SlideShare a Scribd company logo

U Plug, We Play - #BSidesMcr 28/06/2014

•
•
D
DTM Security

Presentation given at #BSidesMcr on some of the research he has been carrying out on UPnP. This presentation introduces a new open source tool called 'UPnP Pentest Tookit' available at http://upnp.ninja/ or https://github.com/nccgroup/UPnP-Pentest-Toolkit

Technology
1 of 33
U Plug, We Play David Middlehurst BSides Manchester 28 June 2014
Who am I? David Middlehurst Twitter: @dtmsecurity • Security Consultant / Engineer • Specialisms: • Application Security • Develops Security Testing Tools • Previous Internal / Client Research • Near Field Communications (NFC) • Virtualisation
Agenda • Introduce UPnP • Brief overview of UPnP specification • Introduce a new UPnP assessment tool • Tool overview • Discover UPnP targets • Interact with UPnP targets • Learn and save UPnP targets • Spoof UPnP targets on the network • Demo • UPnP device authorisation • Common Flaws • Implications of these flaws • Places you should expect to find bugs • Conclusion • How to get the tool
UPnP Universal Plug and Play (UPnP) allows devices to discover each others presence on a network and identify services that are available
UPnP – Basic Discovery Two main methods • Devices can announce that they are there by sending a “NOTIFY” packet • Devices can send out an “M-SEARCH” request asking for devices to reveal themselves if they meet the specified requirements
UPnP – NOTIFY Packet Devices periodically send multicast UDP packets to indicate they are online. This includes headers for the type of service they are offering and the URL to the XML device description. NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.15:8080/01c18570-b4a4- 4356-8afa-5eeac61aa583/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:85e5f606-c406-4c89-8af3- 5fc4ef27ee18
UPnP – M-SEARCH A device can probe for other UPnP devices by sending an M-SEARCH request. This can include a header asking for devices that have a specific service. M-SEARCH * HTTP/1.1 HOST:239.255.255.250:1900 ST: ssdp:all MAN: "ssdp:discover" MX:2
UPnP – M-SEARCH Devices respond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date: ST: urn:schemas-upnp-org:service:ContentDirectory:1 USN:uuid Location: http://192.168.0.15:8080/01c18570-b4a4-4356- 8afa-5eeac61aa583/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS: Server: UPnP-Pentest-Toolkit Ext:
New Tool Is Born – “UPnP Pentest Toolkit” Motivation: Lack of a security focused tool which provides easy access to the required information and allowed easy interaction and a framework to add new ideas. Aim: The aim of this tool is to bring together a range of UPnP assessment features, enabling a quick security assessment with minimal configuration and set-up.
UPnP Pentest Toolkit Windows GUI tool Written in C# Uses the libraries: • Managed UPnP • PcapDotNet
Discovery
Interaction
Interaction
Learning
Spoofing
Spoofing
Spoofing – Learnt Device
Spoofing – Learnt Device
Demo
Authorisation - Good Vendor Practices
Authorisation - Bad Vendor Practices •Mostly it’s a case of: “What do you mean by authorisation?” •Security by obscurity •Looking for fixed User Agents •Deviating from the specification slightly
Flaws – M-SEARCH Spoofing “Devices respond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from.” 60% of devices* I looked at will respond to any routable destination * Devices that should respond to M-SEARCH requests i.e. Media Servers responding to Media Players Of these device mostly all devices did not care about what UDP port they send traffic to. Those that did disallowed low ports i.e. 1-1024
Flaws – External Device URL’s NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.6:9090/685f34e2-9a75- 49c8-b642-2b1586ad4433/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 What happens if we specify a URL outside of the local subnet i.e. the internet 40% of devices / apps* that I looked at will make requests to any routable destination * That actually have a need to go and get device URLs i.e. Media Players looking for Media Servers Of these device mostly all devices did not care about what TCP port they send traffic to. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date:Wed, 25 Jun 2014 22:19:27 GMT ST:upnp:rootdevice USN:uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 Location:http://192.168.0.6:9090/685f34e2-9a75-49c8- b642-2b1586ad4433/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS:2404a5f72618151d22759c04a8cad0b6 Server:UPnP-Pentest-Toolkit Ext:
Flaws – External Traffic Possible implications of UPnP services not taking note of where they are sending traffic • Sounds like Denial of Service (DoS)? • Attacker sends one packet  Multiple packets sent to a target • Attacker sends one packet  Multiple devices send packets to a target • Send a small packet  Bigger packets sent to a target • Influence over audit activity: • Malware Beacon Signatures • Dodgy Web Sites • Port scanning • Trust Boundaries…
Trust Boundaries Connect your work laptop to your home LAN (Untrusted) You have some UPnP service i.e. Running a media player Attacker on your home LAN can cause UDP/TCP traffic on your work LAN (Trusted)
Bugs to look for • Do devices and apps impose limits on the size of files they attempt to download? • Do they assume that all they have to process is a small XML file? • How do they handle traditional XML base attacks? i.e. XML Entity Injection (XXE) • When they have parsed the information do they safely handle it?
Memory Management Many UPnP implementations reviewed have problems i.e. Lots of iOS apps
Where are we heading? “UPnP+ will expand beyond the group's traditional work on devices using Internet Protocol on WiFi LANs to create bridges to wide-area networks and non-IP devices.” "Today there's not a good standard for accessing devices across any network, but UPnP [Forum] is working on it," said Alan Messer, a Samsung researcher in San Jose who is vice president of UPnP [Forum].“ From: http://www.eetindia.co.in/ART_8800698124_1800001_NT_8dd16112.HTM
Conclusion • I think UPnP can be a hidden gem on security assessments • The more a security professional experiences UPnP the more alarm bells start to ring • Vendor best practices vary to huge degree • I have introduced new common classes of bug. I am sure there are plenty of bugs to be identified. • Hopefully UPnP Pentest Toolkit will be a useful tool for people who want to assess UPnP targets or get started with carrying out research in this area • The future looks even more scary! Watch this space, hopefully I will present on some of this in the years to come
Get UPnP Pentest Toolkit NCC Group GitHub: https://github.com/nccgroup/UPnP-Pentest-Toolkit Goto: upnp.ninja
Keep updated Tool: Via GitHub page or the ‘About’ Dialog Research: Follow @dtmsecurity @nccgroupinfosec
Questions?
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

