search

yunuscadirci / CallStranger

Vulnerability checker for Callstranger (CVE-2020-12695)
MIT License
406 stars 64 forks source link

Verified vulnerable services, but manufacturer says not affected #21

Closed shtrom closed 4 years ago

shtrom commented 4 years ago

Hi,

Thanks for the work and this tool.

I just ran it in my home network, which has a FRITZ!Box as the gateway, and it came up as Verified vulnerable services.

The manufacturer however lists it as not affected here https://en.avm.de/service/current-security-notifications/, explaining that

There are currently reports of a security vulnerability involving the keyword "Callstranger." Security researchers have found a way to send an amplified amount of traffic using the UPnP protocol. FRITZ!Box is not affected as its UPnP service cannot be accessed or used from the Internet.

So I'm confused. How does this tool work: does it get a remote server to try to connect to the router's public IP address? Or tries to exploit the vulnerability locally using the remote server as a target.

Judging by the reported IP addresses, this seems to be a local test. So this might mean that my router IS indeed vulnerable, but only to attacks started from inside. Is this correct?

yunuscadirci commented 4 years ago

The vulnerability can be exploited by internal and external network. if our tool says it is vulnerable, it means vulnerable and verified from internal network and can be used for data exfiltration. can you share our tools output so I can update the list? Thanks.

dffvb commented 4 years ago

it means vulnerable and verified from internal network and can be used for data exfiltration.

The impact of internal vs external is disproportionately greater for the latter one.... The tool worked for me once, after this in the same session it always stopped with errors. I have a router/modem A, and a router B behind this. Whithin network B I have a zoo of multi room speakers. They are declared vulnerable. UPNP in both router deactivated. So technically I should be fine, however in realtity the speakers can access internet for firmware updates. Is this then an external threat?

shtrom commented 4 years ago

The vulnerability can be exploited by internal and external network. if our tool says it is vulnerable, it means vulnerable and verified from internal network and can be used for data exfiltration. can you share our tools output so I can update the list? Thanks.

Yeah, I thought the manufacturer was a bit cavalier there, declaring the devices safe... Though I guess this is in line with the “Am I vulnerable/Home Users” section:

Home users don't need to disable UPnP for this vulnerability. They just need to be sure UPnP endpoint is not exposed to Internet.

Anyway, here's the output:

_________        .__  .__    _________ __                                              
\_   ___ \_____  |  | |  |  /   _____//  |_____________    ____    ____   ___________  
/    \  \/\__  \ |  | |  |  \_____  \   __\_  __ \__  \  /    \  / ___\_/ __ \_  __ \ 
\     \____/ __ \|  |_|  |__/        \|  |  |  | \// __ \|   |  \/ /_/  >  ___/|  | \/ 
 \______  (____  /____/____/_______  /|__|  |__|  (____  /___|  /\___  / \___  >__|    
        \/     \/                  \/                  \/     \//_____/      \/        
This script created by Yunus Çadırcı (https://twitter.com/yunuscadirci) to check against CallStranger (CVE-2020-12695) vulnerability. An attacker can use this vulnerability for:
* Bypassing DLP for exfiltrating data
* Using millions of Internet-facing UPnP device as source of amplified reflected TCP DDoS / SYN Flood
* Scanning internal ports from Internet facing UPnP devices
You can find detailed information on https://www.callstranger.com  https://kb.cert.org/vuls/id/339275 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12695
Slightly modified version of https://github.com/5kyc0d3r/upnpy used for base UPnP communication
Stranger Host: http://20.42.105.45
Stranger Port: 80
8  devices found:

 FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/igddesc.xml )

  5 service(s) found for FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:Any:1  --> http://192.168.1.1:49000/igdupnp/control/any
     urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1    --> http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1
     urn:schemas-upnp-org:service:WANDSLLinkConfig:1    --> http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1
     urn:schemas-upnp-org:service:WANIPConnection:1     --> http://192.168.1.1:49000/igdupnp/control/WANIPConn1
     urn:schemas-upnp-org:service:WANIPv6FirewallControl:1  --> http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1

