Guide: How to use Metasploit to scan for UPnP vulnerabilities

About the UPnP Flaws

This morning, Rapid7 released a whitepaper entitled Security Flaws in Universal Plug and Play. The paper is the result of a research project that identified over 80 million unique IPs responding to UPnP discovery requests from the internet. Somewhere between 40 and 50 million of those IPs are vulnerable to at least one of the three attacks outlined in the paper.

According to Rapid7's security team, the UPnP support built into routers and other standard networking equipment worldwide makes it possible for attackers to compromise approximately 40 to 50 million devices.

Exploit Vector

The UPnP SOAP service provides access to device functions that should never be reachable from untrusted networks, including the ability to open holes through the firewall (on a home gateway, the Internet Gateway Device profile's AddPortMapping action creates an inbound port forward). Rapid7 estimates that approximately 17 million unique IPs expose the SOAP service to the public internet.

The affected technology is the standard known as Universal Plug and Play (UPnP), a set of networking protocols that lets devices such as PCs, printers, and Wi-Fi access points discover each other's presence and advertise their services. Discovery uses SSDP, an HTTP-style protocol carried over UDP port 1900; once a device has been discovered, its control functions are exposed over SOAP, which is how devices on a network share files, printers, and the internet connection. None of these services were designed to be reachable from outside the local network.

Over 25% of all exposed SSDP services (approximately 23 million systems) run one implementation, the Portable UPnP SDK (libupnp). The flaws found in it have been assigned the following CVEs: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965.

Testing for the UPnP Vulnerabilities using Metasploit

To run the check from the command line, first open the Metasploit console (msfconsole).

From the msf prompt, enter the following commands, substituting your own network range for RHOSTS:

Any responding UPnP devices should appear in the output, with the specific CVEs listed for those whose advertised UPnP software has at least one exploitable vulnerability.
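The Metasploit module that performs this scan is auxiliary/scanner/upnp/ssdp_msearch. To show what it is actually doing on the wire, here is an added standalone Ruby script, not part of this guide and not Metasploit's own code, that covers both the discovery step described above (an SSDP M-SEARCH over UDP 1900) and the CVE check: it parses each SSDP reply, reads the SERVER banner, and reports the eight CVEs listed above when the device advertises a Portable UPnP SDK (libupnp) release older than 1.6.18. Assumptions not taken from the guide: that the fixes for those CVEs shipped in libupnp 1.6.18 (upstream release notes), that libupnp identifies itself as "Portable SDK for UPnP devices/x.y.z" in the SERVER header, and the sample reply with the 192.0.2.10 address, which is constructed for the example.

```ruby
require 'socket'
require 'timeout'

SSDP_ADDR = '239.255.255.250'
SSDP_PORT = 1900

# CVEs listed in the guide. The fix version is an assumption taken from the
# libupnp release notes (1.6.18), not from the guide itself.
LIBUPNP_FIXED = [1, 6, 18]
LIBUPNP_CVES  = %w[CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961
                   CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965]

# Constructed sample of what a libupnp-based device answers to M-SEARCH
# (not a real capture; 192.0.2.10 is a documentation address).
SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\n" \
                  "CACHE-CONTROL: max-age=1800\r\n" \
                  "ST: upnp:rootdevice\r\n" \
                  "SERVER: Linux/2.6.18 UPnP/1.0 Portable SDK for UPnP devices/1.6.6\r\n" \
                  "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n\r\n"

# SSDP discovery request (HTTP over UDP). "ssdp:all" makes every UPnP
# device answer once per service it exposes.
def msearch_request(st: 'ssdp:all', mx: 2)
  ['M-SEARCH * HTTP/1.1', "HOST: #{SSDP_ADDR}:#{SSDP_PORT}",
   'MAN: "ssdp:discover"', "MX: #{mx}", "ST: #{st}", '', ''].join("\r\n")
end

# Parse one SSDP reply into a Hash keyed by lowercase header name.
# Returns nil for anything that is not an HTTP 200 response.
def parse_ssdp_response(data)
  lines = data.to_s.split(/\r?\n/)
  return nil unless lines.first.to_s =~ %r{\AHTTP/1\.[01] 200}
  lines.drop(1).each_with_object({}) do |line, headers|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.strip if name && value
  end
end

# [major, minor, patch] of the libupnp version advertised in SERVER, or nil
# when the banner does not come from libupnp.
def libupnp_version(server_header)
  m = server_header.to_s.match(%r{Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)}i)
  m && m.captures.map(&:to_i)
end

# CVEs from the guide that the advertised version is still exposed to.
# This is a banner check only: it proves nothing about exploitability.
def likely_cves(server_header)
  ver = libupnp_version(server_header)
  return [] unless ver && (ver <=> LIBUPNP_FIXED) < 0
  LIBUPNP_CVES
end

# Summarise one reply the way a scanner would report it; nil if not SSDP.
def assess(data, ip)
  h = parse_ssdp_response(data)
  return nil unless h
  { ip: ip, server: h['server'], location: h['location'], cves: likely_cves(h['server']) }
end

# Send M-SEARCH to one host (or the multicast group) and collect replies
# until the wait expires. Network errors yield an empty result, not an exception.
def discover(target = SSDP_ADDR, wait: 3)
  sock = UDPSocket.new
  results = []
  begin
    sock.send(msearch_request, 0, target, SSDP_PORT)
    Timeout.timeout(wait) do
      loop do
        data, addr = sock.recvfrom(4096)
        r = assess(data, addr[3])
        results << r if r
      end
    end
  rescue Timeout::Error, SystemCallError
    # the timeout ends collection; an unreachable network simply yields nothing
  ensure
    sock.close
  end
  results
end

# Usage: ruby upnp_check.rb 192.0.2.1      (or 239.255.255.250 for multicast)
if __FILE__ == $0 && !ARGV.empty?
  discover(ARGV[0]).each do |r|
    flag = r[:cves].empty? ? '' : "  VULNERABLE: #{r[:cves].join(', ')}"
    puts "#{r[:ip]}  #{r[:server]}#{flag}"
  end
end
```

Because both this script and the Metasploit module decide from the SERVER banner, treat the result as a version-based indicator rather than proof: a device whose vendor backported the fix without bumping the libupnp version string will still be flagged, and a device that strips or rewrites the banner will not be. Confirm findings by checking the firmware before reporting them as exploitable.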