SANS ISC InfoSec Forums
Exposed UPNP Devices

Rapid7 conducted a widely quoted study, scanning the Internet on port 1900/udp to find devices that expose UPnP [1]. Universal Plug and Play (UPnP) is a protocol frequently supported by home gateways to automate firewall configuration. For example, an IP-based security camera may use the protocol to instruct the firewall to open a port and redirect incoming traffic to the camera, allowing the user to monitor it from outside their own network. Online games use it in a similar fashion so that game servers can reach the host participating in the game. UPnP itself is not exactly a "secure" protocol, and in addition, implementations suffer from various flaws, as the Rapid7 paper points out.

Rapid7 offers a free Windows tool to scan your network. Alternatively, you can use nmap to find hosts supporting UPnP, but you will need an NSE script that sends an "M-SEARCH" request to trigger a response [2]. A UPnP listener will not respond to the "empty" datagram that a typical nmap UDP scan sends.

Here is a sample nmap scan using this NSE script:

sudo nmap --script upnp-info.nse -p 1900 -sU 192.0.2.1

Nmap scan report for somehost.mynet (192.0.2.1)
Host is up (0.067s latency).
PORT     STATE SERVICE
1900/udp open  upnp
| upnp-info: 
| 72.92.145.199
|     Server: Custom/1.0 UPnP/1.0 Proc/Ver
|     Location: http://192.168.1.1:5431/dyndev/uuid:3872c05b-c117-17c1-5bc0-12345
|       Webserver: LINUX/2.4 UPnP/1.0 BRCM400/1.0
|       Name: Broadcom ADSL Router
|       Manufacturer: Comtrend
|       Model Descr: (null)
|       Model Name: AR-5381u
|       Model Version: 1.0
|       Name: WANDevice.1
|       Manufacturer: Comtrend
|       Model Descr: (null)
|       Model Name: AR-5381u
|       Model Version: 1.0
|       Name: WanConnectionDevice.1
|       Manufacturer: Comtrend
|       Model Descr: (null)
|       Model Name: AR-5381u
|_      Model Version: 1.0

Or, if you don't want to install the NSE script or don't have root permission, you can try scanning port 5431/tcp instead:

nmap  -sV -p 5431 192.0.2.1

Starting Nmap 6.01 ( http://nmap.org ) at 2013-01-30 07:37 EST
Nmap scan report for myhost.mynet (192.0.2.1)
Host is up (0.008s latency).
PORT     STATE SERVICE VERSION
5431/tcp open  upnp    Belkin/Linksys wireless router UPnP (Linux 2.4; UPnP 1.0; BRCM400 1.0)
Service Info: OS: Linux; Device: router; CPE: cpe:/o:linux:kernel
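As an added example (not from the diary and not the nmap project's own code), the following Python script performs the same discovery step that the upnp-info NSE script does: it sends a well-formed SSDP M-SEARCH to 1900/udp, parses any "HTTP/1.1 200 OK" responses, and pulls the host and port out of the LOCATION header. That host:port (5431 in the diary's sample output) is the device-description web server that the second, unprivileged nmap -sV scan fingerprints, which is why scanning 5431/tcp works without root. The sample response embedded in the script is constructed from the headers visible in the diary's nmap output; only discover() touches the network, and its target parameter accepts a unicast address so an administrator can check the WAN address of a gateway they manage, which is the exposure the diary is concerned about.

```python
"""SSDP M-SEARCH probe and response parser (added example, not ISC/nmap code).

Hostnames, addresses and the sample response below are constructed for
illustration, modelled on the headers shown in the diary's nmap output.
"""
import socket
from urllib.parse import urlparse

SSDP_ADDR = "239.255.255.250"   # standard SSDP multicast group
SSDP_PORT = 1900                # standard SSDP port, the one the diary scans


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the M-SEARCH request that a UPnP listener answers.

    An empty UDP datagram (what a plain nmap -sU probe sends) is ignored by
    UPnP stacks; the listener only replies to a well-formed HTTPU request.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP 200 OK response into a dict of lowercase header names.

    Returns an empty dict for anything that is not a 200 OK response
    (NOTIFY announcements, garbage, an empty datagram).
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def location_host_port(headers: dict):
    """Return (host, port) of the device-description URL in the LOCATION header.

    This is the HTTP service that nmap -sV fingerprints on 5431/tcp in the
    diary; an http:// URL with no explicit port defaults to 80.
    """
    loc = headers.get("location")
    if not loc:
        return None
    u = urlparse(loc)
    if u.scheme != "http" or not u.hostname:
        return None
    return u.hostname, u.port or 80


def discover(timeout: float = 3.0, target: str = SSDP_ADDR):
    """Send one M-SEARCH and collect responses until the timeout (network I/O).

    Pass a unicast address as target to probe a single gateway, e.g. its WAN
    address from outside, to verify whether UPnP is reachable externally.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (target, SSDP_PORT))
    found = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append((ip, hdrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample response; Server/Location values mirror the diary's output.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5431/dyndev/uuid:3872c05b-c117-17c1-5bc0-12345\r\n"
    b"SERVER: Custom/1.0 UPnP/1.0 Proc/Ver\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:3872c05b-c117-17c1-5bc0-12345::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, hdrs in discover():
        print(ip, hdrs.get("server"), location_host_port(hdrs))
```

Run it on a segment you administer and compare the LOCATION hosts it reports against your device inventory; any gateway that answers on its WAN address is the case the diary describes, where the only remedies are disabling UPnP (if the ISP firmware allows it) or filtering 1900/udp and the description port upstream.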

The difficult part is that the most vulnerable devices are the ones with UPnP exposed on the external (WAN) interface. In many cases these are ISP-supplied routers, and the end user may not be able to turn off UPnP.

[1] https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
[2] https://svn.nmap.org/nmap/scripts/upnp-info.nse

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

Johannes

3698 Posts
ISC Handler
The "shields-up" scanner at http://www.grc.com can be useful to scan from the outside. Your mileage may vary due to any ISP filters on the inbound.
Doc

3 Posts
Shields Up doesn't do any UDP scanning yet. He is currently modifying it to scan for upnp. Should be up in the next couple days.
Doc
1 Posts
It is amazing how people forget.

Everything old is new again.
No Love.

37 Posts
UPnP Router Security Check:
- http://upnp-check.rapid7.com/
Jack

160 Posts