Universal Plug'n'Play and NAT-PMP on OpenWrt

UPnP (Universal Plug'n'Play) is a protocol that enables programs running on a host to automatically configure port forwardings on their NAT-Router. UPnP basically allows a program to make the router to open necessary ports, without any intervention from the user, without making any check. For this reason, there is a security risk associated with enabling UPnP on your router: technically a worm or malware program could use this function to compromise security for the entire LAN.

Thus, it is recommended to set up port forwarding manually whenever possible, and leave UPnP disabled. However, in some cases dynamic port forwarding is required and manual port forwarding becomes impractical, leaving the user with no other option than to enable UPnP.

NAT-PMP is a protocol similar to UPnP, that is currently an IETF standard, and a number of Windows and Linux applications support it.

CAUTION: mixing up WAN and LAN interfaces may introduce security risks! See also Incorrect implementation of NAT-PMP in multiple devices.

miniupnpd in Backfire is vulnerable to remote code execution CVE-2013-0230. It is strongly recommended not to use UPnP on this OpenWRT version (what version?). You can check your device with Metasploit:

msfconsole
msf>
msf > use auxiliary/scanner/upnp/ssdp_msearch
msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24
msf auxiliary(ssdp_msearch) > run

See something like

[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml
[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230)

The repositories for OpenWrt Backfire contain minidlna and miniupnpd to provide UPnP support. They are configured in /etc/config/minidlna or /etc/config/miniupnpd respectively. Note that the minidlna package is quite large, and may not fit on routers with a fresh install on Openwrt. If you are only looking for UPnP functionality, miniupnpd is all you need.

To enable/disable NAT-PMP edit /etc/config/upnpd file:

        option 'enable_natpmp' '1'
        option 'enable_upnp' '0'

Also, you need to apply changeset 25251: it's basically a matter of editing /etc/init.d/miniupnpd, something you can do directly on your live router using nano; please be advised that failing to apply the patch correctly miniupnpd might stop working correctly.

Finally, you may need to execute the following command:

root@OpenWrt:~# uci set upnpd.config.enable_natpmp=1
root@OpenWrt:~# /etc/init.d/miniupnpd restart

Once miniupnpd is installed, it may be necessary to take an addition step to enable it. Navigate to System > Startup, and ensure that the miniupnpd entry is enabled. If it is not, enable it, and click on start.

Click on Status > Firewall. If UPnP has been properly enabled, the chains zone_wan_forward and zone_wan_prerouting will both contain an entry named “miniupnpd”. Additionally if you have any UPnP application working, you will be able to find their port mappings. Please note if you have just enabled UPnP, your application may need to be restarted, in order to reconfigure the firewall.

From a shell, issue the command:

root@oberon:~# logread | grep -i "\-pmp"

If NAT-PMP is enabled you'll see something like this:

Mar 24 21:16:59 OpenWrt daemon.notice miniupnpd[2631]: Listening for NAT-PMP traffic on port 5351

Otherwise you will see no message.

As UPnP provides no authentication mechanisms, it is commonly regarded as one giant security hole. A great deal of concern was also generated by the discovery of a buffer overflow vulnerability in the UPnP stack of Windows XP in 2001, which made it possible to obtain SYSTEM level access, and some institutions recommended disabling it altogether. For an historical perspective, see this page from Gibson Research.

It is also been speculated that the design flaws in UPnP would lead to development of a new class of attacks which relied on UPnP. More information about this and possible exploits can be found on UPnP Hacks.