This paper is the result of a research project spanning the second half of 2012 that measured the global exposure of UPnP-enabled network devices. The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet. Somewhere between 40 and 50 million IPs are vulnerable to at least one of three attacks outlined in this paper. The two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet. All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in of itself.
The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products. In most cases, network equipment that is "no longer shipping" will not be updated at all, exposing these users to remote compromise until UPnP is disabled or the product is swapped for something new. The flaws identified in the MiniUPnP software were fixed over two years ago, yet over 330 products are still using older versions.
[...]
Portable SDK for UPnP Devices unique_service_name() Buffer Overflows
The libupnp library, originally known as the Intel SDK for UPnP Devices and now maintained as the Portable SDK for UPnP Devices, is vulnerable to multiple stack-based buffer overflows when handling malicious SSDP requests. This library is used by tens of millions of deployed network devices, of which approximately twenty million are exposed directly to the internet. In addition to network devices, many streaming media and file sharing applications are also exposed to attack through this library.
This advisory does not address historic or current vulnerabilities in the HTTP and SOAP processing code of libupnp.
Affected Versions
Versions 1.2 (Intel SDK) and 1.2.1a - 1.8.0 (Portable SDK) are affected by at least three remotely exploitable buffer overflows in the unique_service_name() function, which is called to process incoming SSDP requests on UDP port 1900. Additionally, versions prior to 1.6.17 are vulnerable to additional issues in the same function. Please see Appendix A for a review of the vulnerable code by version.
Affected Vendors
Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. Any application linking to libupnp is likely to be affected and a list of confirmed vendors and products is provided in Appendix B.