Universal Plug'n'Play and NAT-PMP on OpenWrt

UPnP (Universal Plug'n'Play) is a protocol that enables programs running on a host to automatically configure port forwardings on their NAT-Router. UPnP basically allows a program to make the router to open necessary ports, without any intervention from the user, without making any check. For this reason, there is a security risk associated with enabling UPnP on your router: technically a worm or malware program could use this function to compromise security for the entire LAN.

Thus, it is recommended to set up port forwarding manually whenever possible, and leave UPnP disabled. However, in some cases dynamic port forwarding is required and manual port forwarding becomes impractical, leaving the user with no other option than to enable UPnP.

NAT-PMP and its newer version PCP is a simpler binary protocol similar to UPnP, that is currently an IETF standard, and a number of Windows and Linux applications support it. It was originally developed by Apple for their routers but didn't received wide adoption.

Important! CAUTION: mixing up WAN and LAN interfaces may introduce security risks! See also Incorrect implementation of NAT-PMP in multiple devices.

miniupnpd in OpenWrt 10 Backfire is vulnerable to remote code execution CVE-2013-0230. It is strongly recommended not to use UPnP on this OpenWRT version.

The repository for OpenWrt contains minidlna and miniupnpd to provide UPnP support. They are configured in /etc/config/minidlna or /etc/config/miniupnpd respectively. Note that the the minidlna package is quite large, and may not fit on routers with a fresh install on OpenWrt. If you are only looking for UPnP functionality, the miniupnpd is all you need.

Once the miniupnpd is installed, it may be necessary to take an addition step to enable it. Navigate to Services > UPnP, and ensure that the Start service option is enabled. If it is not, enable it, and click on Save & Apply.

You can do this from a command line:

uci set upnpd.config.enabled=1
uci commit
/etc/init.d/miniupnpd restart

Read logs with logread -e miniupnpd.

You can enable verbose logs:

 
uci set upnpd.config.log_output=1
uci commit
/etc/init.d/miniupnpd restart

Use miniupnpc to open a port with UPnP. Or use natpmpc for NAT-PMP/PCP.

The GUI tool UPnP Router Control allows to see network usage and currently open ports.

Some apps like Transmission allows to open a port with both UPnP and NAT-PMP/PCP. Internally it uses libminiupnpc and libnatpmp libraries from the miniupnpd author.

Checking if UPnP is working

Click on Status > Firewall. If UPnP has been properly enabled, the chains zone_wan_forward and zone_wan_prerouting will both contain an entry named miniupnpd. Additionally if you have any UPnP application working, you will be able to find their port mappings. Please note if you have just enabled UPnP, your application may need to be restarted, in order to reconfigure the firewall.

Checking if NAT-PMP is working

From a shell, issue the command:

logread -e "\-PMP"

If NAT-PMP is enabled you'll see something like this:

Listening for NAT-PMP/PCP traffic on port 5351

Otherwise you will see no message.

As UPnP provides no authentication mechanisms, it is commonly regarded as one giant security hole. A great deal of concern was also generated by the discovery of a buffer overflow vulnerability in the UPnP stack of Windows XP in 2001, which made it possible to obtain SYSTEM level access, and some institutions recommended disabling it altogether. For an historical perspective, see this page from Gibson Research.

It is also been speculated that the design flaws in UPnP would lead to development of a new class of attacks which relied on UPnP. More information about this and possible exploits see in a talk Martin Zeiser: UPnP - Universal Pwn n Play.

You can check your device with Metasploit:

msfconsole
msf>
msf > use auxiliary/scanner/upnp/ssdp_msearch
msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24
msf auxiliary(ssdp_msearch) > run

See something like

[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml
[+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230)
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/09/04 06:50
  • by stokito