Recommended

Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
AlienVault
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
U Plug, We Play - NED Summit. Cork, Ireland
U Plug, We Play - NED Summit. Cork, IrelandU Plug, We Play - NED Summit. Cork, Ireland
U Plug, We Play - NED Summit. Cork, Ireland
DTM Security
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 

Recommended

Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
AlienVault
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
n|u - The Open Security Community
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
DTM Security
 
U Plug, We Play - NED Summit. Cork, Ireland
U Plug, We Play - NED Summit. Cork, IrelandU Plug, We Play - NED Summit. Cork, Ireland
U Plug, We Play - NED Summit. Cork, Ireland
DTM Security
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Pixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
apidays
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Deepika Singh
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel AraĂşjo
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
wesley chun
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Zilliz
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Zilliz
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Andrey Devyatkin
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
The Digital Insurer
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
marketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Skeleton Technologies
 

More Related Content

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel AraĂşjo
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

Featured

Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Applitools
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
Alireza Esmikhani
 

Featured (20)

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 

U Plug, We Play - #BSidesMcr 28/06/2014

  • 1. U Plug, We Play David Middlehurst BSides Manchester 28 June 2014
  • 2. Who am I? David Middlehurst Twitter: @dtmsecurity • Security Consultant / Engineer • Specialisms: • Application Security • Develops Security Testing Tools • Previous Internal / Client Research • Near Field Communications (NFC) • Virtualisation
  • 3. Agenda • Introduce UPnP • Brief overview of UPnP specification • Introduce a new UPnP assessment tool • Tool overview • Discover UPnP targets • Interact with UPnP targets • Learn and save UPnP targets • Spoof UPnP targets on the network • Demo • UPnP device authorisation • Common Flaws • Implications of these flaws • Places you should expect to find bugs • Conclusion • How to get the tool
  • 4. UPnP Universal Plug and Play (UPnP) allows devices to discover each others presence on a network and identify services that are available
  • 5. UPnP – Basic Discovery Two main methods • Devices can announce that they are there by sending a “NOTIFY” packet • Devices can send out an “M-SEARCH” request asking for devices to reveal themselves if they meet the specified requirements
  • 6. UPnP – NOTIFY Packet Devices periodically send multicast UDP packets to indicate they are online. This includes headers for the type of service they are offering and the URL to the XML device description. NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.15:8080/01c18570-b4a4- 4356-8afa-5eeac61aa583/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:85e5f606-c406-4c89-8af3- 5fc4ef27ee18
  • 7. UPnP – M-SEARCH A device can probe for other UPnP devices by sending an M-SEARCH request. This can include a header asking for devices that have a specific service. M-SEARCH * HTTP/1.1 HOST:239.255.255.250:1900 ST: ssdp:all MAN: "ssdp:discover" MX:2
  • 8. UPnP – M-SEARCH Devices respond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date: ST: urn:schemas-upnp-org:service:ContentDirectory:1 USN:uuid Location: http://192.168.0.15:8080/01c18570-b4a4-4356- 8afa-5eeac61aa583/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS: Server: UPnP-Pentest-Toolkit Ext:
  • 9. New Tool Is Born – “UPnP Pentest Toolkit” Motivation: Lack of a security focused tool which provides easy access to the required information and allowed easy interaction and a framework to add new ideas. Aim: The aim of this tool is to bring together a range of UPnP assessment features, enabling a quick security assessment with minimal configuration and set-up.
