![]() However, if the edge router runs UPnP, and if it is misconfigured, an attacker can send SSDP requests to the interface connected to the Internet, and in turn, send configuration commands to the interface. In scenarios like these, the internal network won’t be directly accessible from the Internet. Network devices, like routers, can isolate an organization’s internal network from the Internet. Private IP addresses are not routable or accessible across the Internet. In the case of this device, the “ctl/IPConn” URL can be used to add new NAT rules on the device.įigure 3: HTTP response to the query sent to the “LOCATION” URI ![]() The following figures show an excerpt of the HTTP Response to an HTTP GET query sent to the “LOCATOIN” URI. The “LOCATION” parameter in the response can be queried to gather device information, like the software type, software version, URL’s of the control interface, etc.Īn attacker can use the URI in the “LOCATION” parameter to send an HTTP GET request and gather information about a device, which can affect the security of a network. The response message, among other things, will inform the querying device of the URI on the UPnP device, which can be queried for further information. This is the SSDP M-SEARCH message which is sent to the multicast address 239.255.255.250 on UDP port 1900.įigure 1: SSDP M-SEARCH multicast messageĪ UPnP capable device will respond with a unicast SSDP message as shown in Figure 2. An attacker can utilize this functionality to control the behavior of devices, like routers that sit at the boundary of a network, and regulate the flow of traffic between the networks.Ī device locates other UPnP capable devices on the network by sending a Simple Service Discovery Protocol (SSDP) message as shown in Figure 1. The UPnP protocol allows management of aspects of a device’s operation to extend support by the protocol implementation on the device and its configuration. The actual configuration and management interface are implemented using a SOAP-based HTTP service running over a dynamically allocated TCP port. ![]() UPnP runs on UDP port 1900 and communicates using SOAP messages over HTTP. This allows a device to locate routers, printers and other resources on a network. Universal Plug-n-Play – (UPnP) is a suite of protocols that enables a device to discover other devices on a network, configure itself to operate in the network, and advertise its services.
0 Comments
Leave a Reply. |