP
            – Port 1900
    • Discovery – M-SEARCH
    • Discovery
        • NOTIFY
            – HTTPMU
                • Multicast
                • UDP
            – Port 1900
    • Discovery – NOTIFY
    • Description
        • Unicast HTTP
        • Grab/parse UPnP description XML files
    • Control
        • Unicast HTTP
        • SOAP
    • Eventing
        • GENA – HTTP based
        • SUBSCRIBE, POLL and NOTIFY
        • May be implemented by UPnP device
    • Presentation
        • Description phase provides root XML file
        • Root XML file can contain presentation URI
        • URI is HTTP resource for alternate control or view
    • Awesome
        • Kittens
        • Missiles
    • Why it’s awesome
        • Universal control protocol
            – Traditional network devices
            – Network-attached devices
            – AV Gear
        • Ease of device deployment
            – Self-configuring devices
    • Terrifying
        • No authentication built in
            – DeviceProtection
            – UPnP security
        • Some actions exposed are awful
            – RunLua
            – SetDNSServer
            – UpdateFirmware
    • Remote Keystrokes?
    • Arm/Disarm Alarm System?
    • Add entry PINs to door lock?
    • Terrifying
        • Being used for:
            – Door Locks
            – Security Cameras
            – Motion Sensors
            – Alarm Systems
            – Electrical Outlets
    • Terrifying
        • Control is built on Unicast HTTP
            – CSRF
                • Javascript
                • Flash
                • Silverlight
    • UPnP Daemons
        • Full
        • Of
        • Holes
    • Flaws in UPnP actions
        • Traditional application security flaws
            – Shell injection
            – Memory corruption
    • Demo: Belkin WeMo
    • Demo: BubbleUPnP
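
The discovery and description phases outlined in the slides, as an added example that is not part of the original presentation: it parses an SSDP response and the root description XML to inventory the control endpoints a device exposes, which is the list a defender needs when deciding what to firewall or disable. The device address, UUID, service type and paths are constructed sample data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# The M-SEARCH request a control point multicasts over UDP (HTTPMU, port 1900).
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            "MX: 2\r\n"
            "ST: upnp:rootdevice\r\n\r\n")

# Constructed unicast reply from a hypothetical device at 192.0.2.10.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"LOCATION: http://192.0.2.10:49152/setup.xml\r\n"
                   b"ST: upnp:rootdevice\r\n"
                   b"USN: uuid:example-0001::upnp:rootdevice\r\n\r\n")

# Constructed root description XML, as fetched from LOCATION in the description phase.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <presentationURL>/index.html</presentationURL>
    <serviceList>
      <service>
        <serviceType>urn:example:service:basicevent:1</serviceType>
        <controlURL>/upnp/control/basicevent1</controlURL>
        <SCPDURL>/eventservice.xml</SCPDURL>
      </service>
    </serviceList>
  </device>
</root>"""

NS = {"d": "urn:schemas-upnp-org:device-1-0"}

def parse_ssdp(datagram):
    """Return the headers of an SSDP message as a dict with upper-cased names."""
    lines = datagram.decode("utf-8", "replace").split("\r\n")[1:]
    pairs = (l.split(":", 1) for l in lines if ":" in l)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def exposed_endpoints(location, xml_text):
    """List each service control URL (and the presentation URL) as absolute URLs."""
    # Device-supplied XML is untrusted; use a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(xml_text)
    out = [(s.findtext("d:serviceType", "", NS), urljoin(location, s.findtext("d:controlURL", "", NS)))
           for s in root.iter("{urn:schemas-upnp-org:device-1-0}service")]
    pres = root.findtext(".//d:presentationURL", None, NS)
    if pres:
        out.append(("presentation", urljoin(location, pres)))
    return out
```

Every URL returned by `exposed_endpoints` accepts plain unicast HTTP, so each one is a candidate for network segmentation or for disabling the service on the device.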