MinimServer Forum
CallStranger - Printable Version



CallStranger - DrD - 28-06-2020 09:42

The CallStranger vulnerability in UPnP (CVE-2020-12695) has been much in the news lately. Every other service on my home network has now been patched. The remaining vulnerable ones are all associated with MinimServer:

Code:
Verified vulnerable services:
1:    http://192.168.0.29:9791/c4a1d972-3ae5-4d1c-8126-c7acd90541a8/jminim.org-Monitor-1/event
2:    http://192.168.0.29:9791/c4a1d972-3ae5-4d1c-8126-c7acd90541a8/jminim.org-Log-1/event
3:    http://192.168.0.29:9791/a323148f-7675-4fa0-a7ee-08d60d1b989b/upnp.org-ConnectionManager-1/event
4:    http://192.168.0.29:9791/a323148f-7675-4fa0-a7ee-08d60d1b989b/upnp.org-ContentDirectory-1/event

Any word on when this will be fixed in MinimServer?


RE: CallStranger - simoncn - 28-06-2020 16:27

I wasn't aware of this until your post. Thanks for letting me know. How did you produce the list of vulnerable services?


RE: CallStranger - DrD - 28-06-2020 19:00

(28-06-2020 16:27)simoncn Wrote:  I wasn't aware of this until your post. Thanks for letting me know. How did you produce the list of vulnerable services?

From the website I sent you to:

Quote: Billions of UPNP devices on the local network and millions of UPnP devices on the Internet are exposed. CallStranger is a protocol vulnerability thus almost all UPnP devices (and probably yours) must be updated. You can check if your devices are vulnerable or not with our tool on GitHub.

That's the tool I used.

On my initial scan of my home network, there were 35 vulnerable services on 4 machines. After updating everything else, there are now 4 vulnerable services on one machine: all associated with MinimServer 0.8.5.2 update 134.


RE: CallStranger - simoncn - 28-06-2020 20:13

I have installed this package (not easy to get the right level of Python 3 that works with my Linux version). When I run the command:

Code:
python3 CallStranger.py

I get this error:

Code:
Traceback (most recent call last):
  File "CallStranger.py", line 3, in <module>
    import upnpy
  File "/sd1/callstranger/CallStranger-master/upnpy/__init__.py", line 29, in <module>
    from upnpy.upnp.UPnP import UPnP
  File "/sd1/callstranger/CallStranger-master/upnpy/upnp/UPnP.py", line 1, in <module>
    from upnpy.ssdp.SSDPRequest import SSDPRequest
  File "/sd1/callstranger/CallStranger-master/upnpy/ssdp/SSDPRequest.py", line 20
    self.set_header('HOST', f'{self.SSDP_MCAST_ADDR}:{self.SSDP_PORT}')
                                                                     ^
SyntaxError: invalid syntax

Is this perhaps because my version of Python (3.5.2) is too old? I tried newer versions of Python but they don't work with Ubuntu Xenial (I get SSL errors).


RE: CallStranger - simoncn - 28-06-2020 20:33

I have tried to run it on Windows and this was successful. I get results similar to yours.

I am testing a patch. When I run with this patch, it changes the services from "verified vulnerable" to "unverified". Does "unverified" mean that everything is fine?


RE: CallStranger - DrD - 28-06-2020 21:01

(28-06-2020 20:33)simoncn Wrote:  I have tried to run it on Windows and this was successful. I get results similar to yours. I am testing a patch. When I run with this patch, it changes the services from "verified vulnerable" to "unverified". Does "unverified" mean that everything is fine?

As far as I can tell, "unverified" means fixed.

The other patched applications also went from "verified vulnerable" to "unverified".


RE: CallStranger - simoncn - 28-06-2020 21:26

Thanks, this is helpful.

The patch I am testing is in ohNet (the UPnP stack that MinimServer uses). The next step is for me to inform the ohNet developers about this issue and ask them to review my patch. If they confirm that the patch is OK, I need to build a patched version of ohNet for all platforms that MinimServer supports and test the patched ohNet with both MinimServer 0.8 and MinimServer 2. If everything seems fine, I will release the patched ohNet as a MinimServer update. All this will take a bit of time, probably a week or so.


RE: CallStranger - DrD - 28-06-2020 23:30

Surprising that no one has raised this on their Issue Tracker or, for that matter, that as developers of a UPnP stack, they'd appear to be unaware of it.


RE: CallStranger - Donuk - 30-06-2020 13:13

I presume that I am the only person reading this thread that does not understand what it really means.

Is it the digital equivalent of a bit of fluff on the needle?

What is likely to happen to little folk like me if the issue is not addressed? Does one need a VPN? (seems to be the universal panacea these days).

What will leak out if this is not properly patched?

Would one of you clever guys just summarise what is going on in little words? Thanks

Donuk beautiful downtown York


RE: CallStranger - simoncn - 30-06-2020 22:12

This issue is not related to whether or not you have a VPN.

It involves the possibility of some malware exploiting a loophole in the original UPnP specification to cause a UPnP server on your intranet to send a message to establish (or attempt to establish) a UPnP subscription with a UPnP client on the internet.

This would not be prevented by a conventional firewall as this allows intranet devices to send messages to internet addresses and receive responses to these messages, while blocking unsolicited messages in the opposite direction.

To exploit this loophole, the malware would need to gain access to your intranet, which would generally be prevented by anti-virus software. Also, for a UPnP audio server such as MinimServer, any information that could be exposed in this way is very unlikely to be damaging to you or of any value to an attacker. It does not (for example) include any information about the contents of your music library.

Nevertheless, even the small possibility of such an exploit being used by an attacker was considered sufficiently important for the UPnP specification to be updated to block this loophole and for a number of manufacturers to patch their UPnP software to implement the new specification.
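
Added example (not part of the thread, and not the ohNet patch discussed above): a sketch of the server-side check that closes the loophole described in the last post, refusing a UPnP SUBSCRIBE whose CALLBACK delivery URL is outside the server's own subnet. The function names, the 192.168.0.0/24 subnet and the sample requests are assumptions constructed for illustration; only the event path and server address come from the scan output earlier in the thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def callback_urls(request_text):
    """Return the delivery URLs listed in the CALLBACK header of a SUBSCRIBE request."""
    for line in request_text.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^>]*)>", value)
    return []

def callback_allowed(url, local_net):
    """Accept only http:// URLs whose host is an IP literal inside local_net."""
    try:
        parts = urlsplit(url)
        host = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False  # malformed URL, or a hostname that could resolve anywhere
    return parts.scheme.lower() == "http" and host in local_net

def check_subscribe(request_text, local_net):
    """Return (accept, rejected_urls) for one SUBSCRIBE request."""
    urls = callback_urls(request_text)
    rejected = [u for u in urls if not callback_allowed(u, local_net)]
    return bool(urls) and not rejected, rejected

def sample_request(callback_value):
    """Build a constructed SUBSCRIBE request; the event path is one from the scan output."""
    return "\r\n".join([
        "SUBSCRIBE /a323148f-7675-4fa0-a7ee-08d60d1b989b/upnp.org-ContentDirectory-1/event HTTP/1.1",
        "HOST: 192.168.0.29:9791",
        "CALLBACK: " + callback_value,
        "NT: upnp:event",
        "TIMEOUT: Second-1800",
        "", "",
    ])

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed subnet of the server in the thread
if __name__ == "__main__":
    for cb in ("<http://192.168.0.50:49152/notify>",     # constructed LAN control point
               "<http://203.0.113.10/notify>",           # constructed off-LAN address
               "<http://192.168.0.50/a><http://203.0.113.10/b>"):
        print(cb, "->", check_subscribe(sample_request(cb), LAN))
```

A request that lists several delivery URLs is refused as a whole if any one of them falls outside the subnet, since each listed URL is a place the server may send event messages.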