exterpts:
Step 1: Discovery
When a machine joins a network and wants to know what UPnP services are available on the network, it sends out a discovery message to 239.255.255.250 on port 1900 via UDP. This message contains a header, similar to a HTTP request:
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: ssdp:discover
MX: 10
ST: ssdp:all
All control points are required to respond to this message by sending back a similar message via UDP unicasting back to the device, announcing which UPnP profiles the control point implements. For every pro
le it implements one message is sent:
HTTP/1.1 200 OK
CACHE-CONTROL:max-age=1800
EXT:
LOCATION:http://10.0.0.138:80/IGD.xml
SERVER:SpeedTouch 510 4.0.0.9.0 UPnP/1.0 (DG233B00011961)
ST:urn:schemas-upnp-org:service:WANPPPConnection:1
USN:uuid:UPnP-SpeedTouch510::urn:schemas-upnp-org:service:WANPPPConnection:1
The above is a slightly edited response that is sent by an Alcatel/Thomson Speedtouch ADSL modem. Some implementations of the UPnP stack do not seem to send responses back at all.
----
It takes no special privileges to recon
gure a UPnP-enabled
rewall.
Changes to the
rewall done via UPnP are often persistent across reboots of the Internet Gateway Device and not always easy to remove.
A computer that has been taken over by a virus, spyware or cracker is relatively easy to detect, but a recon
gured router is a lot harder to
nd, especially when the router is complying with all standards it implements
--
This section describes a range of attacks which are possible with UPnP in general, or with special implementations of UPnP. These attacks all originate from within the LAN, where a user or malicious program possibly already has full access to some or all machines in the LAN. Tunnels to the outside are easily created in such a setup.
---
Using UPnP to create proxies and hijack ports
---
More serious hacks are possible with this bug. For example, this hole could be exploited to hijack port 25 to capture someone's mail if a mail server is running behind the Internet Gateway Device and port 25 on the external interface is forwarded to the internal mailserver. Hijacking can be done by first deleting the existing portmapping for port 25 from the Internet Gateway Device and then creating a new mapping to an external machine in the same way as is described...
---
A PDF document
Link will be in downloads soon, so use this for now:
ليست هناك تعليقات:
إرسال تعليق