<ul><li><p>Lets talk about SOAP, baby. Lets talk about UPnP.Ricky HeadlessZeke Lawshae InfosecSouthwest 2015</p></li><li><p>Do you have any idea who I am?Security Researcher for HP TippingPoints DVLabs teamAt Rapid7 before that, and BreakingPoint before thatSpeaker at Defcon, Recon, Insomnihack, and RuxconVoider of warrantiesReader of comic booksDrinker of beersTRIVIA: I once got a job at a police department while I had 4 active warrants out for my arrest.</p></li><li><p>What are we talking about?The Internet of Things (ugh)Its here, whether you like it or notJust put a network interface on it. Well worry about why later.Smart devices arent very smartNeed simple way to talk to each otherEase-of-use: Get the tech out of the way of UXOften accomplished with SOAP/UPnP servicesSuper talkativeHappily tell you all their capabilities in a well-structured formatAlso, dont bother themselves with pesky issues like security</p></li><li><p>What are we talking about?UPnPUniversal Plug and PlaySSDPSimple Service Discovery ProtocolSCPDService Control Protocol DefinitionSOAPSimple Object Access Protocol</p></li><li><p>Lets talk about all the good things</p></li><li><p>UPnP1900/UDPHTTP over UDP allowing devices to discover each otherMulticast 239.255.255.250UPnP Stack[1]DiscoveryAdvertising and SearchingDescriptionAn XML file describing the deviceControlCall an action or query for a valueEventingUsed for announcing state changesPresentationUIweb page or management portal I guess?[1] http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.0-20080424.pdf</p></li><li><p>UPnP DiscoveryAll you need to know about discovery. Also, this is the really noisy part.</p></li><li><p>UPnP DiscoveryAll you need to know about discovery. Also, this is the really noisy part.</p></li><li><p>UPnP DescriptionXML file usually hosted on a high number TCP portVersion infoupnp.org spec Usually just 1.0Device definitionsDevice typeMake/model/UUIDService listService typeSCPD URL Control URLEvent URL</p></li><li><p>UPnP Description 1 0 http://10.0.0.1:5000/ VEN_01f2&&REV_01 NetworkInfrastructure.Router Network.Router.Wireless urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:device:InternetGatewayDevice:1 WNDR3400v2 (Gateway) NETGEAR, Inc. http://www.NETGEAR.com NETGEAR WNDR3400v2 N600 Wireless Router WNDR3400v2 WNDR3400v2 http://www.netgear.com uuid:bc567461-ee40-a9c2-39d3-5338c402cc8d urn:schemas-upnp-org:service:Layer3Forwarding:1 urn:upnp-org:serviceId:L3Forwarding1 /Public_UPNP_Layer3F.xml /Public_UPNP_C1 /Public_UPNP_Event_1 </p></li><li><p>UPnP Description 1 0 http://10.0.0.1:5000/ VEN_01f2&&REV_01 NetworkInfrastructure.Router Network.Router.Wireless urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:device:InternetGatewayDevice:1 WNDR3400v2 (Gateway) NETGEAR, Inc. http://www.NETGEAR.com NETGEAR WNDR3400v2 N600 Wireless Router WNDR3400v2 WNDR3400v2 http://www.netgear.com uuid:bc567461-ee40-a9c2-39d3-5338c402cc8d urn:schemas-upnp-org:service:Layer3Forwarding:1 urn:upnp-org:serviceId:L3Forwarding1 /Public_UPNP_Layer3F.xml /Public_UPNP_C1 /Public_UPNP_Event_1 </p></li><li><p>UPnP SCPDXML file defining the service actions and argumentsVersion infoSame deal as descriptionAction listAction nameArgumentsArgument nameDirection (input/output)Variable nameVariable listVariable nameData type</p></li><li><p>UPnP SCPD</p><p> SetDefaultConnectionService NewDefaultConnectionService in DefaultConnectionService GetDefaultConnectionService NewDefaultConnectionService out DefaultConnectionService DefaultConnectionService string </p></li><li><p>UPnP SCPD</p><p> SetDefaultConnectionService NewDefaultConnectionService in DefaultConnectionService GetDefaultConnectionService