June 9, 2020 by Ryan Victory
On June 8, Yunus Çadırcı, a cybersecurity senior manager at EY Turkey released a whitepaper and proof of concept code repository for a newly discovered vulnerability in the Universal Plug and Play (UPnP) protocol. UPnP is widely used in intranets to facilitate service discovery for many types of devices (printers, televisions, etc.).
The vulnerability, which has been named “CallStranger” has been issued CVE-2020-12695. CallStranger focuses on the “SUBSCRIBE” feature of UPnP, wherein an interested party can request notification of certain events occurring on the UPnP enabled device. The SUBSCRIBE feature allows for the interested party to provide a callback URL which will be requested (using an HTTP “NOTIFY” method) when the event occurs. The problem with this technique is that most UPnP enabled devices do not check the URL in any way. This allows an attacker to insert any URL in this field and the UPnP device will connect to it without validation.
By allowing the attacker to essentially force a connection to an arbitrary URL, CallStranger can be used in three key ways:
After reading the whitepaper, we put together a quick Zeek plugin that can detect the first two – data exfiltration, DDoS amplification. The script really highlights the power of Zeek and its ability to process network-related events in Zeek scripts in real time. The script will monitor HTTP traffic and identify if there is any UPnP traffic that looks like CallStranger exploit attempts/successes. If it observes any, it adds a notice in the notice.log with one of the following notice types:
Generally speaking, this script shouldn’t cause false positives on most networks. False positives are more likely if your network regularly has UPnP traffic that is Internet-bound. If so, you may have to tune the script accordingly. There are two configuration options to help you with this:
The script also uses your Site::local_nets variable to ignore any internal UPnP traffic. It is recommended that you configure this in your site/local.zeek.
Overall, it’s incredible to see how quickly we can leverage the power of Zeek scripting to create detections for new vulnerabilities. We can also quickly modify our detection if there are any issues or if the vulnerability changes in any way.
Grab the plugin/script from https://github.com/corelight/callstranger-detector.
If you’d like to learn more about Corelight or this prototype detection script, please contact us.