SSDP Attacks are Suddenly Huge

Like most of you, I love nothing more than kicking up my feet, donning my smoking jacket, and whiling away my work hours by reading security industry reports, such as Akamai's State of the Internet [Security]. They're dozens of pages long, and tend to reinforce my own personal biases, so it's a great way to pretend to work.

That said, the most surprising takeaway I got from the Akamai report is the huge criminal buy-in of SSDP, the Simple Service Discovery Protocol, as a spoofable, reflective protocol. At Rapid7, we've been paying attention to SSDP for a couple years now, and researchers Jon Hart and HD Moore have been warning people for a while now that that particular sky is falling.

It looks like 2015 is shaping up to be the year that the SSDP sky actually fell: according to Akamai, 20% of all reflective DDoS attacks in Q1 of this year used SSDP as the attack vector, where SSDP did not show up significantly at all in Q1 of 2014. I'm no statistician, but that looks to be about a gazillion percent growth, year over year.

Given its effectiveness at bringing down targets, and given that there are literally millions of unsecured devices in the form of home routers that are susceptible to being unwitting participants in this attack, the Internet needs to come up with some dramatic protective measures to deal with this newly popular threat.

Along Came A Moose

A couple weeks later, the Linux/Moose report was released by Olivier Bilodeau and Thomas Dupuy of ESET Canada Research, which details a worm that's currently romping around this huge sub-infrastructure of home routers which have predictable, default, or otherwise easily guessed external administration credentials. No exploits at all are used in Linux/Moose, but it seems pretty successful at infecting and replicating across many avenues with a goal of finding new homes in these embedded systems. It's a really fascinating read, and underlines this whole Internet of Junk that we're (we being the human species) building around us.

Incidentally, the name given by ESET, "Moose," has absolutely nothing to do with Rapid7's internal mascot. Just a coincidence.

So, what does this have to do with Metasploit?

If you've been reading this blog for more than a few weeks, you'll know that I, too, tend to pay special attention to modules that come in which abuse SOHO routers, and when I see new pull requests come in from long-time contributor Michael m-1-k-3 Messner, I know I'm about to get a face full of hot home router mess. This week is one of those weeks, and we now have a new module, the Netgear Unauthenticated SOAP Password Extractor, which does pretty much exactly what it says on the tin, based on the work by Peter darkarnium Adkins and Robert Müller. Thanks, Michael, for the work on that!

Peter's initial reports didn't seem to get a whole lot of pickup when he reported them back in February, and the BID and OSVDB references are pretty sparse. But, never fear, you can read all the gory details over on his GitHub repo, and see that this is Kind Of A Big Deal(tm). The short story is, if a device has remote management enabled, there are trivial authentication bypasses thanks to some insecure SOAP services, and this is present on several versions of Netgear routers. Of course, these routers also live in your local coffee shop, so attackers can also perform this attack in the default configuration of LAN-side only. Oops.

Hopefully, this module publication will raise the visibility of this and other kinds of SOHO router bugs that appear to be becoming epidemic in my favorite place, the Internet.

New Modules

This week, we have the aforementioned Netgear module, along with a new Flash exploit and a rather terrifying Lenovo privilege escalation. You can always check the full compare against last week for more on what's been going on in Metasploit.

Exploit modules

Auxiliary and post modules