Inception Framework organization
In March 2018, Symantec reported on the misuse of a vulnerable UPnP service by an Inception Framework organization to hide attacks. Inception Framework, an APT group of unknown origin, has been using this technique to launch stealth attacks since 2014. Because of the specificity of their attack methods, Symantec advised users in its report to protect against custom malware injected into routing devices. Let’s take a closer look.
What is the UPnP
UPnP stands for plug and play and can be regarded as a set of protocols. It allows devices to discover each other on a LAN and use network functions (such as data sharing) without doing any configuration (hence the name “plug and play”). This is an old protocol, designed in the late 1990s and completed in the early 2000s. The most used versions are the 1.1 released in 2008 and the latest version (UPnP Device Architecture 2.0) released in 2015.
According to the UPnP specification, it has 6 layers of protocols, among which the following three need special description in this paper:
- Discovery: Also called simple Service Discovery Protocol (SSDP), used to enable UPnP enabled devices to discover each other;
- Description: Describes the device in XML format through the remote URL.
- Control: Control messages use the SOAP protocol, also represented in XML, and look similar to RPC (but without any authentication);
The following diagram illustrates how these layers work together:
For details on UPnP, refer to the UPnP specifications 1.1 and 2.0.
Illegal abuse by UPnP
There are many ways to abuse UPnP, not to mention the many Cves associated with it. Over the past decade, several UPnP bugs have been exposed due to design flaws, most of which are the result of service configuration errors or poor implementation. This article describes one of them, the Open Forward attack. See the following for detailed analysis.
Normally UPnP should work within a local LAN, as shown below:
Typical use of UPnP in P2P services
SSDP uses UDP on port 1900, which sends m-search HTTPU packets (UDP-based HTTP) to 239.255.255.250(IPv4 multicast address address) or ff0X:: C (IPv6 address).
IGD finds m-search packets (1900 port/UDP)
Now, if you send an M-Search packet over the Internet to some vulnerable UPnP device, you can actually get a reply, even though it’s supposed to travel only within a LAN! This is the first step: use the router as a proxy.
Remote UPnP function
This is the first vulnerability here, the discovery service should not listen on the WAN interface. So what does an attacker get by sending an M-search packet?
The actual response of the incorrectly configured device is shown as follows:
SSDP spreads on the Internet
The m-Search server’s response contains Location, pointing to the HTTP header for the XML device description.
Here, you see the URL jump to the private IP address and can again (in most cases) access the Web server through the WAN on its public IP address. Get the SCPD (Service Control Protocol Document), which is an XML document that defines the set of action and state variables for a service implementation.
UPnP的SCPD XML
From this document you can see what services the device provides. XML also contains the ControlURL, which is the SOAP endpoint that communicates with that particular service (essentially, the GET/POST of that URL will trigger the operation).
WANIPConnection is an interesting service in our research that has been abused. On the surface it looks like UPnP service, but the attacker’s nefarious purpose is hidden inside.
WANIPConnection service
According to the UPnP standard:
This service type enables UPnP control points to configure and control IP connections on upnp-compliant InternetGatewayDeviceWAN interfaces. IP connection can be supported to any type of WAN interface, for example, DSL or cable can use this service.
Activate the WANIPConnection service for each Internet connection on WANConnectionDevice (see the state change table). The WANIPConnection service provides ip-level connections to ISPs for networked clients over a LAN.
More simply, this is the UPnP standard NAT traversal toolkit. In the documentation, you’ll find a function called AddPortMapping() that asks the router (IGD) to redirect TCP/IP traffic to a specific host/port in the LAN. This is often used on P2P services or gaming devices where the “NATing” device port needs to be opened.
The figure above is derived from the WANIPConnection specification
Here we demonstrate the abuse of UPnP.
Open the Forward attack
As expected, UPnP SOAP functionality on WAN interfaces can be enabled without any type of authentication. To send the AddPortMapping malicious request, you can:
- Access the local computer inside the NAT
- Access a remote computer through a router
The first attack, which Akamai calls UPnProxy: EternalSilence, has been used by threat groups to access Port 445 of Windows (SMB services) to exploit the notorious Eternblue vulnerability.
In my research (inspired by Symantec), I was more interested in the second option. Want to figure out how it works?
The attack is actually quite simple, you just ask, just like you would on a LAN, and the router adds port mappings with the appropriate parameters. Instead of redirecting traffic to local clients, traffic is specified to any public IP address. In most implementations, the UPnP daemon will simply generate the Iptables process with the specified parameters without any checks.
In this way, you can use the router as a dummy proxy and hide the IP address. This is how the Inception Framework organization uses layer 3 routing as a proxy for an attack.
Inception Framework attack activity
impact
According to Shodan, there are 2,200,000 (as of November 2018) UPNP-enabled devices responding to M-search requests… That number was huge and still exists today.
Through active scanning, we found that 13% of the exposed UPnP devices were vulnerable to the aforementioned Open Forward attack. This involves about 290,000 devices in 80 countries.
Open Forward Attack heat map
The four most affected carriers:
- Vietnam FTP Telecom
- South Korea’s telecoms
- China Taiwan Chunghwa Telecom
- ChinaNet, Shanghai
Open Forward Southeast Asian attack heat map
Europe is also affected
conclusion
This means that the attacker has a large number of potential targets and proxy nodes. In fact, there are 44 times more vulnerable nodes than Tor relays. Its attack trail is hard to catch: it doesn’t require malware implantation, and logs are often hard to get (mostly proprietary ISP boxes).
One advantage of using this attack is that the attacker is “anonymous”, as most IP addresses are residential and are neither blacklisted nor proxy servers (such as VPN or Tor relays). But there are drawbacks: the speed is very slow (due to a lot of SOAP overhead), and the traffic is not encrypted.
UPnP “Open Forward” is being used by many threat groups for attacks, and the service was still being abused as we published our research.