[IGD hacking] Getting complete control of a device, remotely

Added: Thursday August 7, 2008

In front of me right now there is a device that I have had for quite a while, but only a few days ago I decided to give it another look. One of the first things I always do is a portscan on both LAN and WAN side. To my surprise UPnP was enabled on the WAN side on port 49152. This means that if this router would be directly attached to the Internet, everybody would be able to control its firewall and shoot holes in it. That's not good.

The second thing I always try is to see if I can abuse the portmapping feature to make the administrative web interface available on the WAN side. So far, I have never succeeded in doing this, until today. This means, that if the default password is still used it is trivial to control the router completely.

Combine the two attacks and what do you get: complete remote control over the router without anyone ever having access to your LAN.

To add injury to insult the device is also vulnerable to various other injections through the web interface.

I have contacted the company that sells this device a few days ago. I doubt that it is the only device that is vulnerable, since the company they bought it from is supplying a lot of other companies in the west.

Archive

© 2006-2011, Armijn Hemel/upnp-hacks.org