Tuesday, May 04, 2010

SANS: Malware FAQ: Microsoft Windows UPnP vulnerabilities

UPnP provides a specification called the Simple Service Discovery Protocol (SSDP) that allows devices to dynamically discover the services offered by each other. SSDP works on top of IP networks and is implemented using UDP. Walking through a typical scenario, the first step after powering on a device will be (per specification) to obtain an IP address. This is done either through DHCP (Dynamic Host Configuration Protocol), where a central server in the network assigns IP addresses from a pool, or via AutoIP if no DHCP server is available. Using AutoIP, there is a good chance that the device will end up in the same network as the other, unmanaged devices. [UPNP 2] Once an IP address is obtained, the device can talk via IP to other devices in the same network.
The next step for the device is to advertise its presence to the network. This is accomplished through SSDP Advertisements. These are UDP packets multicast to the 239.255.255.250:1900 multicast address. In this case, the protocol is called HTTPMU (HTTP Multicast over UDP). The target can of course be a unicast address as well, in which case HTTPU (HTTP over UDP) is spoken. There is an Internet Draft available that explains these HTTP [HTTP] extensions in more detail [GOLAND]. The number 1900 specifies the port that other devices need to bind to in order to receive these multicasts. The multicast address is assigned to SSDP by the IANA (Internet Assigned Numbers Authority) and is therefore essentially hardcoded. The UDP packet contains a simple HTTP header with the NOTIFY HTTP method and the type of the SSDP message, which in this case is the header field nts: with the value ssdp:alive. The header has more interesting fields, but within the scope of this discussion only the Location: header is of interest. It specifies a location from which any interested party can download more information on the device sending the announcement.
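The advertisement format described above, as an added example that is not part of the original post: a small parser for one SSDP datagram plus a defender-side check that an ssdp:alive NOTIFY carries a Location pointing back at the advertising device on the local network. The sample datagram is constructed; sender_ip and local_net are assumed to be known to whatever monitor receives the packet.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of an SSDP advertisement as described above: a NOTIFY
# request to 239.255.255.250:1900 with nts: ssdp:alive and a Location header.
SAMPLE_ALIVE = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"LOCATION: http://192.168.1.20:5000/rootDesc.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)

def parse_ssdp(datagram: bytes) -> dict:
    """Parse one SSDP datagram into {"method": ..., "headers": {name: value}}
    (names lowercased); malformed request/header lines raise ValueError."""
    head = datagram.decode("ascii").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("bad request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "headers": headers}

def check_alive(datagram: bytes, sender_ip: str, local_net: str) -> list:
    """Return findings (empty list = clean) for one ssdp:alive advertisement:
    wrong method, wrong nts value, or a Location that is not an http URL on
    the local network and on the sender itself."""
    msg = parse_ssdp(datagram)
    findings = []
    if msg["method"] != "NOTIFY":
        findings.append("method %s is not NOTIFY" % msg["method"])
    if msg["headers"].get("nts") != "ssdp:alive":
        findings.append("nts header is not ssdp:alive")
    url = urlsplit(msg["headers"].get("location", ""))
    try:
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:
        return findings + ["Location host is not an IP literal"]
    if url.scheme != "http" or host not in ipaddress.ip_network(local_net):
        findings.append("Location is not an http URL on %s" % local_net)
    if host != ipaddress.ip_address(sender_ip):
        findings.append("Location host differs from sender %s" % sender_ip)
    return findings
```

A Location that sends clients off the LAN, or to a host other than the one that advertised, is the kind of advertisement worth logging rather than following.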
