why upnp is awesome and terrifying

© 2012. Why UPnP is Awesome…and Terrifying. Presented by: Daniel Crowley

Upload: baronzor

Post on 17-May-2015

DESCRIPTION

An explanation of how UPnP works, and why it is an inherently dangerous protocol.

TRANSCRIPT

Who am I?

• Daniel Crowley
• Managing Consultant
• Trustwave – SpiderLabs – AppSec
• @dan_crowley

How UPnP works

Phases of UPnP Protocol

• Addressing
• Discovery
• Description
• Control
• Eventing
• Presentation

Addressing

• Acquire network address
  – DHCP
• Associate with multicast group

Discovery

• M-SEARCH (request)
  – HTTPMU
    • Multicast
    • UDP
  – Port 1900

Discovery – M-SEARCH

Discovery

• NOTIFY
  – HTTPMU
    • Multicast
    • UDP
  – Port 1900

Discovery – NOTIFY

Description

• Unicast HTTP
• Grab/parse UPnP description XML files

Control

• Unicast HTTP
• SOAP

Eventing

• GENA
  – HTTP based
• SUBSCRIBE, POLL and NOTIFY
• May be implemented by UPnP device

Presentation

• Description phase provides root XML file
• Root XML file can contain presentation URI
• URI is HTTP resource for alternate control or view

Awesome

• Kittens
• Missiles

Why it’s awesome

• Universal control protocol
  – Traditional network devices
  – Network-attached devices
  – AV gear
• Ease of device deployment
  – Self-configuring devices

Terrifying

• No authentication built in
  – DeviceProtection
  – UPnP security
• Some actions exposed are awful
  – RunLua
  – SetDNSServer
  – UpdateFirmware
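
An added example, not from the original slides: a defender-side audit that parses a device's UPnP service description (SCPD) XML and flags the action names this slide calls out. The sample XML, its other action names and its argument names are constructed for illustration; the namespace is the standard UPnP service schema.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:schemas-upnp-org:service-1-0"}
# Action names taken from the slide; extend the set for your own environment.
RISKY_ACTIONS = {"RunLua", "SetDNSServer", "UpdateFirmware"}

# Constructed sample SCPD (service description) for a hypothetical device.
SAMPLE_SCPD = """<?xml version="1.0"?>
<scpd xmlns="urn:schemas-upnp-org:service-1-0">
  <actionList>
    <action><name>GetStatus</name>
      <argumentList><argument><name>Status</name><direction>out</direction></argument></argumentList>
    </action>
    <action><name>SetDNSServer</name>
      <argumentList><argument><name>NewDNSServer</name><direction>in</direction></argument></argumentList>
    </action>
    <action><name>UpdateFirmware</name>
      <argumentList><argument><name>URL</name><direction>in</direction></argument></argumentList>
    </action>
  </actionList>
</scpd>"""


def _text(element, tag):
    """Text of a namespaced child element, or '' when it is missing or empty."""
    return (element.findtext(tag, default="", namespaces=NS) or "").strip()


def audit_scpd(xml_text):
    """Return [(action, [input argument names], flagged)] for an SCPD document."""
    # Device-supplied XML is untrusted: an SCPD needs no DTD, so refuse one
    # outright rather than risk entity-expansion attacks against the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in an SCPD")
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.findall("./s:actionList/s:action", NS):
        name = _text(action, "s:name")
        inputs = [_text(arg, "s:name")
                  for arg in action.findall("./s:argumentList/s:argument", NS)
                  if _text(arg, "s:direction").lower() == "in"]
        findings.append((name, inputs, name in RISKY_ACTIONS))
    return findings


if __name__ == "__main__":
    for name, inputs, flagged in audit_scpd(SAMPLE_SCPD):
        print(f"{'REVIEW' if flagged else 'ok':6} {name}({', '.join(inputs)})")
```

Flagged actions that accept input arguments deserve the closest look, since any host that can reach the control URL can supply those values without authenticating.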

Remote Keystrokes?

Arm/Disarm Alarm System?

Add entry PINs to door lock?

Terrifying

• Being used for:
  – Door Locks
  – Security Cameras
  – Motion Sensors
  – Alarm Systems
  – Electrical Outlets

Terrifying

• Control is built on Unicast HTTP
  – CSRF
    • JavaScript
    • Flash
    • Silverlight

UPnP Daemons

• Full
• Of
• Holes

Flaws in UPnP actions

• Traditional application security flaws
  – Shell injection
  – Memory corruption

Demo: Belkin WeMo

Demo: BubbleUPnP