Last month we learned about a new vulnerability dubbed “CallStranger”, which shows how UPnP can be abused to exfiltrate data and to perform DDoS amplification attacks. Billions of devices are vulnerable.
Essentially, an attacker can use the UPnP SUBSCRIBE mechanism to force a device to connect to an arbitrary URL.
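As an added illustration (not code from this post, the CallStranger PoC, or the Corelight plugin), here is a small Python check of the kind a detector would apply: it parses a UPnP SUBSCRIBE request and flags any CALLBACK URL whose host lies outside the private address ranges. The two requests are constructed samples, and treating "not RFC 1918" as suspicious is a simplification of what a real rule would do.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample requests (not taken from the post's capture).
SAMPLE_REQUESTS = [
    # Benign: a control point on the LAN subscribes with a LAN callback.
    "SUBSCRIBE /MediaRenderer/AVTransport/Event HTTP/1.1\r\n"
    "HOST: 192.168.1.50:1400\r\n"
    "CALLBACK: <http://192.168.1.20:3400/notify>\r\n"
    "NT: upnp:event\r\nTIMEOUT: Second-3600\r\n\r\n",
    # Suspicious: the callback points at a host outside the local network,
    # which is the pattern CallStranger relies on.
    "SUBSCRIBE /MediaRenderer/AVTransport/Event HTTP/1.1\r\n"
    "HOST: 192.168.1.50:1400\r\n"
    "CALLBACK: <http://203.0.113.10/collect>\r\n"
    "NT: upnp:event\r\nTIMEOUT: Second-3600\r\n\r\n",
]

# Simplified notion of "local": RFC 1918 ranges plus loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def callback_urls(request):
    """Return the URLs in the CALLBACK header (UPnP allows several, each in <>)."""
    for line in request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().upper() == "CALLBACK":
            return re.findall(r"<([^>]+)>", value)
    return []


def is_local(host):
    """True if host is an IP address inside LOCAL_NETS; hostnames count as non-local."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a real deployment would resolve the name before deciding
    return any(addr in net for net in LOCAL_NETS)


def suspicious_callbacks(request):
    """Callback URLs whose host is not on the local network."""
    flagged = []
    for url in callback_urls(request):
        host = urlparse(url).hostname
        if host is None or not is_local(host):
            flagged.append(url)
    return flagged
```

The same check can be run over the CALLBACK values Zeek extracts from a capture rather than over raw request text.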
We loaded up the Corelight plugin in CloudShark’s new Zeek Logs analysis tool and took it for a spin! To generate network traffic from an attempt at exploiting the vulnerability, Tom used the published Proof-of-Concept tool to poke at a Sonos speaker on his network and took this capture.
Using our new Zeek Logs analysis tool in CloudShark, we can see the new Notice log entry that the Corelight plugin creates!
Take a moment to look around CloudShark at the other Zeek logs that are created.
In the log view, clicking on a row will open a dialog with all the details for that row. From there you can click on the “View Packets” button to expose the raw packets related to that Zeek notice! You can also jump straight to the Follow Stream here.
What did we learn? UPnP is bad, Zeek is good, and CloudShark brings you the tools to understand network traffic and communicate your findings.
Have an awesome day.