Getting access to DNS with UPnP

One of the goals of taking over the router is to get control of the Domain Name System on the router, so an attacker can reroute traffic of certain sites to his own site (a so called "man in the middle" attack). There are a few possible ways how this could be done, where UPnP can be used as part of the hack. Please note that the methods described here are possible ways to get access to DNS, but I have not actually got them to work, or have not found the time to work on it, like in the case of making a customized firmware.

Accessing DNS from the outside

Many routers allow port 53 (UDP and TCP) on the WAN port the router to be portmapped to port 53 (UDP and TCP) on the inside of the router itself, exposing the DNS on the router to the outside world. The DNS servers on most routers seem to be pure forwarders though, with no caching.

Uploading new firmware

While not directly because of UPnP, but if you can get the adminstrative interface access on the outside with a UPnP port forward and the default password is still on, you could upload a new firmware, that is nearly exactly the same, except for DNS.

To properly recreate a firmware you need to have good knowledge about how the firmware on the device is constructed, compile a few new executables, use the right offsets in the firmware and hope that the device will accept it and it will not be bricked and no one detects that the device has been tampered with. For crackers this is currently too expensive to do, but it is certainly the most effective way.

© 2006-2011, Armijn Hemel/upnp-hacks.org