A host of home Wi-Fi routers based on Realtek silicon may be vulnerable to a remote code execution attack thanks to a hole in Realtek's software development kit (SDK).
To support the universal plug-and-play (UPnP) standard, Realtek built a service/daemon into its SDK that listens for UPnP calls. Unfortunately, the developers didn't implement proper input sanitization for the NewInternalClient call. As a result, the bad guys may be able to cause a Realtek-based device to execute malicious code.
Here are a few resources to help identify if you have a SOHO router based on the Realtek 81xx-series SoC that may be vulnerable to attack.
- Try searching for your model of router on the WikiDevi, DD-WRT Wiki, and OpenWRT Wiki. These wikis are great resources to find out what SoC is powering your router.
- You can also test your own equipment using Shodan.
  - First head to Test IPv6 and write down your public IPv4 address.
  - Then go over to Shodan and sign up for a free account.
  - Now that you're logged into Shodan, you'll have access to the search engine filters. Here's the string you'll need to submit:
    realtek port:1900 net:[ip address]
  - Put the IPv4 address you got from Test IPv6 in after the net: value.
  - Look for the following line:
    Server: OS 1.0 UPnP/1.0 Realtek/V1.3
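The same banner check can also be run from inside your own network. The Python below is an added example, not part of the original article: it sends one standard SSDP M-SEARCH to the local multicast group and flags any reply whose Server header contains the Realtek/V1.3 string quoted above. The sample reply is constructed, and a match only identifies the Realtek UPnP stack, not whether the firmware has been patched.

```python
import socket

REALTEK_BANNER = "realtek/v1.3"          # from the Server line quoted in the article
SSDP_GROUP = ("239.255.255.250", 1900)   # standard SSDP multicast group and port
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n\r\n"
).encode("ascii")
# Constructed sample reply, used only to exercise the parser offline.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    b"SERVER: OS 1.0 UPnP/1.0 Realtek/V1.3\r\n\r\n"
)

def parse_ssdp_headers(raw: bytes) -> dict:
    """Return SSDP response headers as a dict with lower-cased names."""
    headers = {}
    for line in raw.decode("latin-1").splitlines()[1:]:  # skip the status line
        if not line:
            break                        # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_realtek_upnp(raw: bytes) -> bool:
    """True when the Server header carries the Realtek SDK banner."""
    return REALTEK_BANNER in parse_ssdp_headers(raw).get("server", "").lower()

def scan_lan(timeout: float = 3.0) -> list:
    """Multicast one M-SEARCH on the local network; return (ip, server) matches."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(4096)
                if is_realtek_upnp(data):
                    hits.append((ip, parse_ssdp_headers(data)["server"]))
        except socket.timeout:
            pass                         # no more replies within the timeout
    return hits

if __name__ == "__main__":
    for ip, server in scan_lan():
        print(f"{ip}: {server} -> disable UPnP and check for a firmware update")
```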
If you find that your router is vulnerable, you can protect yourself by disabling UPnP in the management interface. You'll also want to check to see if your vendor has announced a pending update to correct this flaw. Notably, D-Link is already at work on updates.