Details:
It appears that some SSDP/UPnP servers are vulnerable to a type of attack that allowed for an attacker to use UPnP to redirect certain ports on the WAN back to the router itself (example: WAN port 5555 --> port 80 on router), resulting in way to access the device remotely. This has been reported on several models of routers, including Asus routers that are commonly-used with TomatoUSB.
For the attack to work, the SSDP/UPnP server must be listening on the WAN...
UPnProxy attack/vulnerability details
It appears that some SSDP/UPnP servers are vulnerable to a type of attack that allowed for an attacker to use UPnP to redirect certain ports on the WAN back to the router itself (example: WAN port 5555 --> port 80 on router), resulting in way to access the device remotely. This has been reported on several models of routers, including Asus routers that are commonly-used with TomatoUSB.
For the attack to work, the SSDP/UPnP server must be listening on the WAN...
UPnProxy attack/vulnerability details