1. What is UPNP ?
Universal Plug and Play (UPnP) is a protocol standard that allows easy communication between computers and network-enabled devices. This protocol is enabled by default on millions of systems, including routers, printers, media servers, smart TVs, and network storage servers. UPnP support is enabled by default on Microsoft Windows, Mac OS X, and many distributions of Linux.
The UPnP protocol suffers from a number of basic security problems, many of which have been highlighted over the last twelve years. Authentication is rarely implemented by device manufacturers, privileged capabilities are often exposed to untrusted networks, and common programming flaws plague common UPnP software implementations. These issues are endemic across UPnP-enabled applications and network devices.
2. UPnP architecture and how it’s work ?
Basic abstractions of the UPnP device architecture includes three major components.
- Control points
- A physical device may have more than one root device. A root device can have multiple embedded devices. Thus UPnP provides a very flexible logical arrangement.
A device will have a state table that maintains state variables. All operations on devices are based on the states of these state variables.
*UPnP stack layout *
The UPnP stack consists of 6 layers, one of which is optional:
- As soon as a UPnP device gets an address, it searches for presence of other UPnP services in the network. It also announces presence to other devices present in the network. This is done using Simple Service Discovery Protocol (SSDP) over HTTPMU
- Once a device identifies other devices available in the network, it obtains service details of required devices in the network. The device should also provide its capability details to other devices requesting it
- A Control point can invoke the functionality provided by a service via SOAP messages. Simple Object Access Protocol (SOAP) is a Microsoft technology used for cross platform RPCs. Once a device service receives a message, it has to act upon it
- UPnP follows a publisher-subscriber model to notify monitoring/interested control points about change in the state variable. General Event Notification Architecture (GENA) is used for event notifications.
- UPnP devices also provide a browser based, manual interface. It is HTML based and the presentation URL is part of device descriptor document (DDD) that is provided as part of the description process.
Now, let us visit each of the stages in detail
* The extra, optional, step is ‘addressing’.
* A UPnP device aquires an address using either DHCP or AutoIP as soon as it joins the network. This enables Adhoc , Zero Configuration networking.
3. UPnP vulnerabilities
Malware On Your Network Can Use UPnP
A virus, Trojan horse, worm, or other malicious program that manages to infect a computer on your local network can use UPnP, just like legitimate programs can. While a router normally blocks incoming connections, preventing some malicious access, UPnP could allow a malicious program to bypass the firewall entirely. For example, a Trojan horse could install a remote control program on your computer and open a hole for it in your router’s firewall, allowing 24/7 access to your computer from the Internet.
UPnP doesn’t require any sort of authentication from the user. Any application running on your computer can ask the router to forward a port over UPnP, which is why the malware above can abuse UPnP. You might assume that you’re secure as long as no malware is running on any local devices – but you’re probably wrong.
Bad UPnP Implementations on Routers
The UPnP Hacks website contains a detailed list of security issues in the ways different routers implement UPnP. These aren’t necessarily problems with UPnP itself; they’re often problems with UPnP implementations. For example, many routers’ UPnP implementations don’t check input properly. A malicious application might ask a router to redirect network to remote IP addresses on the Internet (instead of local IP addresses), and the router would comply. On some Linux-based routers, it’s possible to exploit UPnP to run commands on the router. (Source) The website lists many other such problems.
4. Exploit Vulnerabilities
- I’m use metasploit to test UPnP error , example below is commands to test to know the target’s vulnerability UPnP :
- The next step depend your skill, I’m not good at malware.
UPnP Device Architecture