Getting access to DNS with UPnP
One of the goals of taking over a router is to get control of the Domain Name
System (DNS) on the router, so that an attacker can reroute traffic for certain
sites to his own site (a so-called "man in the middle" attack). There are a few
possible ways this could be done, with UPnP used as part of the attack. Please
note that the methods described here are possible ways to get access to DNS,
but I have not actually got them to work, or have not found the time to work on
them, as in the case of making a customized firmware.
Accessing DNS from the outside
Many routers allow port 53 (UDP and TCP) on the WAN port of the router to be
port-mapped to port 53 (UDP and TCP) on the inside of the router itself,
exposing the DNS service on the router to the outside world. The DNS servers on
most routers seem to be pure forwarders though, with no caching.
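A defender can check for exactly this condition by walking the router's UPnP port-mapping table and looking for entries whose internal target is the gateway itself or whose internal port is 53. The following script is an added example, not code from the original article: it parses the SOAP responses an Internet Gateway Device returns for the WANIPConnection GetGenericPortMappingEntry action and flags such entries. The response bodies, the gateway address 192.168.1.1 and the LAN network 192.168.1.0/24 are constructed for this example; in practice the responses would come from querying the router's control URL one index at a time.

```python
"""Audit UPnP IGD port mappings for entries that expose the gateway's own DNS.

Added example (not part of the original article). The SOAP responses below
are constructed to look like WANIPConnection:1 GetGenericPortMappingEntry
replies; the element names (NewExternalPort, NewInternalClient, ...) are the
ones defined by the UPnP IGD specification.
"""
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass


def _soap_response(remote, ext_port, proto, int_port, client, desc):
    # Build a constructed GetGenericPortMappingEntry response body.
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetGenericPortMappingEntryResponse
        xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost>{remote}</NewRemoteHost>
      <NewExternalPort>{ext_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{int_port}</NewInternalPort>
      <NewInternalClient>{client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{desc}</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:GetGenericPortMappingEntryResponse>
  </s:Body>
</s:Envelope>"""


# Constructed sample mapping table: two entries expose the router's own DNS,
# one is an ordinary forward to a host on the LAN.
SAMPLE_RESPONSES = [
    _soap_response("", 53, "UDP", 53, "192.168.1.1", "dns"),
    _soap_response("", 8080, "TCP", 80, "192.168.1.20", "webcam"),
    _soap_response("", 53, "TCP", 53, "192.168.1.1", "dns"),
]


@dataclass
class PortMapping:
    remote_host: str
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str


def parse_mapping(soap_xml: str) -> PortMapping:
    """Extract one port mapping from a GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_xml)

    def field(name: str) -> str:
        # The New* elements carry no namespace, so a plain name lookup works.
        el = root.find(f".//{name}")
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        remote_host=field("NewRemoteHost"),
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol").upper(),
        internal_port=int(field("NewInternalPort")),
        internal_client=field("NewInternalClient"),
        enabled=field("NewEnabled") == "1",
        description=field("NewPortMappingDescription"),
    )


def audit_mapping(m: PortMapping, gateway_ip: str, lan_net: str) -> list[str]:
    """Return a list of findings for one mapping (empty means nothing to flag)."""
    findings: list[str] = []
    if not m.enabled:
        return findings
    label = f"{m.protocol}/{m.external_port} -> {m.internal_client}:{m.internal_port}"
    try:
        client = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return [f"{label}: internal client is not a valid IP address"]
    # The case from the article: WAN traffic mapped onto the router itself.
    if client == ipaddress.ip_address(gateway_ip) or client.is_loopback:
        findings.append(f"{label}: mapping targets the gateway itself")
    elif client not in ipaddress.ip_network(lan_net, strict=False):
        findings.append(f"{label}: internal client is outside the LAN")
    # Any mapping onto port 53 exposes a DNS service, whoever the target is.
    if m.internal_port == 53:
        findings.append(f"{label}: exposes a DNS service to the WAN")
    return findings


def audit_all(responses: list[str], gateway_ip: str, lan_net: str):
    """Parse every response and keep only the mappings that raised findings."""
    report = []
    for xml_text in responses:
        m = parse_mapping(xml_text)
        findings = audit_mapping(m, gateway_ip, lan_net)
        if findings:
            report.append((m, findings))
    return report


if __name__ == "__main__":
    for mapping, findings in audit_all(SAMPLE_RESPONSES, "192.168.1.1", "192.168.1.0/24"):
        print(f"[{mapping.description}]")
        for f in findings:
            print("  -", f)
```

Run against the constructed table it reports both port-53 mappings and stays silent on the webcam forward. A mapping that targets the gateway's own address should normally not exist at all; if a router accepts AddPortMapping requests for its own LAN address, disabling UPnP on the WAN side or removing the mapping with DeletePortMapping closes the exposure.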
Uploading new firmware
While this is not directly caused by UPnP, if you can reach the administrative
interface from the outside through a UPnP port forward and the default password
is still set, you could upload a new firmware that is nearly identical to the
original, except for DNS.
To properly recreate a firmware you need to have good knowledge of how the
firmware on the device is constructed, compile a few new executables, use the
right offsets in the firmware, and hope that the device will accept it, that it
will not be bricked, and that no one detects that the device has been tampered
with. For crackers this is currently too expensive to do, but it is certainly
the most effective way.