 InternetGatewayDeviceV2 - FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/igd2desc.xml )

  5 service(s) found for InternetGatewayDeviceV2 - FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:Any:1  --> http://192.168.1.1:49000/igd2upnp/control/any
     urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1    --> http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1
     urn:schemas-upnp-org:service:WANDSLLinkConfig:1    --> http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1
     urn:schemas-upnp-org:service:WANIPConnection:2     --> http://192.168.1.1:49000/igd2upnp/control/WANIPConn1
     urn:schemas-upnp-org:service:WANIPv6FirewallControl:1  --> http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1

 FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/fboxdesc.xml )

  1 service(s) found for FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:fritzbox:1     --> http://192.168.1.1:49000/upnp/control/fritzbox

 FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/l2tpv3.xml )

  1 service(s) found for FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:l2tpv3:1   --> http://192.168.1.1:49000/upnp/control/l2tpv3

 FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/igddesc.xml )

  5 service(s) found for FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:Any:1  --> http://192.168.1.1:49000/igdupnp/control/any
     urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1    --> http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1
     urn:schemas-upnp-org:service:WANDSLLinkConfig:1    --> http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1
     urn:schemas-upnp-org:service:WANIPConnection:1     --> http://192.168.1.1:49000/igdupnp/control/WANIPConn1
     urn:schemas-upnp-org:service:WANIPv6FirewallControl:1  --> http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1

 InternetGatewayDeviceV2 - FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/igd2desc.xml )

  5 service(s) found for InternetGatewayDeviceV2 - FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:Any:1  --> http://192.168.1.1:49000/igd2upnp/control/any
     urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1    --> http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1
     urn:schemas-upnp-org:service:WANDSLLinkConfig:1    --> http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1
     urn:schemas-upnp-org:service:WANIPConnection:2     --> http://192.168.1.1:49000/igd2upnp/control/WANIPConn1
     urn:schemas-upnp-org:service:WANIPv6FirewallControl:1  --> http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1

 FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/fboxdesc.xml )

  1 service(s) found for FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:fritzbox:1     --> http://192.168.1.1:49000/upnp/control/fritzbox

 FRITZ!Box Fon WLAN 7390 http://192.168.1.1:49000 ( http://192.168.103.1:49000/l2tpv3.xml )

  1 service(s) found for FRITZ!Box Fon WLAN 7390
     urn:schemas-any-com:service:l2tpv3:1   --> http://192.168.1.1:49000/upnp/control/l2tpv3

