Hole in Realtek software imperils countless home routers


— 9:30 AM on May 4, 2015

A host of home Wi-Fi routers based on Realtek silicon may be vulnerable to a remote code execution attack thanks to a hole in Realtek's software development kit (SDK).

To support the universal plug-and-play (UPnP) standard, Realtek built a service/daemon into its SDK that listens for UPnP calls. Unfortunately, the developers didn't implement proper input sanitization for the NewInternalClient call. As a result, the bad guys may be able to cause a Realtek-based device to execute malicious code.

Here are a few resources to help identify if you have a SOHO router based on the Realtek 81xx-series SoC that may be vulnerable to attack.

  1. Try searching for your model of router on the WikiDevi, DD-WRT Wiki, and OpenWRT Wiki. These wikis are great resources to find out what SoC is powering your router.
  2. You can also test your own equipment using Shodan.
     • First head to Test IPv6 and write down your public IPv4 address.
     • Then go over to Shodan and sign up for a free account.
     • Now that you're logged into Shodan, you'll have access to the search engine filters. Here's the string you'll need to submit.
         realtek port:1900 net:[ip address]
     • Put the IPv4 address you got from Test IPv6 in after the net: value.
     • Look for the following line:
         Server: OS 1.0 UPnP/1.0 Realtek/V1.3
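
A LAN-side version of the banner check above, as an added example that is not part of the original article: it sends a standard SSDP M-SEARCH on the local network and flags replies whose Server header carries a Realtek/ token, like the line shown above. It assumes the router answers on the LAN with the same Server header Shodan records; the sample replies are constructed, and a match shows only that the Realtek UPnP stack is present, not that the device is exploitable.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)   # standard SSDP multicast group and port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n\r\n"
).encode()

def parse_headers(raw: bytes) -> dict:
    """Parse an SSDP (HTTP-over-UDP) reply into {lowercased header name: value}."""
    headers = {}
    for line in raw.decode("latin-1").split("\r\n")[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_realtek_upnp(raw: bytes) -> bool:
    """True if the Server header carries a Realtek/<version> product token."""
    server = parse_headers(raw).get("server", "")
    return any(tok.lower().startswith("realtek/") for tok in server.split())

def discover(timeout: float = 3.0) -> dict:
    """Multicast one M-SEARCH on the local network; return {ip: Server header}."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                data, (ip, _port) = s.recvfrom(4096)
                if is_realtek_upnp(data):
                    found[ip] = parse_headers(data)["server"]
        except socket.timeout:
            pass                         # no more replies within the timeout
    return found

# Constructed sample replies (not captured traffic) for an offline check.
SAMPLE_REALTEK = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                  b"Server: OS 1.0 UPnP/1.0 Realtek/V1.3\r\n\r\n")
SAMPLE_OTHER = (b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
                b"SERVER: Linux/3.4 UPnP/1.0 ExampleStack/2.0\r\n\r\n")

if __name__ == "__main__":
    print(is_realtek_upnp(SAMPLE_REALTEK), is_realtek_upnp(SAMPLE_OTHER))
    print(discover() or "no Realtek UPnP Server header seen on this LAN")
```

Run it from a machine on the same network as the router; an empty result means no device answered with a Realtek Server header within the timeout.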

If you find that your router is vulnerable, you can protect yourself by disabling UPnP in the management interface. You'll also want to check to see if your vendor has announced a pending update to correct this flaw. Notably, D-Link is already at work on updates.