NewDefaultConnectionService out DefaultConnectionService DefaultConnectionService string </p></li><li><p>UPnP ControlThis is where SOAP comes in (finally!)Mostly just frontends for an RPC service or CGI scriptSOAP envelopesXML-formatted API callsService type from description XMLAction name and arguments from SCPD XMLPOST envelope to control URL</p></li><li><p>UPnP ControlPOST /Public_UPNP_C1 HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "urn:schemas-upnp-org:service:Layer3Forwarding:1#SetDefaultConnectionService"Content-Length: 568Host: x.x.x.x:12345</p><p> blah </p></li><li><p>TL;DR</p></li><li><p>But what can you do with it?</p></li><li><p>But what can you do with it?Control AV equipmentHome automationNetwork administrationPhysical security systems (ok, easy there buddy)Industrial monitoring and control (uhwhat?)And this is just the official specs</p></li><li><p>Neat, soAll our devices can talk to each other!Brave new worlds of remote control and automation!Have your toaster turn on the lights, set the TV to the news channel, and send you a text message when breakfast is ready!The future is now!Nothing could possibly go wrong!</p></li><li><p>And the bad things</p></li><li><p>What about security?Embedded devicesLimited memory and processing powerBoard dev and software dev are often completely different companiesCopy-and-paste developmentKeep costs lowNot exactly concerned/knowledgeableDeploymentMillions of internet-facing UPnP-enabled devicesToo many vendors to countFrontend is standardized, backend varies even within same vendorDifficult to patch/update firmwareJust because you can, doesnt mean you should</p></li><li><p>What about security?XML parsing is hardNeeds lots of system resourcesFree-form, user-supplied dataIn 2013, 2.5% of CVEs were XML-related[2]Of those, almost 36% had CVSS severity of 7 or aboveAs the use-case for XML grows, so do the classes of vulnsRecursion bugs, XXE, command injection, etc[2] http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=xml</p></li><li><p>Attack surfaceUPnP serviceHTTP header parsingSSDP parsingOS command injectionInformation disclosureSOAP serviceHTTP header parsingXML parsingInjection vulnsOS commandSQL injectionSOAP injectionInformation disclosureRidiculous levels of unauthenticated device control</p></li><li><p>Attack surface UPnPCVE-2012-5958Disclosed a couple years ago by HD Moore (one of many)https://community.rapid7.com/docs/DOC-2150Calls strncpy to copy a string from the ST header into TempBuf[COMMAND_LEN]Size argument for strncpy is based on number of characters between colons</p></li><li><p>Attack surface UPnPCVE-2012-5958Disclosed a couple years ago by HD Moore (one of many)https://community.rapid7.com/docs/DOC-2150Calls strncpy to copy a string from the ST header into TempBuf[COMMAND_LEN]Size argument for strncpy is based on number of characters between colonsM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:uuid:schemas:device:[string longer than COMMAND_LEN]:blahMan:"ssdp:discover"MX:3</p></li><li><p>Attack surface UPnPD-Link DIR-815 UPnP Command InjectionDisclosed Feb 2013 by Zach Cutliphttp://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.htmlContents of ST header get passed as arguments to M-SEARCH.shNo validation or sanitization</p></li><li><p>Attack surface UPnPD-Link DIR-815 UPnP Command InjectionDisclosed Feb 2013 by Zach Cutliphttp://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.htmlContents of ST header get passed as arguments to M-SEARCH.shNo validation or sanitizationM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:uuid:`[shell command]`Man:"ssdp:discover"MX:3</p></li><li><p>Attack surface SOAPXBMC soap_action_name Buffer