myhack58 / 佚名 / MYHACK58:62201993392
History: Mar 29, 2019 - 12:00 a.m.

What Will Come Out of the Printer Next? The State of UPnP Use and Its Risks - Vulnerability Alert - Black Bar Security Network (myhack58.com)

2019-03-29 00:00:00
佚名
www.myhack58.com
406

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.974 High
Percentile: 99.9%

Earlier this year, users of Chromecast streaming dongles, Google Home devices and smart TVs were forced to receive a message promoting the YouTube channel PewDiePie. The hijacking was reportedly carried out by fans caught up in the subscriber battle between the platform's top channels. Reports say the hackers exploited improperly configured routers with the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to private devices and left those devices open to the public Internet.
Many devices, such as cameras, printers and routers, use the UPnP protocol so that they can automatically discover other devices on the local network and communicate with them to share data or stream media. But along with this convenience come security risks, such as allowing attacker-controlled devices to bypass firewall protection, to name just one.
Following the incident above, we investigated UPnP-related events on home networks and found that many users' devices are still using the UPnP protocol.

Table 1. UPnP enabled, by major device type
In January this year, we detected that 76 percent of routers had UPnP enabled, and 27% of media devices such as DVD players and media streaming devices also had UPnP enabled. Once a UPnP vulnerability is exploited by attackers, a router or other device can easily be turned into a proxy that obscures the source of botnet traffic, distributed denial-of-service (DDoS) attacks or spam campaigns, making it nearly impossible to trace the malicious activity back to whoever runs it. There have been such cases before, in which UPnP protocol vulnerabilities in routers were exploited to force them to connect to a port and send spam or other malicious messages.
The IoT botnet Satori became infamous for its use of a UPnP vulnerability, CVE-2014-8361, a command injection vulnerability in the Realtek SDK miniigd UPnP SOAP interface. An advisory for this vulnerability, together with the appropriate mitigation measures, was published in May 2015, but according to the latest data we have collected, many devices are still running older, possibly vulnerable UPnP versions.

![](/Article/UploadPic/2019-3/20193292295992.png)
Figure 1. Shodan search results for UPnP (data as of March 5, 2019)
The online search engine Shodan can show the number and distribution of devices worldwide that use the UPnP protocol. Scanning on the standard UPnP port 1900, we retrieved 1,649,719 devices. The following table lists some of the well-known UPnP libraries; MiniUPnPd and Custom (Broadcom UPnP library) are the ones used by the most devices in the search.
Table 2. Top three UPnP libraries in the Shodan results (data as of March 5, 2019)
UPnP-related vulnerabilities and the state of home network devices
Using our own scanning tool, we studied the UPnP libraries used in home and other small-scale network environments and identified the factors that may leave devices vulnerable. In short, we found that most devices still use older versions of UPnP libraries, and these libraries have many vulnerabilities that were published years ago.
MiniUPnPd
Data from our IoT scanning tool shows that 16% of devices with UPnP enabled use the MiniUPnPd library. MiniUPnPd is a well-known UPnP daemon that provides port-mapping protocol services for NAT (Network Address Translation) routers. Interestingly, we detected devices running older versions of MiniUPnPd: 24% use MiniUPnPd 1.0, 30% use MiniUPnPd 1.6, and only 5% of devices use a MiniUPnPd 2.x version (MiniUPnPd 2.1 is the latest version).
Table 3. Share of devices by MiniUPnPd version
Devices running the older daemon versions must be updated in order to eliminate several known high-risk vulnerabilities. For example, CVE-2013-0230 is a stack-based buffer overflow in ExecuteSoapAction in MiniUPnPd 1.0 that allows an attacker to execute arbitrary code; CVE-2013-0229 is a vulnerability in the ProcessSSDPRequest function in MiniUPnPd before 1.4 that allows an attacker to trigger a buffer over-read with a crafted request and cause a denial of service (DoS); and CVE-2017-1000494 is an uninitialized stack variable vulnerability in MiniUPnPd before 2.0 that allows attackers to cause a DoS (segmentation fault and memory corruption).
Windows UPnP server
We also found that 18% of devices use a Windows-based UPnP server. These devices, especially Microsoft Windows XP (Windows NT 5.1) computers, should be checked to confirm that the MS07-019 patch has been applied. (Note, however, that Windows XP reached end of life in April 2014, which means it is no longer supported by Microsoft and its security issues will no longer be fixed.) Windows XP ships with UPnP functionality available out of the box, and the patch fixes the UPnP memory corruption vulnerability CVE-2007-1204, which allows a remote attacker to run arbitrary code in the context of the Local Service account.
Libupnp, the Portable SDK for UPnP Devices
Libupnp, the Portable SDK for UPnP Devices, is another well-known UPnP library, and it supports a variety of operating systems. According to our data, 5% of the detected devices use the libupnp library package. Although this is not a large proportion, we note that most devices carrying this library run versions older than 1.6.18/1.6.19, while the current version is 1.8.4. In versions before 1.6.18, the unique_service_name function has a stack-based buffer overflow vulnerability, CVE-2012-5958, which allows remote attackers to execute arbitrary code via a User Datagram Protocol (UDP) packet.
Conclusions
For users, determining whether a device has UPnP-related vulnerabilities, or whether it is already infected, is very tricky. Some devices may be hidden behind a NAT, so even if a vulnerability exists, the user will not immediately see the risk. To prevent exploitation of UPnP-related vulnerabilities, users should make sure their devices are kept updated. If you suspect a device is infected, you should restart it, reset it to factory settings or, to be safe, replace it entirely. Unless the network needs a device's UPnP function, it is best to disable it wherever the device allows. Note, however, that turning off UPnP may also disable some related features, including those that rely on local device discovery or on handling requests from other devices.
Home users can also take the following measures to increase security:
1. Use Trend Micro's HouseCall for Home Networks tool to scan the home network and check which devices have UPnP port 1900 open.
2. Go to the device's settings page (for example, the router's settings page) and disable UPnP.
3. Manually configure port forwarding settings as needed.
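As an added example (not part of the original article or of any Trend Micro tool), the following Python script performs the port-1900 check from step 1 and maps each reply's SERVER header to the library and version the article discusses, flagging versions below the CVE cut-offs it cites. The sample reply and the 192.168.1.1 address are constructed; a device that rewrites or omits its SERVER header will not be identified.

```python
import re
import socket

# SSDP discovery multicasts an M-SEARCH to 239.255.255.250 on UDP 1900 (the port
# the article's Shodan search used); every UPnP device on the LAN replies.
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
# Oldest version not covered by a CVE the article lists (MiniUPnPd < 2.0 for
# CVE-2017-1000494, libupnp < 1.6.18 for CVE-2012-5958); assumes SERVER is truthful.
MIN_SAFE = {"miniupnpd": (2, 0), "portable sdk for upnp devices": (1, 6, 18)}
SAMPLE = ("HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"  # constructed MiniUPnPd 1.6 reply
          "SERVER: Linux/2.6.30 UPnP/1.0 MiniUPnPd/1.6\r\n"
          "LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")

def parse_headers(response):
    # SSDP replies are HTTP-style: a status line, then "Name: value" headers.
    headers = {}
    for line in response.split("\r\n")[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers

def identify_library(server):
    # Pull (library, version tuple) out of the SERVER header, else (None, None).
    m = re.search(r"(MiniUPnPd|Portable SDK for UPnP devices)/(\d+(?:\.\d+)*)",
                  server, re.IGNORECASE)
    if not m:
        return None, None
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))

def assess(response):
    # Classify one reply: which library answered, and is it below the cut-off?
    server = parse_headers(response).get("server", "")
    lib, ver = identify_library(server)
    outdated = lib in MIN_SAFE and ver < MIN_SAFE[lib]
    return {"server": server, "library": lib, "version": ver, "outdated": outdated}

def discover(timeout=3.0):
    # Send one M-SEARCH to the LAN and assess every reply until the socket times out.
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH.encode(), ("239.255.255.250", 1900))
        while True:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                return results
            results.append((addr[0], assess(data.decode(errors="replace"))))
```

Run `discover()` from a host on the home network to list each responding device's IP with its library, version and an outdated flag; devices that answer but are not matched (for example a Windows UPnP Device Host) are reported with `library` set to None.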
