prev
next
out of 42

Let's Talk About SOAP, Baby. Let's Talk About UPnP

  • View
    238

  • Download
    9

Tags:

Embed Size (px)

Text of Let's Talk About SOAP, Baby. Let's Talk About UPnP

  • Lets talk about SOAP, baby. Lets talk about UPnP.Ricky HeadlessZeke Lawshae InfosecSouthwest 2015

  • Do you have any idea who I am?Security Researcher for HP TippingPoints DVLabs teamAt Rapid7 before that, and BreakingPoint before thatSpeaker at Defcon, Recon, Insomnihack, and RuxconVoider of warrantiesReader of comic booksDrinker of beersTRIVIA: I once got a job at a police department while I had 4 active warrants out for my arrest.

  • What are we talking about?The Internet of Things (ugh)Its here, whether you like it or notJust put a network interface on it. Well worry about why later.Smart devices arent very smartNeed simple way to talk to each otherEase-of-use: Get the tech out of the way of UXOften accomplished with SOAP/UPnP servicesSuper talkativeHappily tell you all their capabilities in a well-structured formatAlso, dont bother themselves with pesky issues like security

  • What are we talking about?UPnPUniversal Plug and PlaySSDPSimple Service Discovery ProtocolSCPDService Control Protocol DefinitionSOAPSimple Object Access Protocol

  • Lets talk about all the good things

  • UPnP1900/UDPHTTP over UDP allowing devices to discover each otherMulticast 239.255.255.250UPnP Stack[1]DiscoveryAdvertising and SearchingDescriptionAn XML file describing the deviceControlCall an action or query for a valueEventingUsed for announcing state changesPresentationUIweb page or management portal I guess?[1] http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.0-20080424.pdf

  • UPnP DiscoveryAll you need to know about discovery. Also, this is the really noisy part.

  • UPnP DiscoveryAll you need to know about discovery. Also, this is the really noisy part.

  • UPnP DescriptionXML file usually hosted on a high number TCP portVersion infoupnp.org spec Usually just 1.0Device definitionsDevice typeMake/model/UUIDService listService typeSCPD URL Control URLEvent URL

  • UPnP Description 1 0 http://10.0.0.1:5000/ VEN_01f2&&REV_01 NetworkInfrastructure.Router Network.Router.Wireless urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:device:InternetGatewayDevice:1 WNDR3400v2 (Gateway) NETGEAR, Inc. http://www.NETGEAR.com NETGEAR WNDR3400v2 N600 Wireless Router WNDR3400v2 WNDR3400v2 http://www.netgear.com uuid:bc567461-ee40-a9c2-39d3-5338c402cc8d urn:schemas-upnp-org:service:Layer3Forwarding:1 urn:upnp-org:serviceId:L3Forwarding1 /Public_UPNP_Layer3F.xml /Public_UPNP_C1 /Public_UPNP_Event_1

  • UPnP Description 1 0 http://10.0.0.1:5000/ VEN_01f2&&REV_01 NetworkInfrastructure.Router Network.Router.Wireless urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:device:InternetGatewayDevice:1 WNDR3400v2 (Gateway) NETGEAR, Inc. http://www.NETGEAR.com NETGEAR WNDR3400v2 N600 Wireless Router WNDR3400v2 WNDR3400v2 http://www.netgear.com uuid:bc567461-ee40-a9c2-39d3-5338c402cc8d urn:schemas-upnp-org:service:Layer3Forwarding:1 urn:upnp-org:serviceId:L3Forwarding1 /Public_UPNP_Layer3F.xml /Public_UPNP_C1 /Public_UPNP_Event_1

  • UPnP SCPDXML file defining the service actions and argumentsVersion infoSame deal as descriptionAction listAction nameArgumentsArgument nameDirection (input/output)Variable nameVariable listVariable nameData type

  • UPnP SCPD

    SetDefaultConnectionService NewDefaultConnectionService in DefaultConnectionService GetDefaultConnectionService NewDefaultConnectionService out DefaultConnectionService DefaultConnectionService string

  • UPnP SCPD

    SetDefaultConnectionService NewDefaultConnectionService in DefaultConnectionService GetDefaultConnectionService NewDefaultConnectionService out DefaultConnectionService DefaultConnectionService string

  • UPnP ControlThis is where SOAP comes in (finally!)Mostly just frontends for an RPC service or CGI scriptSOAP envelopesXML-formatted API callsService type from description XMLAction name and arguments from SCPD XMLPOST envelope to control URL

  • UPnP ControlPOST /Public_UPNP_C1 HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "urn:schemas-upnp-org:service:Layer3Forwarding:1#SetDefaultConnectionService"Content-Length: 568Host: x.x.x.x:12345

    blah

  • TL;DR

  • But what can you do with it?

  • But what can you do with it?Control AV equipmentHome automationNetwork administrationPhysical security systems (ok, easy there buddy)Industrial monitoring and control (uhwhat?)And this is just the official specs

  • Neat, soAll our devices can talk to each other!Brave new worlds of remote control and automation!Have your toaster turn on the lights, set the TV to the news channel, and send you a text message when breakfast is ready!The future is now!Nothing could possibly go wrong!