  • 10. UPnP Pentest Toolkit Windows GUI tool Written in C# Uses the libraries: • Managed UPnP • PcapDotNet
  • 19. Demo
  • 20. Authorisation - Good Vendor Practices
  • 21. Authorisation - Bad Vendor Practices •Mostly it’s a case of: “What do you mean by authorisation?” •Security by obscurity •Looking for fixed User Agents •Deviating from the specification slightly
  • 22. Flaws – M-SEARCH Spoofing “Devices respond by sending a 'HTTP 1/1 200" response via UDP to the source IP and source port that the M-SEARCH packet originated from.” 60% of devices* I looked at will respond to any routable destination * Devices that should respond to M-SEARCH requests i.e. Media Servers responding to Media Players Of these device mostly all devices did not care about what UDP port they send traffic to. Those that did disallowed low ports i.e. 1-1024
  • 23. Flaws – External Device URL’s NOTIFY * HTTP/1.1 Cache-Control: max-age = 300 Host: 239.255.255.250:1900 Location: http://192.168.0.6:9090/685f34e2-9a75- 49c8-b642-2b1586ad4433/ NT: urn:schemas-upnp- org:service:WANPPPConnection:1 NTS: ssdp:alive SERVER: UPnP-Pentest-Toolkit USN: uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 What happens if we specify a URL outside of the local subnet i.e. the internet 40% of devices / apps* that I looked at will make requests to any routable destination * That actually have a need to go and get device URLs i.e. Media Players looking for Media Servers Of these device mostly all devices did not care about what TCP port they send traffic to. HTTP/1.1 200 OK Cache-Control:max-age = 300 Date:Wed, 25 Jun 2014 22:19:27 GMT ST:upnp:rootdevice USN:uuid:685f34e2-9a75-49c8-b642-2b1586ad4433 Location:http://192.168.0.6:9090/685f34e2-9a75-49c8- b642-2b1586ad4433/ OPT:"http://schemas.upnp.org/upnp/1/0/"; ns=01 01-NLS:2404a5f72618151d22759c04a8cad0b6 Server:UPnP-Pentest-Toolkit Ext:
  • 24. Flaws – External Traffic Possible implications of UPnP services not taking note of where they are sending traffic • Sounds like Denial of Service (DoS)? • Attacker sends one packet  Multiple packets sent to a target • Attacker sends one packet  Multiple devices send packets to a target • Send a small packet  Bigger packets sent to a target • Influence over audit activity: • Malware Beacon Signatures • Dodgy Web Sites • Port scanning • Trust Boundaries…
  • 25. Trust Boundaries Connect your work laptop to your home LAN (Untrusted) You have some UPnP service i.e. Running a media player Attacker on your home LAN can cause UDP/TCP traffic on your work LAN (Trusted)
  • 26. Bugs to look for • Do devices and apps impose limits on the size of files they attempt to download? • Do they assume that all they have to process is a small XML file? • How do they handle traditional XML base attacks? i.e. XML Entity Injection (XXE) • When they have parsed the information do they safely handle it?
  • 27. Memory Management Many UPnP implementations reviewed have problems i.e. Lots of iOS apps
  • 28. Where are we heading? “UPnP+ will expand beyond the group's traditional work on devices using Internet Protocol on WiFi LANs to create bridges to wide-area networks and non-IP devices.” "Today there's not a good standard for accessing devices across any network, but UPnP [Forum] is working on it," said Alan Messer, a Samsung researcher in San Jose who is vice president of UPnP [Forum].“ From: http://www.eetindia.co.in/ART_8800698124_1800001_NT_8dd16112.HTM
  • 29. Conclusion • I think UPnP can be a hidden gem on security assessments • The more a security professional experiences UPnP the more alarm bells start to ring • Vendor best practices vary to huge degree • I have introduced new common classes of bug. I am sure there are plenty of bugs to be identified. • Hopefully UPnP Pentest Toolkit will be a useful tool for people who want to assess UPnP targets or get started with carrying out research in this area • The future looks even more scary! Watch this space, hopefully I will present on some of this in the years to come
  • 30. Get UPnP Pentest Toolkit NCC Group GitHub: https://github.com/nccgroup/UPnP-Pentest-Toolkit Goto: upnp.ninja
  • 31. Keep updated Tool: Via GitHub page or the ‘About’ Dialog Research: Follow @dtmsecurity @nccgroupinfosec
  • 33. UK Offices Manchester - Head Ofce Cheltenham Edinburgh Leatherhead London Milton Keynes North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland