Let's Talk About SOAP, Baby. Let's Talk About UPnP.

Lets talk about SOAP, baby. Lets talk about UPnP.Ricky HeadlessZeke Lawshae InfosecSouthwest 2015

Do you have any idea who I am?Security Researcher for HP TippingPoints DVLabs teamAt Rapid7 before that, and BreakingPoint before thatSpeaker at Defcon, Recon, Insomnihack, and RuxconVoider of warrantiesReader of comic booksDrinker of beersTRIVIA: I once got a job at a police department while I had 4 active warrants out for my arrest.

What are we talking about?The Internet of Things (ugh)Its here, whether you like it or notJust put a network interface on it. Well worry about why later.Smart devices arent very smartNeed simple way to talk to each otherEase-of-use: Get the tech out of the way of UXOften accomplished with SOAP/UPnP servicesSuper talkativeHappily tell you all their capabilities in a well-structured formatAlso, dont bother themselves with pesky issues like security

What are we talking about?UPnPUniversal Plug and PlaySSDPSimple Service Discovery ProtocolSCPDService Control Protocol DefinitionSOAPSimple Object Access Protocol

Lets talk about all the good things

UPnP1900/UDPHTTP over UDP allowing devices to discover each otherMulticast 239.255.255.250UPnP Stack[1]DiscoveryAdvertising and SearchingDescriptionAn XML file describing the deviceControlCall an action or query for a valueEventingUsed for announcing state changesPresentationUIweb page or management portal I guess?[1] http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.0-20080424.pdf

UPnP DiscoveryAll you need to know about discovery. Also, this is the really noisy part.

UPnP DescriptionXML file usually hosted on a high number TCP portVersion infoupnp.org spec Usually just 1.0Device definitionsDevice typeMake/model/UUIDService listService typeSCPD URL Control URLEvent URL

UPnP Description 1 0 http://10.0.0.1:5000/ VEN_01f2&&REV_01 NetworkInfrastructure.Router Network.Router.Wireless urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:device:InternetGatewayDevice:1 WNDR3400v2 (Gateway) NETGEAR, Inc. http://www.NETGEAR.com NETGEAR WNDR3400v2 N600 Wireless Router WNDR3400v2 WNDR3400v2 http://www.netgear.com uuid:bc567461-ee40-a9c2-39d3-5338c402cc8d urn:schemas-upnp-org:service:Layer3Forwarding:1 urn:upnp-org:serviceId:L3Forwarding1 /Public_UPNP_Layer3F.xml /Public_UPNP_C1 /Public_UPNP_Event_1

UPnP SCPDXML file defining the service actions and argumentsVersion infoSame deal as descriptionAction listAction nameArgumentsArgument nameDirection (input/output)Variable nameVariable listVariable nameData type

UPnP SCPD
SetDefaultConnectionService NewDefaultConnectionService in DefaultConnectionService GetDefaultConnectionService NewDefaultConnectionService out DefaultConnectionService DefaultConnectionService string

UPnP ControlThis is where SOAP comes in (finally!)Mostly just frontends for an RPC service or CGI scriptSOAP envelopesXML-formatted API callsService type from description XMLAction name and arguments from SCPD XMLPOST envelope to control URL

UPnP ControlPOST /Public_UPNP_C1 HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "urn:schemas-upnp-org:service:Layer3Forwarding:1#SetDefaultConnectionService"Content-Length: 568Host: x.x.x.x:12345
blah

But what can you do with it?

But what can you do with it?Control AV equipmentHome automationNetwork administrationPhysical security systems (ok, easy there buddy)Industrial monitoring and control (uhwhat?)And this is just the official specs

Neat, soAll our devices can talk to each other!Brave new worlds of remote control and automation!Have your toaster turn on the lights, set the TV to the news channel, and send you a text message when breakfast is ready!The future is now!Nothing could possibly go wrong!

And the bad things

What about security?Embedded devicesLimited memory and processing powerBoard dev and software dev are often completely different companiesCopy-and-paste developmentKeep costs lowNot exactly concerned/knowledgeableDeploymentMillions of internet-facing UPnP-enabled devicesToo many vendors to countFrontend is standardized, backend varies even within same vendorDifficult to patch/update firmwareJust because you can, doesnt mean you should

What about security?XML parsing is hardNeeds lots of system resourcesFree-form, user-supplied dataIn 2013, 2.5% of CVEs were XML-related[2]Of those, almost 36% had CVSS severity of 7 or aboveAs the use-case for XML grows, so do the classes of vulnsRecursion bugs, XXE, command injection, etc[2] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xml

Attack surfaceUPnP serviceHTTP header parsingSSDP parsingOS command injectionInformation disclosureSOAP serviceHTTP header parsingXML parsingInjection vulnsOS commandSQL injectionSOAP injectionInformation disclosureRidiculous levels of unauthenticated device control

Attack surface UPnPCVE-2012-5958Disclosed a couple years ago by HD Moore (one of many)https://community.rapid7.com/docs/DOC-2150Calls strncpy to copy a string from the ST header into TempBuf[COMMAND_LEN]Size argument for strncpy is based on number of characters between colons

Attack surface UPnPCVE-2012-5958Disclosed a couple years ago by HD Moore (one of many)https://community.rapid7.com/docs/DOC-2150Calls strncpy to copy a string from the ST header into TempBuf[COMMAND_LEN]Size argument for strncpy is based on number of characters between colonsM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:uuid:schemas:device:[string longer than COMMAND_LEN]:blahMan:"ssdp:discover"MX:3

Attack surface UPnPD-Link DIR-815 UPnP Command InjectionDisclosed Feb 2013 by Zach Cutliphttp://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.htmlContents of ST header get passed as arguments to M-SEARCH.shNo validation or sanitization

Attack surface UPnPD-Link DIR-815 UPnP Command InjectionDisclosed Feb 2013 by Zach Cutliphttp://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.htmlContents of ST header get passed as arguments to M-SEARCH.shNo validation or sanitizationM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:uuid:`[shell command]`Man:"ssdp:discover"MX:3

Attack surface SOAPXBMC soap_action_name Buffer OverflowDisclosed Oct 2010 by n00bhttp://www.exploit-db.com/exploits/15347/ProcessHttpPostRequest function allocates statically-sized bufferCalls sscanf to copy value of SOAPAction header into it with no bounds checking

Attack surface SOAPXBMC soap_action_name Buffer OverflowDisclosed Oct 2010 by n00bhttp://www.exploit-db.com/exploits/15347/ProcessHttpPostRequest function allocates statically-sized bufferCalls sscanf to copy value of SOAPAction header into it with no bounds checkingPOST /AVTransport/[UUID]/control.xml HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "urn:schemas-upnp-org:service:AVTransport:1#[more than 100 bytes]"Content-Length: [length of req]Host: x.x.x.x:50988

Attack surface SOAPBroadcom SetConnectionType Format String VulnerabilityDisclosed a couple years ago by Leon Juranic and Vedran Kajichttp://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txtSetConnectionType action feeds value of NewConnectionType argument to snprintfNo sanitization of user-controlled value

Attack surface SOAPBroadcom SetConnectionType Format String VulnerabilityDisclosed a couple years ago by Leon Juranic and Vedran Kajichttp://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txtSetConnectionType action feeds value of NewConnectionType argument to snprintfNo sanitization of user-controlled value
[format string]

Attack surface SOAPCVE-2014-3242Disclosed last year by pnig0shttp://www.pnigos.com/?p=260SOAPpy allows declaration of user-defined XML External Entities in SOAP requestNo sanitization of user-controlled value

Attack surface SOAPCVE-2014-3242Disclosed last year by pnig0shttp://www.pnigos.com/?p=260SOAPpy allows declaration of user-defined XML External Entities in SOAP requestNo sanitization of user-controlled value
&xxe;

Attack surface SOAPCVE-2014-2928Disclosed last year by Brandon Perry (PBerry Crunch!)http://seclists.org/fulldisclosure/2014/May/32F5 iControl API set_hostname action passes value of hostname argument to shellOnce again, no sanitization of user-controlled value

Attack surface SOAPCVE-2014-2928Disclosed last year by Brandon Perry (PBerry Crunch!)http://seclists.org/fulldisclosure/2014/May/32F5 iControl API set_hostname action passes value of hostname argument to shellOnce again, no sanitization of user-controlled value
`[shell command]`.whatever.com

Attack surface SOAPCVE-2011-4499, CVE-2011-4500, CVE-2011-4501, CVE-2011-4503, CVE-2011-4504, CVE-2011-4505, CVE-2011-4506, more?Disclosed at Defcon 19 by Daniel Garciahttp://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdfUPnP IGD uses actions such as AddPortMapping and DeletePortMapping to allow for remote administration of routing rulesLacks authentication and is available on WAN interfaceGives attackers the ability to perform:NAT traversalExternal/internal host port mappingExternal network scanning of internal LAN

DEMO TIME

Conclusion

Playing along at homeKnow your networkM-SEARCH every network you connect toWatch for new NOTIFY messagesIf you dont need UPnP, disable itIf not on the device, then at the routerKeep on top of firmware updatesNot always automaticFuzz the crap out of itBurp http://portswigger.net/burp/WSFuzzer https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_ProjectMiranda http://code.google.com/p/miranda-upnp/My stuffif I ever release it, which I probably wont

Hit me up
@HeadlessZeke on twitter
Usually lurking on freenode as HeadlessZeke
headlesszeke@hp.com

Thank you!