UPnP flaw exposes millions of network devices to attacks over the Internet

EnlargeUS GAO / Flickr

Millions of routers, printers, and other devices can be remotely commandeered by a new attack that exploits a security flaw in the Universal Plug and Play network protocol, a researcher said.

CallStranger, as the exploit has been named, is most useful for forcing large numbers of devices to participate in distributed denial of service—or DDoS—attacks that overwhelm third-party targets with junk traffic. CallStranger can also be used to exfiltrate data inside networks even when theyre protected by data loss prevention tools that are designed to prevent such attacks. The exploit also allows attackers to scan internal ports which would otherwise be invisible because theyre not exposed to the Internet.

Billions of routers and other so-called Internet-of-things devices are susceptible to CallStranger, Yunus Çadırcı, a Turkish researcher who discovered the vulnerability and the wrote the proof-of-concept attack code that exploits it, wrote over the weekend. For the exploit to actually work, however, a vulnerable device must have UPnP, as the protocol is known, exposed on the Internet. That constraint means only a fraction of vulnerable devices are actually exploitable.

Still unsafe after all these years

The 12-year-old UPnP protocol simplifies the task of connecting devices by allowing them to automatically find each other over a network. It does this by using the HTTP, SOAP, and XML protocols to advertise themselves and discover other devices over networks that use the Internet Protocol.

While the automation can remove the hassle of manually opening specific network ports that different devices use to communicate, UPnP over the years has opened users to a variety of attacks. In 2013, an Internet-wide scan found that UPnP was making more than 81 million devices visible to people outside the local networks. The finding was a surprise because the protocol isn't supposed to communicate with outside devices. The exposure was largely the result of several common code libraries that monitored all interfaces for User Datagram Protocol packets even if configured to listen only on internal ones.

In November 2018, researchers detected two in-the-wild attacks that targeted devices using UPnP. One used a buggy UPnP implementation in Broadcom chips to wrangle 100,000 routers into a botnet. The other, used against 45,000 routers, exploited flaws in a different UPnP implementation to open ports that were instrumental in spreading EternalRed and EternalBlue, the potent Windows attack that was developed by and later stolen from the NSA.

Subscribe now

CallStranger allows a remote and unauthenticated user to interact with devices that are supposed to be accessible only inside local networks. One use for the exploit is directing large amounts of junk traffic to destinations of the attackers choice. Because the output sent to attacker-designated destinations is much bigger than the request the attacker initiates, CallStranger provides a particularly powerful way to amplify the attackers resources. Other capabilities include enumerating all other UPnP devices on the local network and exfiltrating data stored on the network, in some cases even if its protected by data loss prevention tools.

The vulnerability is tracked as CVE-2020-12695, and advisories are here and here. Çadırcı posted a PoC script that demonstrates the capabilities of CallStranger here.

The exploit works by abusing the UPnP SUBSCRIBE capability, which devices use to receive notifications from other devices when certain events—such as the playing of a video or music track—happen. Specifically, CallStranger sends subscription requests that forge the URL thats to receive the resulting “callback.”

To perform DDoSes, CallStranger sends a flurry of subscription requests that spoof the address of a third-party site on the Internet. When the attack is performed in unison with other devices, the lengthy callbacks bombard the site with a torrent of junk traffic. In other cases the URL receiving the callback points to a device inside the internal network. The responses can create a condition similar to a Read More – Source