About the UPnP Flaw
This morning, Rapid7 released a whitepaper entitled Security Flaws in Universal Plug and Play: Unplug, Don't Play. The paper is the result of a research project that identified over 80 million unique IPs responding to UPnP discovery (SSDP) requests from the internet. Somewhere between 40 and 50 million of those IPs are vulnerable to at least one of the three attacks outlined in the paper.
Put another way, the UPnP stacks shipped in home routers and other common networking equipment leave roughly 40 to 50 million devices worldwide open to attack from the internet.
The UPnP SOAP service (the control interface reached through the URL in the SSDP LOCATION header) provides access to device functions that should never be reachable from untrusted networks, including the ability to open holes through the firewall: on an Internet Gateway Device, a single unauthenticated AddPortMapping request forwards an external port to an internal host. Rapid7 estimates that approximately 17 million unique IPs expose the SOAP service to the public internet.
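To make the SOAP exposure concrete, here is an added example (not from Rapid7's paper or any tool it describes) that parses a UPnP root device description to locate the WANIPConnection control URL and builds the standard IGD AddPortMapping SOAP request. The device description is constructed for the example and the host addresses are placeholders; nothing is sent, and posting this to a gateway you do not own is not authorised testing.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from xml.sax.saxutils import escape

UPNP_DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed root device description (not captured from a real gateway), trimmed to
# the part that matters: the WANIPConnection service and its control URL.
SAMPLE_DESCRIPTION = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>example gateway</friendlyName>
    <deviceList><device>
      <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
      <deviceList><device>
        <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
        <serviceList><service>
          <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
          <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
          <controlURL>/ctl/IPConn</controlURL>
          <eventSubURL>/evt/IPConn</eventSubURL>
          <SCPDURL>/WANIPCn.xml</SCPDURL>
        </service></serviceList>
      </device></deviceList>
    </device></deviceList>
  </device>
</root>
"""


def find_control_url(description_xml, location, service_type=WANIP):
    """Resolve the absolute control URL of service_type from a root description.

    location is the URL the description was fetched from (the SSDP LOCATION header);
    relative controlURLs are resolved against it. Returns None if the service is absent.
    """
    root = ET.fromstring(description_xml)
    ns = {"d": UPNP_DEVICE_NS}
    for svc in root.iterfind(".//d:service", ns):
        if svc.findtext("d:serviceType", default="", namespaces=ns) == service_type:
            ctrl = svc.findtext("d:controlURL", default="", namespaces=ns).strip()
            if ctrl:
                return urljoin(location, ctrl)
    return None


def build_add_port_mapping(external_port, internal_client, internal_port,
                           protocol="TCP", description="upnp-check", lease=0):
    """Build headers and body for the IGD AddPortMapping SOAP action.

    Nothing is sent here. A gateway that honours this unauthenticated POST on its
    WAN side forwards external_port on its public address to internal_client:internal_port,
    which is exactly the "hole through the firewall" the text refers to.
    """
    args = [("NewRemoteHost", ""), ("NewExternalPort", str(external_port)),
            ("NewProtocol", protocol), ("NewInternalPort", str(internal_port)),
            ("NewInternalClient", internal_client), ("NewEnabled", "1"),
            ("NewPortMappingDescription", description), ("NewLeaseDuration", str(lease))]
    head = ('<?xml version="1.0"?>\n'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n'
            "<s:Body>\n"
            f'<u:AddPortMapping xmlns:u="{WANIP}">\n')
    # Argument values are XML-escaped so a description like "a&b" stays well-formed.
    fields = "".join(f"<{k}>{escape(v)}</{k}>\n" for k, v in args)
    body = head + fields + "</u:AddPortMapping>\n</s:Body>\n</s:Envelope>\n"
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#AddPortMapping"'}
    return headers, body


if __name__ == "__main__":
    url = find_control_url(SAMPLE_DESCRIPTION, "http://192.168.0.254:5000/rootDesc.xml")
    headers, body = build_add_port_mapping(8080, "192.168.0.10", 80)
    print("POST", url)
    print(headers)
    print(body)
```

The point of the check is the absence of any credential in the request: if the control URL is reachable on the WAN interface, anyone on the internet can issue it. To test a gateway you administer, fetch the description from the LOCATION URL reported by an SSDP scan, resolve the control URL with find_control_url, and POST the returned headers and body with any HTTP client from outside the LAN.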
The affected technology is Universal Plug and Play (UPnP), a set of networking protocols that lets devices such as PCs, printers, and Wi-Fi access points discover each other and advertise their services. After discovery, devices can connect across the network to share files, printers, and internet access. The problem is less the idea of UPnP than how it is deployed: the discovery service (SSDP, UDP port 1900) and the SOAP control service are meant for the local network, yet millions of devices answer them on their internet-facing interface, and the most common UPnP implementations contain exploitable bugs in their SSDP parsers.
The most widely deployed UPnP stack is the Portable UPnP SDK (libupnp): over 25% of all exposed SSDP services are built on it (approximately 23 million systems), and a single crafted UDP packet to its SSDP parser can crash the device or execute code. These issues have been assigned the following CVEs, all fixed in libupnp 1.6.18: CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965. The other common stack, MiniUPnP, has its own issues: CVE-2013-0229 (an SSDP buffer over-read in MiniUPnPd before 1.4) and CVE-2013-0230 (a stack overflow in the SOAP handler of MiniUPnPd 1.0); both appear in the scanner output below.
Testing for the UPnP Vulnerabilities using Metasploit
To run the scan from the command line, first open the Metasploit console (msfconsole).
From the msf prompt, load the SSDP scanner module and enter the following commands, substituting your own network for RHOSTS:
use auxiliary/scanner/upnp/ssdp_msearch
set RHOSTS 192.168.0.0/24
run
Any devices answering SSDP should appear with their SERVER banner and the LOCATION URL of their device description; those whose banner matches a known-vulnerable implementation version are marked [+] with the specific CVEs listed.
[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | http://192.168.0.9:3278/etc/linuxigd/gatedesc.xml
[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230)
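For readers who want to see what the module is doing on the wire, here is an added example (not the Metasploit module's code, nor anything from Rapid7's post) that sends the same SSDP M-SEARCH discovery request, parses the replies, and triages the SERVER banner against the CVEs named above. The banner-to-CVE mapping is this example's own, using the fixed versions from the upstream advisories (libupnp 1.6.18, MiniUPnPd 1.4); the sample reply is constructed, not captured from a real device, and the network addresses are placeholders.

```python
import re
import socket

SSDP_GROUP = ("239.255.255.250", 1900)

# CVE mapping used for triage (this example's own, not Metasploit's logic):
# libupnp before 1.6.18 carries CVE-2012-5958..5965; MiniUPnPd before 1.4 carries the
# SSDP over-read CVE-2013-0229 and MiniUPnPd 1.0 the SOAP stack overflow CVE-2013-0230.
LIBUPNP_CVES = ["CVE-2012-%d" % n for n in range(5958, 5966)]


def build_msearch(st="ssdp:all", mx=2):
    """Build the SSDP M-SEARCH discovery request (HTTP-over-UDP to port 1900)."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n"
            "\r\n").encode()


def parse_ssdp_response(raw):
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into a dict of lower-cased headers, else None."""
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _version(s):
    return tuple(int(x) for x in s.split("."))


def triage_server_header(server):
    """Return the CVEs implied by the SDK version string in the SERVER header."""
    cves = []
    m = re.search(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)+)", server, re.I)
    if m and _version(m.group(1)) < (1, 6, 18):
        cves.extend(LIBUPNP_CVES)
    m = re.search(r"miniupnpd/(\d+(?:\.\d+)+)", server, re.I)
    if m:
        v = _version(m.group(1))
        if v < (1, 4):
            cves.append("CVE-2013-0229")
        if v == (1, 0):
            cves.append("CVE-2013-0230")
    return cves


def format_result(ip, port, headers):
    """Render one result in the same spirit as the Metasploit module's output lines."""
    server = headers.get("server", "")
    cves = triage_server_header(server)
    line = f"{'[+]' if cves else '[*]'} {ip}:{port} SSDP {server} | {headers.get('location', '')}"
    if cves:
        line += f" | vulns:{len(cves)} ({', '.join(cves)})"
    return line


def discover(timeout=3.0, st="ssdp:all"):
    """Multicast one M-SEARCH and collect the unicast replies until the timeout expires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(st), SSDP_GROUP)
    results = []
    try:
        while True:
            data, (ip, port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                results.append((ip, port, headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


# Constructed sample reply (not captured from a real device) so the parser and the
# triage can be exercised offline; the addresses are placeholders.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=120\r\n"
                b"ST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
                b"EXT:\r\n"
                b"SERVER: Linux/2.6 UPnP/1.0 miniupnpd/1.0\r\n"
                b"LOCATION: http://192.168.0.254:5000/rootDesc.xml\r\n"
                b"\r\n")

if __name__ == "__main__":
    print(format_result("192.168.0.254", 1900, parse_ssdp_response(SAMPLE_REPLY)))
    for ip, port, hdrs in discover():
        print(format_result(ip, port, hdrs))
```

Two caveats a scanner like this shares with the Metasploit module: a banner such as "Net-OS 5.xx UPnP/1.0" names neither SDK, so it is reported but not triaged, and a vendor that backported the fixes without bumping the SDK version will still be flagged. The banner check is a triage aid; confirming a finding means patching or testing the device itself.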