SSDP Scanning for UPnP Vulnerabilities

One day I was monitoring a system for network traffic and noticed that an SSDP service was communicating out from the machine to the IPv4 and IPv6 broadcast ranges. Kind of odd, as the machine was firewalled and should not have been communicating with anything at that particular time.

So what was it?

SSDP (Simple Service Discovery Protocol) is a protocol that advertises and looks for network services. On Windows systems, SSDP service controls communication for the Universal Plug and Play feature (uPnP).

Well, uPnP has not been without its issues, and earlier this year HD Moore of Rapid7 created a utility that both scans for SSDP communication and notifies you if the system is vulnerable to uPnP exploits.

What is interesting about the “UPnP SSDP M-SEARCH Information Discovery” tool is that it not only tells you if the machine is vulnerable to uPnP exploits, but also returns interesting information about the machine.

So even if the system isn’t vulnerable, chances are that you will at least be able to tell:

  • That it is up and running
  • Which service is running
  • And a valid user name!

The search tool is already included in Metasploit. So all you need to do is run it and feed it a network range:

[Screenshot: SSDP search]

Then type “run” or “exploit” and it will scan the network range looking for systems advertising uPnP services:

[Screenshot: SSDP search results 1]

Okay, it found one. It doesn’t appear to be vulnerable; if it were, the uPnP vulnerabilities would be listed with the return.

But if you notice, there is an HTML link. In this case, if we click the link, we are presented with a bunch of information that includes the machine name and a valid user name!

[Screenshot: User results]

As you can see from the scan results above, the Media Server was running on this machine, and a valid PC name and username are listed (blocked out to protect the innocent).

For security departments, running this utility against your company will quickly show any services that are being openly broadcast on your network. If these services are reachable from the internet (over 40 million are!) then you have some serious configuration issues that need to be addressed.
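For a security team that wants to reproduce the same check without Metasploit, here is an added Python example (not the post's code and not the Rapid7 module): it builds the M-SEARCH probe, parses the HTTP-style SSDP replies for the SERVER and LOCATION headers, and pulls the friendlyName out of the device description that LOCATION points to, which is where the PC name and username showed up above. The sample reply and XML are constructed for illustration; the `discover()` function sends a real multicast probe on the local segment.

```python
import socket
import xml.etree.ElementTree as ET
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
UPNP_NS = {"u": "urn:schemas-upnp-org:device-1-0"}

def build_msearch(st="ssdp:all", mx=2):
    # Same discovery datagram the Metasploit module multicasts.
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_response(raw):
    # Replies are HTTP-shaped: a status line, then "Header: value" lines.
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def extract_friendly_name(device_xml):
    # LOCATION points at this XML; friendlyName is the field that exposed
    # the PC name and username in the screenshots.
    node = ET.fromstring(device_xml).find(".//u:friendlyName", UPNP_NS)
    return node.text.strip() if node is not None and node.text else None

def discover(timeout=3.0):
    # Live probe of the local segment: returns {responder_ip: parsed headers}.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        responders = {}
        while True:
            try:
                data, addr = sock.recvfrom(65535)
            except socket.timeout:
                return responders
            headers = parse_ssdp_response(data)
            if headers:
                responders[addr[0]] = headers

# Constructed sample reply and device description (not captured from a real host).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.10:2869/device.xml\r\n"
                b"SERVER: Microsoft-Windows/6.1 UPnP/1.0 Windows-Media-Player-DLNA/12.0\r\n"
                b"ST: upnp:rootdevice\r\nUSN: uuid:EXAMPLE-UUID::upnp:rootdevice\r\n\r\n")
SAMPLE_DESC = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<friendlyName>jdoe (EXAMPLE-PC: 1: Windows Media Player)</friendlyName></device></root>"""
```

Run `discover()` from a host on the segment you are auditing and fetch each LOCATION URL yourself to see what the description document gives away; anything answering from outside your perimeter is the misconfiguration the post warns about.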