 Total 24 service(s) found. do you want to continue to VERIFY if service(s) are vulnerable?
Be careful: This operation needs Internet access and may transfer data about devices over network. Data encrypted on local and we can not see which services are vulnerable but ISPs and other elements may be able to inspect HTTP headers created by UPnP device. Because most of UPnPstack do not allow SSL connection we can not use it. 
Do you want to continue? y/N Successfully get session:ukob3ldh4cv8r4f3jo6j0iehje
Symmetric random key for encryption: b'pEeC6yZMTV9HN59cxHZlAn6TQVZMqlqPMKopHbK8XXI='  We do not send this value to server so we can not see which services are vulnerable. All confirmation process is done on client side
Calling stranger for  http://192.168.1.1:49000/igdupnp/control/any with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117CtNLEN5-Q9UT-KISg871v-jVsNaKJvb6Mi0bTJrQQ5kQ9GQpim_Mvkg7nRTnTSZsRPCsOU40IamL7qWP2vwAiEHBqa_iiZMA6C3jADCLlPlCVXtNDXBuSDxfUp08RkFO&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/any seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:994da540-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117TTVV5113C3jUKPDhX_OTVdOV808ce9ZIVTwSIr3vCvKYm0HS7lCTDOCAFqs0ATs8ebhPd4MwOc6JT2XkOjWZN0yAVWKz_EOxK7RVpgdbDvi36KnZ_QZwFXjPBCodt01qwlTM3fYDNNntv7fGt9tqLQ==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:994ed924-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117tTUxZHn5KtOhuLbHSFhNr74fAkorevnKbSL_B7KEuNN3WCEdM0RUBz-Frm0H5Pnb7yS6Cv124SEqIjCVPQ9fPKbFololqGnEU9VF3-A2GCHlGrJDKX37xNtNc90CDmUuIeCHNwRaWnLN3DvyZ7Et_A==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:99506640-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igdupnp/control/WANIPConn1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117ftChjGIwM3GNAwwrDQH1WrGreY13UFMPEIFh_WTpmlizvzXUYt6lSHgqreo9gmQ4KMRqQi087DpGs9Zn5LejtkRF1ewyDfHYZddxr4N3ozjWJZ6hZoK1I4QLj9CcZc9DuSgIcdqpDPshHiiNnoPziQ==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/WANIPConn1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:9952eb86-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117Mhg7GiaP5ZXxt0Gk9xwmLLWy6tK2nKQdsOqqoTZmUPsGaKRbRWREu6ho6go-PeDMKovGUaPuqp4-rBJPqbRoZShRUPMI7CNM_PAT5Tv9CVfeAA_tyjU4u_VvCVxpv9rLYYDSwJSnjhGSV_hyIkAlTg==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:995448d2-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/any with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117YdLbghV3-DYpBib-IHKV_RyntFrayGrfbhoPsBT54leI4Ao7KygUQ-Vln-CYhOv_IAQtZBGLaX98xCdyUS51bGoySHtV4AxGWyIgendqNs1nnHiz3Smao-oS8SPzQeol&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/any seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:99556474-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe51177OfAkxj9SbWZErTB3Bto-2pDxM26eMElJ77z7-0ZN4nJyosKfQiNCM7Ynd2YU7WZwkxAPP1tT5VIKdinCSQmdrOxeqycO6vz_XEOo56fl-PJF79G1FZbfcRoFYKBv-1xC4-sU1nB11lKhdqnS_iLFQ==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:995674b8-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117n2i9pyaimaKZxy9O2ZX2Vs_U1YeexIiePoRreHgm3NCwia88MptiCUZFRjD3jl4TirmgjxNMCDKtmh0WF2Ws9aa_azFfzaBUqIm2eEvMftp8mOIW01T303Mxr7vOCST3nxaWozuDQxYVNkg-77z40g==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:99579f0a-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANIPConn1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117VGtqC7NoGjhWrJUM2uXmFkJpeSqf1nHh7OICDxRUT37p_UWqtQkntYAjh6fX6qWWajOddZHT-sfBV0BPrfx4pQMuZ_cxajW6vj47816kl2AFzzoA84JB253niHONWMAbHmVRN9gIB5gJYTe4cUMBVg==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANIPConn1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:9958d078-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117H2IIaQPNE211M8Ib1mTks_VZMUzurzZdp-w8a7cxHKUHDvcTCgJXdGuEZuMleFvUSzef_z8KFl76ghlUUHLGiyB3tX6Q0y9C0qzyhRSVrnD8blDNeyn9pcjIcQDVVKR1XeaXi55di1Ve2vXYD_cqKg==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:995a614a-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/upnp/control/fritzbox with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117eT9GQWqGCKLiUy6Pji8CChCGwlov_J-hJKvz_B-4XgsECf8uydYU5rd1TNA5syfiqfFhhWmDgclLSIm2CY2bcLxlS6bbHk1_Gop0DfOEGjlCgP6pBTgouG8XaGU9dOwjNE9IwU57KIkYuQPmj2AisA==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/upnp/control/fritzbox seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:995bb34c-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/upnp/control/l2tpv3 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117xROKP4UqxLKiaDhQDy1MTeQcENDn0jEfmFu6n50MNdK-YRcZrUh3eI6uRaXMQ5EgLhD5h1zNtpL3Moqk-yiLEtsdmO1IFToquQW_ZJcrssPtFzwDPtzJhw0o2Ta5pjcl&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/upnp/control/l2tpv3 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:995d05a8-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igdupnp/control/any with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe51176Rw2EtKLLEYh5neU96S4FxgtTp3ymNWxVuNNf2yFk694K86uMA7X4bMSVPfdRYqQX2hcBCNoekI_v6YsxOowtrsjVbn1CL5BCme5L4ChZ2XxR1296HJa_il-gzE5OKhQ&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/any seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:995ec0e6-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe51177TviZFHkNeb6DDjfTHVSR1Qs7d23rD5RXEnyHsJbT9zfvCRaFUgFyPGLDPaiyrsPT7iM2xMhlmN9muXESGWNrVD494NhIGBff8V5lqSYSyzDJ3YlHKNJUza_Ab-xRH46fuUzqak-vwfZeJcysgBUgw==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:995fd4d6-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117LQ_WaDoTR8l_jX9tioyfZYO9-ob0E3m8Sa35YrFGCYCxWKSkGCn5COCCg2XvOCW8OLWzK8yKrZDMZz1IgyhXDmbuDRX9fAavBLVhwRbnqdvpkddj5twB1htT5J2_jaXPRIejgMaza7I0ff83wxWqIA==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:99612214-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igdupnp/control/WANIPConn1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117Dna_S_Y5qJkO1AXqXhciJfnDHgv-Wwn9oFvnyT2D3D_fXhFQQrNuNH6dkjfg5wpy0zH6ZHcmAY_xcJtkOUQmfVXuG2L0OVb9U9RihMQ8tGinSCrLTOwxzhmSX5bMK7fFqrGDJa2-7Iz5HuPVQc2qEQ==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igdupnp/control/WANIPConn1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:9962a814-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117sr8zGSInWocs7o6zeEBI-Xzl-h_Vgv7I6-XHGXDTJDUAcEbW_HFX4MW8zukk5JJ51cHhEkrWYzr8M4fCew7WytcLjyltVw5Eb-emDrpZ_-GCLLonclz7D7YDqj26cbfM_VmOj9FngU1c2uyS9lxHkg==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:9963f7aa-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/any with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117Ai-0pbP1wxwgsFHEr1IAOcbsMR2VTSm4D8RBgUAfN-QZKkRLcfYzp2fqXdARcR7vWgKStkRrnXzYZwY1CRDzpYFiXpPQXpn9wNlgEtI34KGRs_2wbMLCdtXvlGd0iDWV&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/any seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:996545ce-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117TncZM59M3P1vzo1v4dokYTmPS4_3bjEB0MJAHrWp7rFxOZdaLngjXFULSED_PjiaOVsO-alO8fegaiL7SJc_XzsuwXAL4cFD0DzoUALsiq_YQOP9liGBRchdIe72yqFmym8sIaRRJl-YgQX8OVEUHg==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:996680b0-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117I2zqNdMeqFkHrILwh0KkJ_IT3d5LoeuLkmdv-Z7x3pj7frIlMy53YnUK6QcLbMpPb4sOmh8YVQhCcZSFgdBUXj8mJLs3muVAT-0_Gs_d_r8lpqzukbbrE2PhFovT5z3MIffnM2BUu85gwgAAl7K5cw==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:9967cca4-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANIPConn1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117LG6fAkByJsDMf58eL91Cgk9wxIhRiN-yrZ0NNgdWneRIYC8zThJJnSmNhhc3GfHF2Pepg2XpkCR2cqICy-C1fPzOm9KDcs1BmVMU5MNJrf3uTVcXyFXLglr_4iBAUyniOo6IZUKce_mgOm-nR5CQvQ==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANIPConn1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:99694840-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117QO-VVzmSevJUqKPUL4Iigfp1XTDSRNFv11aCR8-Udk5f-yO6EWJ-KjVXzSeLED1Lwikc_AGrcSjMGpMsxyjAgyV3i9jGhBQpys6dMo2H6AvCrHuOFHiksZAVfV58pl7XheO6LOvbN0VhImz5u_aaRQ==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:996ab702-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/upnp/control/fritzbox with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe51170NwDUZuH3yuhMcHS4wbx_0AhBY-lbPHDWPtCscl1vW1LhGZDufv2_7Wj6sCQxLv543KZ_tib_YRijx739XNKuDWpwSI4RvDcpQkRggXI1Wz0ZlFJl3mo6stvNK2ygLFeve13jJgguJmq88h-gxQU3Q==&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/upnp/control/fritzbox seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:996bf414-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}