OverflowDisclosed Oct 2010 by n00bhttp://www.exploit-db.com/exploits/15347/ProcessHttpPostRequest function allocates statically-sized bufferCalls sscanf to copy value of SOAPAction header into it with no bounds checking</p></li><li><p>Attack surface SOAPXBMC soap_action_name Buffer OverflowDisclosed Oct 2010 by n00bhttp://www.exploit-db.com/exploits/15347/ProcessHttpPostRequest function allocates statically-sized bufferCalls sscanf to copy value of SOAPAction header into it with no bounds checkingPOST /AVTransport/[UUID]/control.xml HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "urn:schemas-upnp-org:service:AVTransport:1#[more than 100 bytes]"Content-Length: [length of req]Host: x.x.x.x:50988</p></li><li><p>Attack surface SOAPBroadcom SetConnectionType Format String VulnerabilityDisclosed a couple years ago by Leon Juranic and Vedran Kajichttp://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txtSetConnectionType action feeds value of NewConnectionType argument to snprintfNo sanitization of user-controlled value</p></li><li><p>Attack surface SOAPBroadcom SetConnectionType Format String VulnerabilityDisclosed a couple years ago by Leon Juranic and Vedran Kajichttp://sebug.net/paper/Exploits-Archives/2013-exploits/1301-exploits/DC-2013-01-003.txtSetConnectionType action feeds value of NewConnectionType argument to snprintfNo sanitization of user-controlled value</p><p> [format string] </p></li><li><p>Attack surface SOAPCVE-2014-3242Disclosed last year by pnig0shttp://www.pnigos.com/?p=260SOAPpy allows declaration of user-defined XML External Entities in SOAP requestNo sanitization of user-controlled value</p></li><li><p>Attack surface SOAPCVE-2014-3242Disclosed last year by pnig0shttp://www.pnigos.com/?p=260SOAPpy allows declaration of user-defined XML External Entities in SOAP requestNo sanitization of user-controlled value</p><p> &xxe; </p></li><li><p>Attack surface SOAPCVE-2014-2928Disclosed last year by Brandon Perry (PBerry Crunch!)http://seclists.org/fulldisclosure/2014/May/32F5 iControl API set_hostname action passes value of hostname argument to shellOnce again, no sanitization of user-controlled value</p></li><li><p>Attack surface SOAPCVE-2014-2928Disclosed last year by Brandon Perry (PBerry Crunch!)http://seclists.org/fulldisclosure/2014/May/32F5 iControl API set_hostname action passes value of hostname argument to shellOnce again, no sanitization of user-controlled value</p><p> `[shell command]`.whatever.com </p></li><li><p>Attack surface SOAPCVE-2011-4499, CVE-2011-4500, CVE-2011-4501, CVE-2011-4503, CVE-2011-4504, CVE-2011-4505, CVE-2011-4506, more?Disclosed at Defcon 19 by Daniel Garciahttp://toor.do/DEFCON-19-Garcia-UPnP-Mapping-WP.pdfUPnP IGD uses actions such as AddPortMapping and DeletePortMapping to allow for remote administration of routing rulesLacks authentication and is available on WAN interfaceGives attackers the ability to perform:NAT traversalExternal/internal host port mappingExternal network scanning of internal LAN</p></li><li><p>DEMO TIME</p></li><li><p>Conclusion</p></li><li><p>Playing along at homeKnow your networkM-SEARCH every network you connect toWatch for new NOTIFY messagesIf you dont need UPnP, disable itIf not on the device, then at the routerKeep on top of firmware updatesNot always automaticFuzz the crap out of itBurp http://portswigger.net/burp/WSFuzzer https://www.owasp.org/index.php/Category:OWASP_WSFuzzer_ProjectMiranda http://code.google.com/p/miranda-upnp/My stuffif I ever release it, which I probably wont</p></li><li><p>Hit me up</p><p>@HeadlessZeke on twitter</p><p>Usually lurking on freenode as HeadlessZeke</p><p>headlesszeke@hp.com </p></li><li><p>Thank you!</p></li></ul>