  • And the bad things

  • What about security?Embedded devicesLimited memory and processing powerBoard dev and software dev are often completely different companiesCopy-and-paste developmentKeep costs lowNot exactly concerned/knowledgeableDeploymentMillions of internet-facing UPnP-enabled devicesToo many vendors to countFrontend is standardized, backend varies even within same vendorDifficult to patch/update firmwareJust because you can, doesnt mean you should

  • What about security?XML parsing is hardNeeds lots of system resourcesFree-form, user-supplied dataIn 2013, 2.5% of CVEs were XML-related[2]Of those, almost 36% had CVSS severity of 7 or aboveAs the use-case for XML grows, so do the classes of vulnsRecursion bugs, XXE, command injection, etc[2] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xml

  • Attack surfaceUPnP serviceHTTP header parsingSSDP parsingOS command injectionInformation disclosureSOAP serviceHTTP header parsingXML parsingInjection vulnsOS commandSQL injectionSOAP injectionInformation disclosureRidiculous levels of unauthenticated device control

  • Attack surface UPnPCVE-2012-5958Disclosed a couple years ago by HD Moore (one of many)https://community.rapid7.com/docs/DOC-2150Calls strncpy to copy a string from the ST header into TempBuf[COMMAND_LEN]Size argument for strncpy is based on number of characters between colons

  • Attack surface UPnPCVE-2012-5958Disclosed a couple years ago by HD Moore (one of many)https://community.rapid7.com/docs/DOC-2150Calls strncpy to copy a string from the ST header into TempBuf[COMMAND_LEN]Size argument for strncpy is based on number of characters between colonsM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:uuid:schemas:device:[string longer than COMMAND_LEN]:blahMan:"ssdp:discover"MX:3

  • Attack surface UPnPD-Link DIR-815 UPnP Command InjectionDisclosed Feb 2013 by Zach Cutliphttp://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.htmlContents of ST header get passed as arguments to M-SEARCH.shNo validation or sanitization

  • Attack surface UPnPD-Link DIR-815 UPnP Command InjectionDisclosed Feb 2013 by Zach Cutliphttp://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.htmlContents of ST header get passed as arguments to M-SEARCH.shNo validation or sanitizationM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:uuid:`[shell command]`Man:"ssdp:discover"MX:3

  • Attack surface SOAPXBMC soap_action_name Buffer OverflowDisclosed Oct 2010 by n00bhttp://www.exploit-db.com/exploits/15347/ProcessHttpPostRequest function allocates statically-sized bufferCalls sscanf to copy value of SOAPAction header into it with no bounds checking

  • Attack surface SOAPXBMC soap_action_name Buffer OverflowDisclosed Oct 2010 by n00bhttp://www.exploit-db.com/exploits/15347/ProcessHttpPostRequest function allocates statically-sized bufferCalls sscanf to copy value of SOAPAction header into it with no bounds checkingPOST /AVTransport/[UUID]/control.xml HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "urn:schemas-upnp-org:service:AVTransport:1#[more than 100 bytes]"Content-Length: [length of req]Host: x.x.x.x:50988

  • Attack surface SOAPBroadcom SetConnectionType Format String VulnerabilityDisclosed a couple years ago by Leon Juranic and Vedran Kajichttp://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txtSetConnectionType action feeds value of NewConnectionType argument to snprintfNo sanitization of user-controlled value

  • Attack surface SOAPBroadcom SetConnectionType Format String VulnerabilityDisclosed a couple years ago by Leon Juranic and Vedran Kajichttp://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txtSetConnectionType action feeds value of NewConnectionType argument to snprintfNo sanitization of user-controlled value

    [format string]

  • Attack surface SOAPCVE-2014-3242Disclosed last year by pnig0shttp://www.pnigos.com/?p=260SOAPpy allows declaration of user-defined XML External Entities in SOAP requestNo sanitization of user-controlled value

  • Attack surface SOAPCVE-2014-3242Disclosed last year by pnig0shttp://www.pnigos.com/?p=260SOAPpy allows declaration of user-defined XML External Entities in SOAP requestNo sanitization of user-controlled value

    &xxe;

  • Attack surface

Recommended

Let's Talk Magazine
Let's Talk Magazine
Documents
Let's talk money
Let's talk money
Economy & Finance
Let's talk CLOUD!
Let's talk CLOUD!
Technology
Let's talk tokenization
Let's talk tokenization
Documents
Let's Talk Teeth
Let's Talk Teeth
Documents
Let's Talk Hair
Let's Talk Hair
Documents
Let's Talk Success
Let's Talk Success
Business
Let's talk
Let's talk
Education
Let's Talk Pilot
Let's Talk Pilot
Documents
Let's Talk About Bell Let's Talk
Let's Talk About Bell Let's Talk
Documents
Let's Talk Sales
Let's Talk Sales
Documents
Let's Talk! DEVICE, ANY MAKE THEM SPEAK ENGLISH! PLACE ... LET'S TALK! Video - Let's talk about Jack!
Let's Talk! DEVICE, ANY MAKE THEM SPEAK ENGLISH! PLACE ... LET'S TALK! Video - Let's talk about Jack!
Documents
View more >