Calling stranger for  http://192.168.1.1:49000/upnp/control/l2tpv3 with http://20.42.105.45:80/CallStranger.php?c=addservice&service=gAAAAABe5117QAUypxvn3EwvwDuaGS3W3hSi9fQ0Rs7BDdYHYRsiQsUuCYPDy1iGJuizLe4URAlqk12NLZwPWr3NGRAWw98mRCjnKiDackHmipw_tnyql8D3v91W6EKe_SAU1F1b1nVr&token=ukob3ldh4cv8r4f3jo6j0iehje
Subscribe to http://192.168.1.1:49000/upnp/control/l2tpv3 seems successfull
{'DATE': 'Mon, 15 Jun 2020 11:37:31 GMT', 'SERVER': 'FRITZ!Box Fon WLAN 7390 UPnP/1.0 AVM FRITZ!Box Fon WLAN 7390 84.06.86', 'CONTENT-LENGTH': '0', 'SID': 'uuid:996d38ba-1dd1-11b2-973b-8bce3bafb2a9', 'TIMEOUT': 'Second-1800'}


    Waiting 5 second for asynchronous requests
Successfully get services from server: http://20.42.105.45:80/CallStranger.php?c=getservices&token=ukob3ldh4cv8r4f3jo6j0iehje

Encrypted vulnerable services:
gAAAAABe5117TTVV5113C3jUKPDhX_OTVdOV808ce9ZIVTwSIr3vCvKYm0HS7lCTDOCAFqs0ATs8ebhPd4MwOc6JT2XkOjWZN0yAVWKz_EOxK7RVpgdbDvi36KnZ_QZwFXjPBCodt01qwlTM3fYDNNntv7fGt9tqLQ==
gAAAAABe5117tTUxZHn5KtOhuLbHSFhNr74fAkorevnKbSL_B7KEuNN3WCEdM0RUBz-Frm0H5Pnb7yS6Cv124SEqIjCVPQ9fPKbFololqGnEU9VF3-A2GCHlGrJDKX37xNtNc90CDmUuIeCHNwRaWnLN3DvyZ7Et_A==
gAAAAABe5117ftChjGIwM3GNAwwrDQH1WrGreY13UFMPEIFh_WTpmlizvzXUYt6lSHgqreo9gmQ4KMRqQi087DpGs9Zn5LejtkRF1ewyDfHYZddxr4N3ozjWJZ6hZoK1I4QLj9CcZc9DuSgIcdqpDPshHiiNnoPziQ==
gAAAAABe5117Mhg7GiaP5ZXxt0Gk9xwmLLWy6tK2nKQdsOqqoTZmUPsGaKRbRWREu6ho6go-PeDMKovGUaPuqp4-rBJPqbRoZShRUPMI7CNM_PAT5Tv9CVfeAA_tyjU4u_VvCVxpv9rLYYDSwJSnjhGSV_hyIkAlTg==
gAAAAABe5117n2i9pyaimaKZxy9O2ZX2Vs_U1YeexIiePoRreHgm3NCwia88MptiCUZFRjD3jl4TirmgjxNMCDKtmh0WF2Ws9aa_azFfzaBUqIm2eEvMftp8mOIW01T303Mxr7vOCST3nxaWozuDQxYVNkg-77z40g==
gAAAAABe51177OfAkxj9SbWZErTB3Bto-2pDxM26eMElJ77z7-0ZN4nJyosKfQiNCM7Ynd2YU7WZwkxAPP1tT5VIKdinCSQmdrOxeqycO6vz_XEOo56fl-PJF79G1FZbfcRoFYKBv-1xC4-sU1nB11lKhdqnS_iLFQ==
gAAAAABe5117H2IIaQPNE211M8Ib1mTks_VZMUzurzZdp-w8a7cxHKUHDvcTCgJXdGuEZuMleFvUSzef_z8KFl76ghlUUHLGiyB3tX6Q0y9C0qzyhRSVrnD8blDNeyn9pcjIcQDVVKR1XeaXi55di1Ve2vXYD_cqKg==
