Vulnerable UPnP IGD devices

This page lists the devices that implement the UPnP Internet Gateway Device profile that I found to be vulnerable. Because of the sheer volume of vulnerable devices I have given up on updating this list.

In the tables below I list three possible hacks:

  1. internal forwarding :: UPnP portmapping can be used to make a portmapping to a host on the local network other than the machine sending the request (it is not clear whether this is a bug or actually allowed by the specifications).
  2. external forwarding :: UPnP portmapping can be used to make a portmapping to a host on an external network (like the Internet). Packets will be rewritten by the NAT software on the router and all packets will appear to come from the router.
  3. code execution :: shell escapes can be used to execute commands on the router.

A few remarks need to be made regarding these bugs:

  1. The first bug might not be a bug after all (in fact, I did hear one good use of it from someone who suggested using it for configuring a lot of devices at once from a central control point, for example on a grid network), so I have not listed devices here that only do this (see the "safe devices" section).
  2. I have only tested the third bug with devices that are based on Linux. If a device is listed somewhere here and in the "remote code execution" column there is a "no" it does not mean the device is actually safe, since I have not tested anything else but Linux shell escapes.
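
A check that closes these holes at the point where the router handles a port-mapping request, as an added example (not code from this page or from any vendor's UPnP stack). It assumes the target arrives as the NewInternalClient argument of the AddPortMapping action and may later be passed to a shell command; the function name, the verdict enum and the sample addresses are this example's own.

```c
#include <arpa/inet.h>
#include <stdio.h>

/* Verdicts for a requested port mapping (names are this example's own). */
enum verdict { ALLOW, REJECT_MALFORMED, REJECT_EXTERNAL, REJECT_OTHER_HOST };

/* client:    NewInternalClient string exactly as received in the request
 * requester: source address of the connection carrying the request
 * lan_net, lan_mask: the router's LAN subnet, e.g. 192.168.1.0 / 255.255.255.0
 * strict:    nonzero to also refuse mappings to LAN hosts other than the requester */
enum verdict check_internal_client(const char *client, const char *requester,
                                   const char *lan_net, const char *lan_mask, int strict)
{
    struct in_addr c, r, net, mask;

    /* inet_pton accepts only a complete dotted quad, so hostnames and strings
       carrying shell metacharacters are refused before any command is built. */
    if (inet_pton(AF_INET, client, &c) != 1)
        return REJECT_MALFORMED;
    if (inet_pton(AF_INET, requester, &r) != 1 ||
        inet_pton(AF_INET, lan_net, &net) != 1 ||
        inet_pton(AF_INET, lan_mask, &mask) != 1)
        return REJECT_MALFORMED;

    /* "external forwarding": the target lies outside the LAN subnet. */
    if ((c.s_addr & mask.s_addr) != (net.s_addr & mask.s_addr))
        return REJECT_EXTERNAL;

    /* "internal forwarding": the target is a LAN host other than the requester. */
    if (strict && c.s_addr != r.s_addr)
        return REJECT_OTHER_HOST;
    return ALLOW;
}

int main(void)
{
    /* Constructed sample requests from 192.168.1.10 on LAN 192.168.1.0/24. */
    const char *t[] = { "192.168.1.10", "192.168.1.20", "203.0.113.7",
                        "192.168.1.10;x" };
    for (int i = 0; i < 4; i++)
        printf("%-16s -> %d\n", t[i], check_internal_client(t[i],
               "192.168.1.10", "192.168.1.0", "255.255.255.0", 1));
    return 0;
}
```

With strict set to 0 the check still blocks external targets and malformed input but permits the central-control-point use mentioned in the first remark.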

Tested devices

Linksys

Linksys is an American company and one of the largest vendors of routers in the SOHO market. The Linksys brand is owned by Cisco. One of the most popular router families Linksys ships is the WRT54G family, which also includes the WRT54GS and WRT54GL.

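| Device | Version | Firmware revision | Internal forwarding | External forwarding | Code execution |
|--------|---------|-------------------|---------------------|---------------------|----------------|
| WRT54G | v2.2 | 3.03.9 | yes | yes | no |
| WRT54G | v2.2 | 4.20.7 | yes | yes | no |
| WRT54G | v2.2 | 4.20.8 | yes | yes | no |
| WRT54GS | v1.0 | 2.09.1 | yes | yes | no |
| WRT54GS | v1.0 | 4.70.6 | yes | yes | no |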


The WRT54G and WRT54GS are wireless gateways with built-in router and switch, which are based on Linux (up until and including v4) or VxWorks (v5 and later). The WRT54G is based on a Broadcom chipset. The devices use the Broadcom UPnP stack.

The "external forwarding" bug was fixed in firmware revision 4.30.5 (WRT54G up until and including v4) and 4.71.1 (WRT54GS up until and including v3) and 1.06.1 (WRT54GS v4).

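| Device | Version | Firmware revision | Internal forwarding | External forwarding | Code execution | Accessible from WAN |
|--------|---------|-------------------|---------------------|---------------------|----------------|---------------------|
| WRT54GX | v2 | 2.00.05 | yes | no | no | yes |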

The WRT54GX version 2 is based on the Realtek RTL865x chipset. The UPnP stack that is used on the device comes from Realtek. Due to an error, if UPnP is enabled, the UPnP SOAP server will also listen on the WAN port. An attacker can remotely send UPnP packets and control the firewall. Subsequent versions of the firmware switched to the Broadcom UPnP stack, where the error did not occur.

Edimax

Edimax is a Taiwanese hardware company. It seems to be mostly active in the home market, with rather cheap devices. Edimax also serves as an ODM company for other router companies. Their devices often run on an embedded Linux distribution, which is called "EdiLinux". Many devices are based on the Realtek RTL8186 chipset.

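| Device | Version | Firmware revision | Internal forwarding | External forwarding | Code execution |
|--------|---------|-------------------|---------------------|---------------------|----------------|
| BR-6104K | | 3.21 | yes | yes | yes |
| BR-6104K | | 3.25 | yes | no | no |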

The BR-6104K is a simple broadband router with a 4-port switch. It has an ADMtek ADM5120 chip and runs Linux. It is based on the EdiLinux distribution, which uses Linux IGD. Edimax fixed the bugs in version 3.25.

Sitecom

Sitecom is a Dutch manufacturer of hardware.

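| Device | Version | Firmware revision | Internal forwarding | External forwarding | Code execution |
|--------|---------|-------------------|---------------------|---------------------|----------------|
| WL-153 | | 1.31 | yes | yes | yes |
| WL-153 | | 1.34 | yes | yes | yes |
| WL-153 | | 1.39 | yes | no | no |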

The WL-153 is a recent MIMO router with a built-in 4-port switch. The WL-153 was plagued by the same bugs as the Edimax BR-6104K (it appears to use the exact same sources). Sitecom fixed this in firmware version 1.39.

© 2006-2011, Armijn Hemel/upnp-hacks.org