
CallStranger - Exploitable UPnP vulnerability in millions of devices

Solved by Questargon

Hi everybody.

 

A new UPnP vulnerability has been discovered recently that might be a hacker's dream. It is listed as CVE-2020-12695 and has been nicknamed "CallStranger". This security issue is serious because the vulnerability uses an intentional UPnP protocol feature (service subscription with callback) that is also implemented in many IoT devices, which will NOT be patched.

Quote:

An attacker can use this vulnerability for:
* Bypassing DLP for exfiltrating data
* Using millions of Internet-facing UPnP devices as a source of amplified reflected TCP DDoS / SYN Flood
* Scanning internal ports from Internet-facing UPnP devices

Additional information and links can be found in the article about the CVE above. Some more here:

https://www.callstranger.com

https://www.tenable.com/blog/cve-2020-12695-callstranger-vulnerability-in-universal-plug-and-play-upnp-puts-billions-of

https://www.zdnet.com/article/callstranger-vulnerability-lets-attacks-bypass-security-systems-and-scan-lans/

 

If you want to know whether your local network has any vulnerable devices, download the Python 3 script from this repository: https://github.com/yunuscadirci/CallStranger and let it scan your local network. It looks for all UPnP devices and checks them for "CallStranger". If such devices are found, make sure that they cannot be reached from the internet (i.e. check port forwarding on your internet router) or turn their UPnP feature off! If the router itself is vulnerable, disable its UPnP functionality as well! You might even have to contact your ISP when you do not have full control over your router, to check whether they can mitigate this somehow.

 

The recommended patch for this is to only allow callback requests to the same network matching the URL of the subscription request. Routers and software running on common computers might get these patches soon™, but most of the cheap IoT devices never will. This means free DDoS carpet bombing for the internet villains. Or they can try to scan your local network using this reflection attack and get information that should not leave that network.

 

Stay safe,

questargon

Edited by Questargon
Added the bit about scanning your local network.


is there a way to block DDoS attacks with a Raspberry Pi or something? like if I configure my network so that all traffic runs through it first, can it be detected and stopped?


Well that's very not good.


13 minutes ago, Ashley xD said:

is there a way to block DDOS attacks with a raspberry pi or something? like if i configure my network as to run all thraffic through it first can it be detected and stopped?

Do you want to prevent your devices from being used in a DDoS attack scheme, or do you want to prevent being attacked by a DDoS? The first would need some kind of firewall that looks into the request payload to identify nefarious reflecting subscription requests. For the second there are some solutions that might be able to mitigate a DDoS attack, but I do not know whether they are any good. (-_-)

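The "same network" rule that the opening post describes as the recommended patch, and the payload-inspecting firewall Questargon mentions in the reply above, come down to the same check on the CALLBACK header of a UPnP SUBSCRIBE request. The following is an added example in Python, not code from this thread or from the CallStranger repository; the SUBSCRIBE request, the subscriber address and the local network 192.168.1.0/24 are constructed for illustration:

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of a UPnP event SUBSCRIBE request as it arrives at a
# device's event URL; the CALLBACK header may carry several <URL> entries.
SAMPLE_SUBSCRIBE = (
    "SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
    "HOST: 192.168.1.20:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.9:443/>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n"
    "\r\n"
)

def parse_subscribe(raw: str) -> dict:
    """Return the request method and a dict of headers (names upper-cased)."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {"method": lines[0].split(" ", 1)[0], "headers": headers}

def callback_urls(headers: dict) -> list:
    """Extract every <URL> from the CALLBACK header (UPnP allows a list)."""
    return re.findall(r"<([^>]+)>", headers.get("CALLBACK", ""))

def check_callback(url: str, subscriber_ip: str, local_net: str) -> str:
    """Apply the recommended fix: the callback host must be an address on the
    same network as the subscriber. Returns 'ok', 'suspicious: ...' or
    'reject: ...'."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return "reject: callback must be a plain http URL with a host"
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return "reject: callback host must be an IP literal, not a hostname"
    net = ipaddress.ip_network(local_net, strict=False)
    if host not in net:
        return "reject: callback host %s is outside %s" % (host, net)
    if host != ipaddress.ip_address(subscriber_ip):
        # Still on the LAN, but the subscriber asks the device to notify a
        # third machine: the pattern behind the internal port-scan abuse.
        return "suspicious: callback host differs from subscriber %s" % subscriber_ip
    return "ok"

def audit_subscribe(raw: str, subscriber_ip: str, local_net: str) -> dict:
    """Map each callback URL in a SUBSCRIBE request to its verdict."""
    req = parse_subscribe(raw)
    if req["method"] != "SUBSCRIBE":
        return {}
    return {u: check_callback(u, subscriber_ip, local_net)
            for u in callback_urls(req["headers"])}

def should_block(raw: str, subscriber_ip: str, local_net: str) -> bool:
    """True when any callback is off-network: the device, or a firewall that
    inspects the request payload, can then refuse the whole subscription."""
    verdicts = audit_subscribe(raw, subscriber_ip, local_net).values()
    return any(v.startswith("reject") for v in verdicts)
```

Calling audit_subscribe(SAMPLE_SUBSCRIBE, "192.168.1.50", "192.168.1.0/24") accepts the LAN callback and rejects the one pointing at 203.0.113.9, which is exactly the request shape a reflection or exfiltration attempt relies on.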

14 minutes ago, BlueScope819 said:

Could someone possibly make an "idiot's guide to scanning your local network"? This is my first time using Python; I just tried and the Windows CLI told me python3 was not a command that existed. Thanks.

The script doesn't work on Windows; it relies on libraries only found on Linux. It may also work on macOS, but I haven't taken much more than a cursory look through it.

It's not working on Windows, or at least not on my installation, but that was an incorrect reason why.


2 minutes ago, Questargon said:

Do you want to prevent that your devices are used in a DDoS-attack-scheme?

this. 

 

2 minutes ago, Questargon said:

would need some kind of firewall that looks into the request payload to identify nefarious reflecting subscription requests.

is there a good one around? that's free to use?

 

2 minutes ago, gabrielcarvfer said:

Like a firewall? You probably won't be able to recognize it as malicious or not if it's not really generating much traffic. That's a reflection attack's main advantage. Cloudflare is way more effective since it traces the source back to the attackers and coordinates with major ISP networks to disconnect/block the sources.

it depends; if it's sending loads of packets to one address over and over and over it should be easy to block... but that could be my ignorance.


1 minute ago, gabrielcarvfer said:

Only script kiddies would do that. If you want to stay undetected, you can't be that aggressive. The amplification of the attack compensates for that (I've seen up to 30x on DNS and SNMP). Also, there are other attacks, such as abuse of protocol (e.g. Slowloris), that don't generate that much traffic but are very effective.

ah got it, then yeah it's almost impossible to block... shit. 


3 minutes ago, BlueScope819 said:

That would do it. I don't dual boot Linux on my laptop so will have to do that tomorrow.

I got the reason wrong, but I still can't get it working on Windows. Suffice it to say Linux would be your best bet. You definitely do have vulnerable devices, however, as it appears Windows 10 itself is vulnerable at this time.


Looking at the Github issues it seems like the script is just straight up busted, and I haven't had any luck getting it to run on Windows, WSL, or Linux proper.


8 hours ago, BlueScope819 said:

Could someone possibly make an "idiot's guide to scanning your local network"? This is my first time using Python; I just tried and the Windows CLI told me python3 was not a command that existed. Thanks.

HA! I got it working natively under Windows 10.

It all starts with:

1) Download the Python script from https://github.com/yunuscadirci/CallStranger/archive/master.zip
2) Unpack it into a directory of your choice.

WINDOWS 10 natively:

Use these steps:

3) Install Python 3.8 from the Microsoft Store.
4) Open a PowerShell or cmd (I used an Administrator PowerShell for this, but I am not sure whether you really need it).
5) Install pip using the script provided here: https://www.liquidweb.com/kb/install-pip-windows/
6) Execute the following commands in the shell:

cd [to the directory called "CallStranger-master"]
pip install --upgrade pip
pip install -r requirements.txt
python3 setup.py install --local
python3 CallStranger.py

See COMMON NOTES... below when the script does not detect anything on the first run.

 

WINDOWS 10 using Cygwin:

(Alternatively) It IS possible to run that script on a Windows machine, but ... well ... it uses a Linux subsystem ^_^; You can use Cygwin for that, see https://www.cygwin.com/.

3) Download the Cygwin setup program: https://www.cygwin.com/setup-x86_64.exe
4) Follow the instructions and, when selecting packages to install, select the following additional packages:
   * cygwin-gcc-core
   * python36-devel
   * python36-pip
   * python36-cffi
   * python36-openssl
   * mingw64-x86_64-openssl
   * libffi-devel
(I hope I didn't miss anything here.)

Set up your Python stuff:

5) Open the freshly installed Cygwin shell (called Cygwin64 Terminal in the Start Menu).
6) Enter the following:

cd [into the directory "CallStranger-master" you unpacked from the zip above. That might start with /cygdrive/c/ under Cygwin!]
pip3 install --upgrade pip
pip3 install -r requirements.txt
python3 setup.py install
python3 CallStranger.py

See COMMON NOTES... below when the script does not detect anything on the first run.

 

Windows 10 using WSL / WSL 2:

WSL on Windows will NOT work because it is usually configured as a virtual machine behind NAT, so the Linux there runs on another, encapsulated network. If you know how to run WSL in the same network as the Windows machine, you're good to go.

Windows 10 using VMware Player (or similar):

Another possibility is to run Linux in a VM provided by a free tool like VMware Player. The only thing to remember here is to connect this VM directly to your network via "bridged" networking and avoid using NAT.

When Linux is installed, temporarily stop your firewall with

sudo systemctl stop firewalld

or it might block all UPnP access from within your Linux VM.

 

COMMON NOTES FOR ALL OF THE ABOVE:

The first run of CallStranger.py will likely NOT give you any results. Try to connect from your Windows machine to at least one UPnP-enabled device and then run CallStranger.py again. (The UPnP device that did the trick for me was my minidlna service on my Linux server. I connected my VLC player to it and played some music while CallStranger.py was running.)

Hth,

questargon

Edited by Questargon
Rewrote it with several methods of getting CallStranger.py to run on Windows machines.


Traceback (most recent call last):
  File "CallStranger.py", line 113, in <module>
    devices = upnp.discover()
  File "/home/heathcliff/Downloads/CallStranger-master/upnpy/upnp/UPnP.py", line 33, in discover
    for device in self.ssdp.m_search(discover_delay=delay, st='upnp:rootdevice', **headers):
  File "/home/heathcliff/Downloads/CallStranger-master/upnpy/ssdp/SSDPRequest.py", line 49, in m_search
    devices = self._send_request(self._get_raw_request())
  File "/home/heathcliff/Downloads/CallStranger-master/upnpy/ssdp/SSDPRequest.py", line 100, in _send_request
    device = SSDPDevice(addr, response.decode())
  File "/home/heathcliff/Downloads/CallStranger-master/upnpy/ssdp/SSDPDevice.py", line 81, in __init__
    self._get_description_request(utils.parse_http_header(response, 'Location'))
  File "/home/heathcliff/Downloads/CallStranger-master/upnpy/ssdp/SSDPDevice.py", line 114, in _get_description_request
    device_description = utils.make_http_request(url).read()
AttributeError: 'NoneType' object has no attribute 'read'

Guess I won't be using this tool..... (yes, I installed the dependencies)


28 minutes ago, jagdtigger said:

Guess i wont be using this tool..... (yes installed dependencies)

Take another look at my instructions. Maybe there is a method that works for you.


1 hour ago, Questargon said:

Take another look at my instructions. Maybe there is a method that works for you.

Running it on Linux....


9 hours ago, gabrielcarvfer said:

Other than blocking all traffic except for whitelisted addresses/ports, or a good firewall that does that for you, nope.

Can anyone do a sanity check for me? So if I understand this right, even having UPnP disabled at the router level does nothing? Does having a DSL modem/router combo in modem-only mode, passed to a pfSense system for the actual router part, have any vulnerabilities on the modem side? How do we mitigate this attack vector thoroughly without waiting for patches?


As far as I'm concerned UPnP is itself a vulnerability and should be kept disabled at the router level, so this doesn't concern me. I'd recommend anyone interested follow a similar protocol, especially with this new news. For everyone else who doesn't keep up with tech and runs everything with default settings, this will unfortunately only add to the long list of security issues with IoT devices.


4 hours ago, gabrielcarvfer said:

Never said that. He asked if there was anything else to do, like updating and I said blocking all traffic except for whitelisted stuff is the best way to protect against attacks.

Disabling UPnP at your gateway is enough to protect you against UPnP flaws on home networks, because it stops it from opening ports for incoming connections.
If you're on a public network, disable UPnP on your devices.

Depends on the manufacturer's implementation of the modem-only mode. I prefer using it as a router and configuring it manually instead of relying on ISP default settings (which usually are hot garbage). If your pfSense router is the gateway, then disable UPnP on it.

Ok, thanks for the info. I thought disabling it at router level would fix this and figured I had misread something. Which is perfectly fine; I consider UPnP itself a security issue that should always be turned off.


1 hour ago, Ryan_Vickers said:

As far as I'm concerned UPnP is itself a vulnerability and should be kept disabled at the router level, so this doesn't concern me. I'd recommend anyone interested follow a similar protocol, especially with this new news. For everyone else who doesn't keep up with tech and runs everything with default settings, this will unfortunately only add to the long list of security issues with IoT devices.

Scanned my 20-some-odd IoT devices locally, only found one set of issues and that was all with my Sonos speaker. I don't have UPnP enabled, and in fact I cannot even enable it since the ASA doesn't do that :P
