UPnP IGD Stacks
There are only a handful of UPnP stacks in use. The reason for this is that many hardware vendors actually buy their routers in bulk somewhere else and often share the same suppliers. Sometimes during the lifetime of a product the supplier is changed, and even though the product number might still be the same (or nearly the same), the device is completely different. Conversely, devices sold under different brands often differ only in packaging, CDs and web interface, while the software on the devices is the same.
Below you will find a breakdown of many popular stacks, including their vulnerabilities.
Broadcom
For a full discussion of the Broadcom stack, please see the separate Broadcom stack page.
AVM
AVM has its own stack, which is used on the Fritz!Box devices. The stack does not check whether the NewInternalClient parameter in an AddPortMapping request actually refers to a machine on the LAN; just as with the Broadcom stack, you can put external IP addresses in there. The stack is AVM proprietary and not used outside AVM products. AVM will fix this problem in the stack (and on all their devices).
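The check that is missing here, as an added example and not AVM's code: parse the AddPortMapping SOAP body and accept NewInternalClient only when it is an address inside the router's LAN subnet and not the router itself. The LAN subnet, router address and the SOAP request builder are constructed for this example; a real stack would take them from its interface configuration.

```python
"""Validate NewInternalClient in an AddPortMapping request.

Added example; it is not AVM's code.  It implements the check the text says
the AVM (and Broadcom) stacks lack: the internal client named in an
AddPortMapping request must be a host on the router's own LAN, not an
external address and not the router itself.  LAN subnet, router address and
the SOAP request below are constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed LAN configuration (illustrative values).
LAN_SUBNET = ipaddress.ip_network("192.168.178.0/24")
ROUTER_ADDR = ipaddress.ip_address("192.168.178.1")

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# 402 is "Invalid Args" in the UPnP Device Architecture.
ERR_INVALID_ARGS = 402


def make_add_port_mapping(internal_client, external_port=8080,
                          internal_port=80, protocol="TCP"):
    """Build a constructed AddPortMapping SOAP body for testing."""
    return (
        '<s:Envelope xmlns:s="%s" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:AddPortMapping xmlns:u="%s">'
        '<NewRemoteHost></NewRemoteHost>'
        '<NewExternalPort>%d</NewExternalPort>'
        '<NewProtocol>%s</NewProtocol>'
        '<NewInternalPort>%d</NewInternalPort>'
        '<NewInternalClient>%s</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>example</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    ) % (SOAP_NS, WANIP_NS, external_port, protocol, internal_port,
         internal_client)


def parse_add_port_mapping(soap_body):
    """Return the AddPortMapping arguments as a dict of tag -> text."""
    root = ET.fromstring(soap_body)
    action = root.find(".//{%s}AddPortMapping" % WANIP_NS)
    if action is None:
        raise ValueError("not an AddPortMapping request")
    # The argument elements carry no namespace, so child.tag is the bare name.
    return {child.tag: (child.text or "").strip() for child in action}


def internal_client_allowed(client):
    """True only for an IP address inside the LAN that is not the router."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # empty string, hostname, or garbage
    if addr == ROUTER_ADDR:
        return False  # would forward WAN traffic to the router's own services
    return addr in LAN_SUBNET


def handle_add_port_mapping(soap_body):
    """Return (error_code, message); error_code 0 means the mapping is accepted."""
    args = parse_add_port_mapping(soap_body)
    client = args.get("NewInternalClient", "")
    if not internal_client_allowed(client):
        return ERR_INVALID_ARGS, "NewInternalClient %r is not a LAN host" % client
    return 0, "mapping to %s:%s accepted" % (client, args.get("NewInternalPort"))


if __name__ == "__main__":
    for client in ("192.168.178.20", "203.0.113.5", "192.168.178.1", "localhost"):
        print(client, "->", handle_add_port_mapping(make_add_port_mapping(client)))
```

Rejecting the router's own address matters as much as rejecting external ones: a mapping to the router itself exposes its internal management services to the WAN.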
Linux IGD and Pseudo ICS
For a full discussion of the Linux IGD and Pseudo ICS daemon stack, please see the separate Linux IGD and Pseudo ICS daemon page.
Realtek
On several boards based on Realtek RTL86xx chips, Realtek's own UPnP implementation is used. While the implementation itself is not vulnerable to the attacks described on this page, there is sometimes a problem with the firewalling on these devices: when UPnP is activated, the UPnP daemon listens on both the inside network and the WAN interface. You can successfully send UPnP SOAP commands to the router on the WAN port, and they will be executed.
UPnPkits
A fairly new and obscure UPnP IGD implementation is 'upnpkits'. It uses a PHP-like language to dynamically create Bourne shell scripts, which are then executed by issuing a shell call. The PHP-like scripts do not check their input at all, and the generated scripts run with full root privileges on the router. You can execute arbitrary commands by embedding them in a request parameter using shell backticks. So far just a few routers are known to be using this software. The original manufacturer (believed to be Alpha Networks, but I'm not sure about this) has been made aware of these issues, and some new firmwares provide a fix.
Affected devices include:
- Airlink AR680W
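The pattern described above, shown vulnerable and hardened, as an added example that is not upnpkits code (its scripts are not reproduced here): request arguments are interpolated into a Bourne shell script that the daemon runs as root, so a NewInternalClient value carrying backticks becomes a command. The script template, the iptables line and the request values are constructed for this example.

```python
"""Request arguments pasted into a root shell script: the upnpkits pattern.

Added example; it is not upnpkits code, which is not reproduced on this
page.  It models the pattern the text describes (a template that turns
AddPortMapping arguments into a Bourne shell script, run as root) next to a
hardened variant that validates and quotes every argument.  The script
template, the iptables line and the request values are constructed.
"""
import ipaddress
import shlex

# Illustrative script body; real firmware would use its own NAT tooling.
TEMPLATE = ("#!/bin/sh\n"
            "iptables -t nat -A PREROUTING -p {proto} --dport {ext} "
            "-j DNAT --to-destination {client}:{int}\n")


def render_vulnerable(args):
    """Interpolate request values verbatim, as the text says the PHP-like scripts do."""
    return TEMPLATE.format(proto=args["NewProtocol"],
                           ext=args["NewExternalPort"],
                           client=args["NewInternalClient"],
                           int=args["NewInternalPort"])


def _port(value):
    """Accept only a decimal port number in 1..65535, returned as a string."""
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError("bad port %r" % value)
    return str(int(value))


def validate(args):
    """Whitelist each argument by type; anything else is rejected outright."""
    proto = args["NewProtocol"].upper()
    if proto not in ("TCP", "UDP"):
        raise ValueError("bad protocol %r" % args["NewProtocol"])
    # ip_address() raises ValueError on backticks, spaces and anything else
    # that is not a literal IP address.
    client = str(ipaddress.ip_address(args["NewInternalClient"]))
    return {"proto": proto, "ext": _port(args["NewExternalPort"]),
            "client": client, "int": _port(args["NewInternalPort"])}


def render_hardened(args):
    """Validate first, then quote, so the script can only ever contain a mapping."""
    clean = validate(args)
    return TEMPLATE.format(**{k: shlex.quote(v) for k, v in clean.items()})


# Constructed request: a LAN address with a backtick command appended, the
# injection technique the text describes.
INJECTED = {"NewProtocol": "TCP", "NewExternalPort": "8080",
            "NewInternalPort": "80",
            "NewInternalClient": "192.168.1.20`id > /tmp/upnp_pwned`"}
CLEAN = dict(INJECTED, NewInternalClient="192.168.1.20")

if __name__ == "__main__":
    print(render_vulnerable(INJECTED))  # backticks reach /bin/sh unchanged
    print(render_hardened(CLEAN))
    try:
        render_hardened(INJECTED)
    except ValueError as e:
        print("rejected:", e)
```

Quoting alone (shlex.quote) would already neutralise the backticks, but validating by type first is what keeps the generated script meaningful: a port or address that is not a port or address has no business reaching the shell at all.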
'Router'
An even more obscure UPnP stack can be found on a range of very cheap devices. The operating system of these devices is not Linux, but some other embedded OS. The UPnP SOAP server only identifies itself as 'Router', with the device ID prepended and 'UPnP/1.0' appended, for example:
SERVER: NI-707513 Router, UPnP/1.0
None of the usual attacks (setting NewInternalClient to external IP addresses or the router's IP address) work, but this stack has another quirk: if a mapping already exists and another mapping using the same NewExternalPort is made, the old mapping is overwritten (a conforming stack should instead refuse with a ConflictInMappingEntry error). Badly written programs could accidentally overwrite an existing port mapping, and malicious programs could hijack an existing connection.
Affected devices:
- ICIDU NI-707513
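The overwrite quirk next to the behaviour the WANIPConnection specification prescribes, as an added example that is not code from this stack or any vendor: a small model of an IGD mapping table that either replaces an entry with the same NewExternalPort and protocol or refuses it with error 718 (ConflictInMappingEntry), plus the read-before-write guard a careful control point can apply so that an overwriting stack cannot be tricked into hijacking another host's mapping. Addresses and ports are constructed.

```python
"""Port mapping table: overwrite-on-conflict versus the spec's behaviour.

Added example; it is not code from the 'Router' stack or any vendor.  It
models the quirk the text describes (a new AddPortMapping with an existing
NewExternalPort replaces the old entry) next to what the WANIPConnection
spec prescribes (refuse with error 718, ConflictInMappingEntry, unless the
same internal client is updating its own entry), plus a read-before-write
guard for control points.  Addresses and ports are constructed.
"""

ERR_CONFLICT = 718  # ConflictInMappingEntry in WANIPConnection:1


class PortMappingTable:
    """Minimal model of an IGD mapping table keyed on (external port, protocol)."""

    def __init__(self, overwrite_on_conflict):
        self.overwrite_on_conflict = overwrite_on_conflict
        self._entries = {}

    def add(self, ext_port, protocol, client, int_port):
        """AddPortMapping: 0 on success, 718 when another client owns the entry."""
        key = (ext_port, protocol.upper())
        existing = self._entries.get(key)
        if existing is not None and not self.overwrite_on_conflict:
            # The spec lets the same internal client refresh its own mapping;
            # any other client gets ConflictInMappingEntry.
            if existing[0] != client:
                return ERR_CONFLICT
        self._entries[key] = (client, int_port)
        return 0

    def get(self, ext_port, protocol):
        """GetSpecificPortMappingEntry: (client, int_port) or None."""
        return self._entries.get((ext_port, protocol.upper()))


def safe_add(table, ext_port, protocol, client, int_port):
    """Control-point guard: look up the entry first, so even an overwriting
    stack is never asked to replace a mapping that belongs to another host."""
    existing = table.get(ext_port, protocol)
    if existing is not None and existing[0] != client:
        return ERR_CONFLICT
    return table.add(ext_port, protocol, client, int_port)


def hijack_demo(overwrite):
    """Return (rc, owner) for external port 8080 after a second host claims it."""
    table = PortMappingTable(overwrite_on_conflict=overwrite)
    table.add(8080, "TCP", "192.168.0.10", 80)          # legitimate mapping
    rc = table.add(8080, "TCP", "192.168.0.66", 80)     # second host, same NewExternalPort
    return rc, table.get(8080, "TCP")


if __name__ == "__main__":
    print("overwriting stack:", hijack_demo(overwrite=True))   # port now points at .66
    print("conforming stack: ", hijack_demo(overwrite=False))  # 718, .10 keeps the port
    t = PortMappingTable(overwrite_on_conflict=True)
    t.add(8080, "TCP", "192.168.0.10", 80)
    print("guarded add on overwriting stack:",
          safe_add(t, 8080, "TCP", "192.168.0.66", 80), t.get(8080, "TCP"))
```

The guard only protects a well-behaved control point from its own mistakes; a malicious program on the LAN simply calls AddPortMapping directly, which is why the fix belongs in the stack.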
AMIT
A stack that is fairly popular on several AR7-based NETGEAR devices is made by AMIT, a Taiwanese company.
Speedtouch
Thomson has written its own stack for its devices (Speedtouch, BT Home Hub). So far, nothing serious has popped up.