UPnP hacking Tutorial

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

UPnP hacking Tutorial

Post by DNR »

Excerpts:
Step 1: Discovery
When a machine joins a network and wants to know what UPnP services are available on the network, it sends out a discovery message to 239.255.255.250 on port 1900 via UDP. This message contains a header, similar to a HTTP request:

M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: ssdp:discover
MX: 10
ST: ssdp:all

All control points are required to respond to this message by sending back a similar message via UDP unicasting back to the device, announcing which UPnP profiles the control point implements. For every profile it implements one message is sent:

HTTP/1.1 200 OK
CACHE-CONTROL:max-age=1800
EXT:
LOCATION:http://10.0.0.138:80/IGD.xml
SERVER:SpeedTouch 510 4.0.0.9.0 UPnP/1.0 (DG233B00011961)
ST:urn:schemas-upnp-org:service:WANPPPConnection:1
USN:uuid:UPnP-SpeedTouch510::urn:schemas-upnp-org:service:WANPPPConnection:1

The above is a slightly edited response that is sent by an Alcatel/Thomson Speedtouch ADSL modem. Some implementations of the UPnP stack do not seem to send responses back at all.
----
It takes no special privileges to reconfigure a UPnP-enabled firewall.
Changes to the firewall done via UPnP are often persistent across reboots of the Internet Gateway Device and not always easy to remove.
A computer that has been taken over by a virus, spyware or cracker is relatively easy to detect, but a reconfigured router is a lot harder to find, especially when the router is complying with all standards it implements.
--
This section describes a range of attacks which are possible with UPnP in general, or with special implementations of UPnP. These attacks all originate from within the LAN, where a user or malicious program possibly already has full access to some or all machines in the LAN. Tunnels to the outside are easily created in such a setup.
---
Using UPnP to create proxies and hijack ports
---
More serious hacks are possible with this bug. For example, this hole could be exploited to hijack port 25 to capture someone's mail if a mail server is running behind the Internet Gateway Device and port 25 on the external interface is forwarded to the internal mailserver. Hijacking can be done by first deleting the existing portmapping for port 25 from the Internet Gateway Device and then creating a new mapping to an external machine in the same way as is described...
---
A PDF document
Link will be in downloads soon, so use this for now:
http://www.mediafire.com/?dhej2g01wpt

DNR
Last edited by DNR on 25 Nov 2008, 13:18, edited 1 time in total.
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
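The discovery exchange from Step 1, as an added example that is not from the quoted paper or the post: it parses the M-SEARCH probe and the SpeedTouch reply shown above and flags replies that advertise WANIPConnection or WANPPPConnection, the IGD services through which port mappings are added and deleted, so an administrator can inventory which gateways on the LAN expose them. The sample messages are constructed from the post's text; nothing is sent on the network.

```python
import re
from urllib.parse import urlsplit

# Constructed samples: the M-SEARCH probe and the SpeedTouch reply quoted in the post
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: ssdp:discover\r\n"
    "MX: 10\r\n"
    "ST: ssdp:all\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL:max-age=1800\r\n"
    "EXT:\r\n"
    "LOCATION:http://10.0.0.138:80/IGD.xml\r\n"
    "SERVER:SpeedTouch 510 4.0.0.9.0 UPnP/1.0 (DG233B00011961)\r\n"
    "ST:urn:schemas-upnp-org:service:WANPPPConnection:1\r\n"
    "USN:uuid:UPnP-SpeedTouch510::urn:schemas-upnp-org:service:WANPPPConnection:1\r\n\r\n"
)

def parse_ssdp(msg):
    """Split an SSDP datagram into its start line and a dict of upper-cased headers.
    Only the first ':' separates name from value, so URN and URL values stay intact."""
    head, _, _ = msg.partition("\r\n\r\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def is_msearch(msg):
    """True for a discovery probe (the MAN value may or may not be quoted)."""
    start, hdr = parse_ssdp(msg)
    return start.startswith("M-SEARCH") and hdr.get("MAN", "").strip('"') == "ssdp:discover"

def inventory(response):
    """Return (host, service, server) when a reply advertises a port-mapping
    service of an Internet Gateway Device, otherwise None."""
    start, hdr = parse_ssdp(response)
    if not start.startswith("HTTP/1.1 200"):
        return None
    m = re.search(r"service:(WAN(?:IP|PPP)Connection):\d+", hdr.get("ST", ""))
    if not m:
        return None
    host = urlsplit(hdr.get("LOCATION", "")).hostname
    return host, m.group(1), hdr.get("SERVER", "")
```

Feed `inventory()` each unicast reply captured after a probe; any non-None result is a gateway whose description document at LOCATION is worth checking for port mappings that nobody on the LAN remembers creating.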

rob33n
On the way to fame!
Posts: 25
Joined: 09 May 2007, 16:00

Post by rob33n »

nice tuts. thanks.
