SSDP Scanning for UPnP Vulnerabilities

One day I was monitoring a system for network traffic and noticed that an SSDP service was communicating out from the machine to the IPv4 and IPv6 broadcast ranges. Kind of odd, as the machine was firewalled and should not have been communicating with anything at that individual time.

So what was it?

SSDP (Simple Service Discovery Protocol) is a protocol that advertises and looks for network services. On Windows systems, the SSDP service handles communication for the Universal Plug and Play (UPnP) feature.

Well, UPnP has not been without its issues, and earlier this year HD Moore of Rapid7 created a utility that both scans for SSDP communication and notifies you if the system is vulnerable to UPnP exploits.

What is interesting about the “UPnP SSDP M-SEARCH Information Discovery” tool is that it not only tells you if the machine is vulnerable to UPnP exploits, but also returns interesting information about the machine.

So even if the system isn’t vulnerable, chances are that you will at least be able to tell:

  • It is up and running
  • The service that is running
  • And a valid user name!

The search tool is already included in Metasploit. So all you need to do is run it and feed it a network range:

[Screenshot: SSDP search]

Then type “run” or “exploit” and it will scan the network range looking for systems advertising UPnP services:

[Screenshot: SSDP search results]

Okay, it found one. It doesn’t appear to be vulnerable; if it were, the UPnP vulnerabilities would be listed in the output.

But notice that there is an HTML link. In this case, if we click the link, we are presented with a bunch of information that includes the machine name and a valid user name!

[Screenshot: User results]

As you can see from the scan results above, the Media Server was running on this machine, and a valid PC name and username are listed (blocked out to protect the innocent).

For security departments, running this utility against your company will quickly show any services that are being openly broadcast on your network. If these services are reachable from the internet (over 40 million are!), then you have some serious configuration issues that need to be addressed.
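To see what the Metasploit module is actually doing on the wire, here is an added example (not the module's code, nor anything from Rapid7) that builds the same SSDP M-SEARCH request, parses the unicast replies, and collects which hosts on your own segment answer. The sample reply is constructed, not captured from a real machine, and the address 192.0.2.10 is a placeholder; the LOCATION header it carries is the link the post clicks to reach the device description.

```python
import socket
from typing import Dict, List, Optional

SSDP_MCAST = ("239.255.255.250", 1900)  # IPv4 SSDP multicast group and port

def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the HTTP-over-UDP M-SEARCH request that UPnP control points send."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_MCAST[0]}:{SSDP_MCAST[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode("ascii")

def parse_ssdp_response(data: bytes) -> Optional[Dict[str, str]]:
    """Parse one unicast SSDP reply into lower-cased headers; None unless 200 OK."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def discover(timeout: float = 3.0) -> Dict[str, List[Dict[str, str]]]:
    """Send one M-SEARCH and collect every host on the local segment that answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: Dict[str, List[Dict[str, str]]] = {}
    try:
        sock.sendto(build_msearch(), SSDP_MCAST)
        while True:  # read replies until the timeout expires
            data, (addr, _port) = sock.recvfrom(65507)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.setdefault(addr, []).append(hdrs)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample reply (not captured from a real host), shaped like the one a
# Windows Media Player DLNA server returns; LOCATION is the link the post clicks.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=900\r\nST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"SERVER: Microsoft-Windows/6.1 UPnP/1.0 Windows-Media-Player-DLNA/12.0\r\n"
    b"LOCATION: http://192.0.2.10:2869/upnphost/udhisapi.dll?content=uuid:0\r\n\r\n"
)
```

Calling `discover()` from a host on the segment you are auditing and printing each entry's `server` and `location` headers gives the same inventory of advertised services that the post's screenshots show.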

Japan Building Automatic Cyber Defense Virus

Japan steps it up a notch in the cyber war arena. Apparently the Japanese government has hired IT product giant Fujitsu to create a cyberweapon virus that will automatically seek out and destroy enemy viruses:

“The three-year project was launched in fiscal 2008 to research and test network security analysis equipment production. The Defense Ministry’s Technical Research and Development Institute, which is in charge of weapons development, outsourced the project’s development to a private company. Fujitsu Ltd. won the contract to develop the virus, as well as a system to monitor and analyze cyber-attacks for 178.5 million yen.”

That’s a cool 2.3 million to create an offensive cyber defense system that will not only detect an attack, but will backtrack and seek out the attacker, even when attackers bounce through several proxy systems. According to the article, the “virus” will disable the incoming attack and record forensics data.

The defensive program almost acts like a human immune system tracking down and weeding out invading viruses. Systems like these are needed when facing the latest advanced threats.

Actually, computer scientists and engineers are currently studying the human immune system to try to replicate it for computer defense.

Though automated cyber defense systems are classified, from what public data is available the US has had this capability for at least a couple of years now. US computer security company Rsignia comes to mind immediately. Rsignia creates cutting edge security devices used by the US government and in the US-CERT Einstein program.

We covered Rsignia’s Cyberscope automated offensive cyber weapon system back in 2010.

Cyberscope has the ability to detect and automatically counterattack incoming threats. It has several options that it can use in response. For example, it can simply shut the attacking stream down, or intercept the data that is being exfiltrated, manipulate it, and feed it back to the attacker. Or better yet, it can even infect the proxy machines used and turn them into bots to counterattack the infiltrator.

These were the capabilities openly discussed in mid-2010; who knows how far the US has advanced since.