UPnP IGD Stacks

There are only a handful of UPnP stacks in use. The reason for this is that many hardware vendors actually buy their routers in bulk somewhere else and often share the same suppliers. Sometimes during the lifetime of a product the supplier is changed and even though the product number might still be the same (or nearly the same) the device is completely different. Often just the packaging, CDs and webinterface are changed, but the software on the devices is the same.

Below you will find a breakdown of many popular stacks, including their vulnerabilities.

Broadcom

For a full discussion of the Broadcom stack, please see the separate Broadcom stack page.

AVM

AVM has a stack, which is used on the Fritz!Box machines. The stack does not check if the parameter NewInternalClient in the AddPortMapping request is actually a machine on the LAN. Just as with the Broadcom stack you can put external IP addresses in there.

The stack is AVM proprietary and not used outside AVM products. AVM will fix this problem for the stack (and all their devices).

Linux IGD and Pseudo ICS

For a full discussion of the Linux IGD and Pseudo ICS daemon stack, please see the separate Linux IGD and Pseudo ICS daemon page.

Realtek

On several boards based on the Realtek RTL86xx, Realtek's own implementation of UPnP is used. While it is not vulnerable to attacks, there is sometimes a problem with the firewalling on these devices: when UPnP is activated, the UPnP daemon listens on both the inside network and the WAN interface. You can successfully send UPnP SOAP commands to the router on the WAN port, and they will be executed.

UPnPkits

A fairly new and obscure UPnP IGD implementation is 'upnpkits'. It uses a PHP-like language to dynamically create Bourne shell scripts, which are then executed by issuing a shell call. The PHP-like scripts don't check anything at all, and the scripts run with full root privileges on the router. You can execute commands by issuing the command using shell backticks.

So far just a few routers are known to be using this software. The original manufacturer (believed to be Alpha Networks, but I'm not sure about this) has been made aware of these issues, and some new firmwares provide a fix.

Affected devices include:

'Router'

An even more obscure UPnP stack can be found on a range of very cheap devices. The operating system of these devices is not Linux, but some other embedded OS. The UPnP SOAP server only identifies itself as 'Router', with the device ID prepended and 'UPnP/1.0' appended, for example:

SERVER: NI-707513 Router, UPnP/1.0

None of the usual attacks (setting NewInternalClient to external IP addresses or to the router's IP address) work, but this stack has another quirk: if a mapping already exists and another mapping using the same NewExternalPort is made, the old mapping is silently overwritten. Badly written programs could accidentally overwrite an existing port mapping, or malicious programs could hijack an existing connection.
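The checks that the stacks above are missing (AVM accepting a non-LAN NewInternalClient, the 'Router' stack silently overwriting an entry on the same external port, and the Realtek daemon answering requests arriving on the WAN side), written out as an added Python example; this is not code from this page or from any vendor's stack, and the LAN prefix, router address and mapping values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample topology: the router's LAN prefix and its own LAN address.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.1.1")

# UPnP error codes: 402 is the generic "Invalid Args"; 718 is
# ConflictInMappingEntry from the WANIPConnection service definition.
ERR_INVALID_ARGS = 402
ERR_CONFLICT = 718
# Not a SOAP error: the request should be discarded rather than answered.
ERR_DROP = 0


@dataclass(frozen=True)
class PortMapping:
    external_port: int     # NewExternalPort
    protocol: str          # NewProtocol: "TCP" or "UDP"
    internal_client: str   # NewInternalClient
    internal_port: int     # NewInternalPort


def validate_add_port_mapping(req: PortMapping, existing: List[PortMapping],
                              source_ip: str) -> Optional[Tuple[int, str]]:
    """Return None if the AddPortMapping request is acceptable, else (code, reason)."""
    # Requests must come from the LAN side; a WAN-originated request is never served.
    if ipaddress.ip_address(source_ip) not in LAN_NET:
        return ERR_DROP, "request did not originate from the LAN"
    if req.protocol not in ("TCP", "UDP"):
        return ERR_INVALID_ARGS, "protocol must be TCP or UDP"
    if not (0 < req.external_port < 65536 and 0 < req.internal_port < 65536):
        return ERR_INVALID_ARGS, "port out of range"
    # NewInternalClient must be a host on the LAN, and not the router itself.
    try:
        client = ipaddress.ip_address(req.internal_client)
    except ValueError:
        return ERR_INVALID_ARGS, "NewInternalClient is not an IP address"
    if client not in LAN_NET or client == ROUTER_IP:
        return ERR_INVALID_ARGS, "NewInternalClient is not a LAN host"
    # An entry on the same external port/protocol may only be re-added unchanged
    # (a refresh); pointing it at another host or port is a conflict, not an overwrite.
    for m in existing:
        if (m.external_port, m.protocol) == (req.external_port, req.protocol):
            if (m.internal_client, m.internal_port) != (req.internal_client, req.internal_port):
                return ERR_CONFLICT, "ConflictInMappingEntry"
    return None
```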

Affected devices:

AMIT

A stack that is fairly popular on several NETGEAR devices (AR7 based) is made by AMIT, a Taiwanese company.

Speedtouch

Thomson has written its own stack for its devices (Speedtouch, BT Home Hub). So far, nothing serious has popped up.

© 2006-2011, Armijn Hemel/upnp-hacks.org