gAAAAABe5117eT9GQWqGCKLiUy6Pji8CChCGwlov_J-hJKvz_B-4XgsECf8uydYU5rd1TNA5syfiqfFhhWmDgclLSIm2CY2bcLxlS6bbHk1_Gop0DfOEGjlCgP6pBTgouG8XaGU9dOwjNE9IwU57KIkYuQPmj2AisA==
gAAAAABe5117xROKP4UqxLKiaDhQDy1MTeQcENDn0jEfmFu6n50MNdK-YRcZrUh3eI6uRaXMQ5EgLhD5h1zNtpL3Moqk-yiLEtsdmO1IFToquQW_ZJcrssPtFzwDPtzJhw0o2Ta5pjcl
gAAAAABe51177TviZFHkNeb6DDjfTHVSR1Qs7d23rD5RXEnyHsJbT9zfvCRaFUgFyPGLDPaiyrsPT7iM2xMhlmN9muXESGWNrVD494NhIGBff8V5lqSYSyzDJ3YlHKNJUza_Ab-xRH46fuUzqak-vwfZeJcysgBUgw==
gAAAAABe5117LQ_WaDoTR8l_jX9tioyfZYO9-ob0E3m8Sa35YrFGCYCxWKSkGCn5COCCg2XvOCW8OLWzK8yKrZDMZz1IgyhXDmbuDRX9fAavBLVhwRbnqdvpkddj5twB1htT5J2_jaXPRIejgMaza7I0ff83wxWqIA==
gAAAAABe5117Dna_S_Y5qJkO1AXqXhciJfnDHgv-Wwn9oFvnyT2D3D_fXhFQQrNuNH6dkjfg5wpy0zH6ZHcmAY_xcJtkOUQmfVXuG2L0OVb9U9RihMQ8tGinSCrLTOwxzhmSX5bMK7fFqrGDJa2-7Iz5HuPVQc2qEQ==
gAAAAABe5117sr8zGSInWocs7o6zeEBI-Xzl-h_Vgv7I6-XHGXDTJDUAcEbW_HFX4MW8zukk5JJ51cHhEkrWYzr8M4fCew7WytcLjyltVw5Eb-emDrpZ_-GCLLonclz7D7YDqj26cbfM_VmOj9FngU1c2uyS9lxHkg==
gAAAAABe5117TncZM59M3P1vzo1v4dokYTmPS4_3bjEB0MJAHrWp7rFxOZdaLngjXFULSED_PjiaOVsO-alO8fegaiL7SJc_XzsuwXAL4cFD0DzoUALsiq_YQOP9liGBRchdIe72yqFmym8sIaRRJl-YgQX8OVEUHg==
gAAAAABe5117I2zqNdMeqFkHrILwh0KkJ_IT3d5LoeuLkmdv-Z7x3pj7frIlMy53YnUK6QcLbMpPb4sOmh8YVQhCcZSFgdBUXj8mJLs3muVAT-0_Gs_d_r8lpqzukbbrE2PhFovT5z3MIffnM2BUu85gwgAAl7K5cw==
gAAAAABe5117QAUypxvn3EwvwDuaGS3W3hSi9fQ0Rs7BDdYHYRsiQsUuCYPDy1iGJuizLe4URAlqk12NLZwPWr3NGRAWw98mRCjnKiDackHmipw_tnyql8D3v91W6EKe_SAU1F1b1nVr
gAAAAABe51170NwDUZuH3yuhMcHS4wbx_0AhBY-lbPHDWPtCscl1vW1LhGZDufv2_7Wj6sCQxLv543KZ_tib_YRijx739XNKuDWpwSI4RvDcpQkRggXI1Wz0ZlFJl3mo6stvNK2ygLFeve13jJgguJmq88h-gxQU3Q==
gAAAAABe5117QO-VVzmSevJUqKPUL4Iigfp1XTDSRNFv11aCR8-Udk5f-yO6EWJ-KjVXzSeLED1Lwikc_AGrcSjMGpMsxyjAgyV3i9jGhBQpys6dMo2H6AvCrHuOFHiksZAVfV58pl7XheO6LOvbN0VhImz5u_aaRQ==
gAAAAABe5117VGtqC7NoGjhWrJUM2uXmFkJpeSqf1nHh7OICDxRUT37p_UWqtQkntYAjh6fX6qWWajOddZHT-sfBV0BPrfx4pQMuZ_cxajW6vj47816kl2AFzzoA84JB253niHONWMAbHmVRN9gIB5gJYTe4cUMBVg==
gAAAAABe5117LG6fAkByJsDMf58eL91Cgk9wxIhRiN-yrZ0NNgdWneRIYC8zThJJnSmNhhc3GfHF2Pepg2XpkCR2cqICy-C1fPzOm9KDcs1BmVMU5MNJrf3uTVcXyFXLglr_4iBAUyniOo6IZUKce_mgOm-nR5CQvQ==

