Universal Plug'n'Play and NAT-PMP on OpenWrt
UPnP (Universal Plug'n'Play) is a protocol that enables programs running on a host to automatically configure port forwardings on their NAT-Router. UPnP basically allows a program to make the router to open necessary ports, without any intervention from the user, without making any check. For this reason, there is a security risk associated with enabling UPnP on your router: technically a worm or malware program could use this function to compromise security for the entire LAN.
Thus, it is recommended to set up port forwarding manually whenever possible, and leave UPnP disabled. However, in some cases dynamic port forwarding is required and manual port forwarding becomes impractical, leaving the user with no other option than to enable UPnP.
NAT-PMP and its newer version PCP is a simpler binary protocol similar to UPnP, that is currently an IETF standard, and a number of Windows and Linux applications support it. It was originally developed by Apple for their routers but didn't received wide adoption.
Security Concerns
CAUTION: mixing up WAN and LAN interfaces may introduce security risks! See also Incorrect implementation of NAT-PMP in multiple devices.
miniupnpd in OpenWrt 10 Backfire is vulnerable to remote code execution CVE-2013-0230. It is strongly recommended not to use UPnP on this OpenWRT version.
Setting up UPnP in OpenWrt
The repository for OpenWrt contains minidlna
and miniupnpd
to provide UPnP support. They are configured in /etc/config/minidlna
or /etc/config/miniupnpd
respectively. Note that the the minidlna
package is quite large, and may not fit on routers with a fresh install on OpenWrt. If you are only looking for UPnP functionality, the miniupnpd
is all you need.
Once the miniupnpd
is installed, it may be necessary to take an addition step to enable it.
Navigate to Services
> UPnP
, and ensure that the Start service
option is enabled.
If it is not, enable it, and click on Save & Apply
.
You can do this from a command line:
uci set upnpd.config.enabled=1 uci commit /etc/init.d/miniupnpd restart
Troubleshooting
Read logs with logread -e miniupnpd
.
You can enable verbose logs:
uci set upnpd.config.log_output=1 uci commit /etc/init.d/miniupnpd restart
Use miniupnpc to open a port with UPnP. Or use natpmpc for NAT-PMP/PCP.
The GUI tool UPnP Router Control allows to see network usage and currently open ports.
Some apps like Transmission allows to open a port with both UPnP and NAT-PMP/PCP. Internally it uses libminiupnpc
and libnatpmp
libraries from the miniupnpd
author.
Checking if UPnP is working
Click on Status
> Firewall
. If UPnP has been properly enabled, the chains zone_wan_forward
and zone_wan_prerouting
will both contain an entry named miniupnpd
. Additionally if you have any UPnP application working, you will be able to find their port mappings. Please note if you have just enabled UPnP, your application may need to be restarted, in order to reconfigure the firewall.
Checking if NAT-PMP is working
From a shell, issue the command:
logread -e "\-PMP"
If NAT-PMP is enabled you'll see something like this:
Listening for NAT-PMP/PCP traffic on port 5351
Otherwise you will see no message.
Security considerations
As UPnP provides no authentication mechanisms, it is commonly regarded as one giant security hole. A great deal of concern was also generated by the discovery of a buffer overflow vulnerability in the UPnP stack of Windows XP in 2001, which made it possible to obtain SYSTEM level access, and some institutions recommended disabling it altogether. For an historical perspective, see this page from Gibson Research.
It is also been speculated that the design flaws in UPnP would lead to development of a new class of attacks which relied on UPnP. More information about this and possible exploits see in a talk Martin Zeiser: UPnP - Universal Pwn n Play.
Check if a router has the insecure UPnP
You can check your device with Metasploit:
msfconsole msf> msf > use auxiliary/scanner/upnp/ssdp_msearch msf auxiliary(ssdp_msearch) > set RHOSTS 192.168.0.0/24 msf auxiliary(ssdp_msearch) > run
See something like
[*] 192.168.0.9:1900 SSDP Net-OS 5.xx UPnP/1.0 | 192.168.0.9:3278/etc/linuxigd/gatedesc.xml [+] 192.168.0.254:1900 SSDP miniupnpd/1.0 UPnP/1.0 | vulns:2 (CVE-2013-0229, CVE-2013-0230)