fokistores.blogg.se

Asset upnp remove streams tunein









Much has been said about the security of Universal Plug and Play (UPnP) over the years.

Finding UPnP services

There have been FBI warnings, security researchers have published papers, and even Forbes has told us to disable UPnP. But how do you know if UPnP servers are on your network? Are there specific services we should worry about? Do we really need to be concerned about UPnP?

To answer some of these questions, Tenable wrote a simple Python script called upnp_info.py. The script finds all UPnP services and enumerates their functionality.

Some of you may be thinking, “I don’t need that script. I know I disabled UPnP.” But did you? Consider this screenshot of my home router’s web interface:

Looks like I disabled UPnP, right? Here’s what upnp_info.py says about my network:

    Discovering UPnP locations

Looks like there are still a couple of UPnP services available on my router even after apparently disabling that functionality. What does the UPnP Enabled checkbox on the router’s UI do? I enabled it to find out what the difference is:

    Discovering UPnP locations

Another UPnP service! But what are all these for? upnp_info.py provides a long description of each UPnP location it encounters. Since this output is verbose, here’s a look at just the services provided by the new UPnP server on port 39468:

    > Server String: Linux/BHR4 UPnP/1.1 MiniUPnPd/1.8
    > Device Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    => Service Type: urn:schemas-upnp-org:service:WANIPConnection:1

You can generally figure out what type of service a UPnP server offers by looking at the “Device Type” attribute. Above, you can see that the device type is urn:schemas-upnp-org:device:InternetGatewayDevice:1. This UPnP server implements the infamous Internet Gateway Device (IGD) Protocol. IGD allows anyone on the LAN to open holes in the router’s firewall. Everyone should disable IGD since it is easily abused by both insider threats and malware. And don’t think IGD is only a liability on the LAN. A tool called Filet O Firewall has proven that a motivated remote attacker can reach it from the WAN too. Nessus® users can use plugin 35707 to check for IGD manipulation.

Examining a different type of UPnP server

IGD has been written and talked about so much that it has almost become interchangeable with UPnP. Yet, UPnP has so much more to offer! It can be used to create file shares, stream media, control the volume on your television, unlock your front door, and just about anything that a developer can imagine!

Now take a look at a different UPnP server on my home network and consider the security threats it might represent. On my network, I have a smart home controller called VeraLite. The device implements multiple UPnP services, but I’ll focus on the HomeAutomationGateway interface.

    > Server String: Linux/2.6.37.1, UPnP/1.0, Portable SDK for UPnP devices/1.6.6
    > Device Type: urn:schemas-micasaverde-com:device:HomeAutomationGateway:1
    > Model Description: MiOS Z-Wave home gateway
    => Service Type: urn:schemas-micasaverde-org:service:HomeAutomationGateway:1

As you can see from the device type, this interface is not one of the standard profiles defined by the Open Interconnect Consortium (formerly the UPnP Forum). The standard profiles start with urn:schemas-upnp-org, but this HomeAutomationGateway profile starts with urn:schemas-micasaverde-com. This is a custom schema defined by MiCasaVerde (the maker of VeraLite). What does this mean? It simply means that this UPnP interface is not burdened by a specification released by a governing body. The server’s developers, MiCasaVerde, can implement any actions they’d like. So, I need to look at the API closely to determine if any of the available actions present a security risk. For example, is the Reload action a denial of service vector?

Background research into the VeraLite revealed that, in 2013, Daniel Crowley, Jennifer Savage and David Bryan wrote and presented a paper called Home Invasion 2.0. The paper includes details about using VeraLite’s HomeAutomationGateway RunLua action to gain root access on the device (TWSL2013-019 - CVE-2013-4863)! This is exactly the type of thing you should be worried about. Looking back at the upnp_info.py output, the RunLua action is available for our use. Given Daniel’s previous success in executing Lua code via RunLua, I figured I’d give it a try too.
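The device-type reading this article relies on (IGD versus other standard urn:schemas-upnp-org profiles versus vendor-defined schemas) can be automated for a network audit. The following is an added example, not part of upnp_info.py or the original article; the XML documents are constructed samples modelled on the two devices discussed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DEVICE_NS = "{urn:schemas-upnp-org:device-1-0}"   # namespace of UPnP description documents
STANDARD = "urn:schemas-upnp-org:"                # prefix of the standard profiles
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:"

# Constructed description documents, modelled on the two devices in the article.
ROUTER_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
    <serviceList><service>
      <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    </service></serviceList>
  </device></deviceList>
</device></root>"""

VERA_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
  <deviceType>urn:schemas-micasaverde-com:device:HomeAutomationGateway:1</deviceType>
  <serviceList><service>
    <serviceType>urn:schemas-micasaverde-org:service:HomeAutomationGateway:1</serviceType>
  </service></serviceList>
</device></root>"""


def classify(urn):
    """Label one device or service type URN."""
    if urn.startswith(IGD):
        return "igd"        # firewall hole punching from the LAN: disable
    if urn.startswith(STANDARD):
        return "standard"   # behaviour is fixed by a published profile
    return "vendor"         # custom schema: every action needs manual review


def audit(description_xml):
    """Return {urn: label} for every device and service type, nested devices included."""
    root = ET.fromstring(description_xml)
    result = {}
    for tag in ("deviceType", "serviceType"):
        for element in root.iter(DEVICE_NS + tag):
            urn = (element.text or "").strip()
            if urn:
                result[urn] = classify(urn)
    return result


if __name__ == "__main__":
    for name, xml_text in (("router", ROUTER_XML), ("VeraLite", VERA_XML)):
        for urn, label in audit(xml_text).items():
            print(f"{name:9} {label:9} {urn}")
```

Anything labelled vendor is where the manual API review described in the article should start, since no published specification constrains what those actions do.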