Decyripting vulnerable services with key: b'pEeC6yZMTV9HN59cxHZlAn6TQVZMqlqPMKopHbK8XXI='

Verified vulnerable services: 
1: http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1
2: http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1
3: http://192.168.1.1:49000/igdupnp/control/WANIPConn1
4: http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1
5: http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1
6: http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1
7: http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1
8: http://192.168.1.1:49000/upnp/control/fritzbox
9: http://192.168.1.1:49000/upnp/control/l2tpv3
10:    http://192.168.1.1:49000/igdupnp/control/WANCommonIFC1
11:    http://192.168.1.1:49000/igdupnp/control/WANDSLLinkC1
12:    http://192.168.1.1:49000/igdupnp/control/WANIPConn1
13:    http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1
14:    http://192.168.1.1:49000/igd2upnp/control/WANCommonIFC1
15:    http://192.168.1.1:49000/igd2upnp/control/WANDSLLinkC1
16:    http://192.168.1.1:49000/upnp/control/l2tpv3
17:    http://192.168.1.1:49000/upnp/control/fritzbox
18:    http://192.168.1.1:49000/igd2upnp/control/WANIPv6Firewall1
19:    http://192.168.1.1:49000/igd2upnp/control/WANIPConn1
20:    http://192.168.1.1:49000/igd2upnp/control/WANIPConn1

Unverified  services: 
1: http://192.168.1.1:49000/igdupnp/control/any
2: http://192.168.1.1:49000/igd2upnp/control/any
3: http://192.168.1.1:49000/igdupnp/control/any
4: http://192.168.1.1:49000/igd2upnp/control/any

    Visit https://www.CallStranger.com for updates
yunuscadirci commented 4 years ago

Home users are not expected to do anything about this vulnerability. Vendors and ISPs are responsible for securing devices.

dffvb commented 4 years ago

Sorry but quite frankly this naive. Of course it is a theoretical problem of vendors, we all know in reality no to little updates will come, and I thought this tool was for people to check in their homes if devices are exposed, and take consequently action against?

yunuscadirci commented 4 years ago

this tool finds ports and documents so you can easily check if they can be accessible from internet with a simple online port scanner like https://www.ipfingerprints.com/portscan.php (I just found on google)