An integer signedness error was found in miniupnp's miniwget, allowing an unauthenticated remote entity, typically located on the local network segment, to trigger a heap corruption or an access violation in miniupnp's HTTP response parser when processing a specially crafted chunked-encoded response to a request for the XML root description URL.
Affected since v1.4.20101221 (released 21/12/2010; ~6 years ago).
Affected software includes bitcoind and almost all forks, CPP ethereum, …; qBittorrent, Transmission, …; dlink, linksys, probably synology, or anything that allows IGD management / port forwarding. Search for miniwget on google or github to find more; closed source is obviously not included, but it is likely to find this lib packed with embedded devices.
The vulnerable component is an HTTP file download method called miniwget (precisely getHTTPResponse) that fails to properly handle invalid chunked-encoded HTTP responses. The root cause is a bounds check that mistakenly casts an unsigned attacker-provided chunksize to signed int, leading to an incorrect decision on the destination heap buffer size when copying data from the server response to an internal buffer. The attacker controls both the size of the internal buffer as well as the number of bytes to copy. In order for this attack to succeed, the number of bytes to copy must be negative.
attacker controls:
* int content_length
* unsigned int chunksize
* bytestocopy, if (int) chunksize is negative (or at least < n-i, ~1900 bytes)
* content_buf, if bytestocopy is negative
In the end, the attacker has almost full control of the following two methods:
realloc(content_buf, content_length)
memcpy(content_buf+x, http_response, chunksize)
affected methods (almost all exposed API):
basically all `miniwget*` and `UPNP_*` methods.
* getHTTPResponse (vulnerable)
* miniwget3
* miniwget2
* miniwget
* miniwget_getaddr
* UPNP_GetIGDFromUrl
* UPNP_GetValidIGD
* UPnP_selectigd
* UPNP_Get*
* UPNP_Check*
* UPNP_Delete*
* UPNP_Update*
* UPNP_Add*
This vulnerability is easily exploitable by an attacker on the same network segment/multicast domain, by answering SSDP discovery requests (1) (or sending notification requests) with a URL pointing to an attacker-controlled webserver. Answering this request (2) makes UPnP clients download a description file from that webserver (3)(4) in order to learn more about the capabilities of the Internet Gateway Device (IGD). By providing a chunk length that turns negative once cast to int in the chunked-encoded answer (4) to this request, the malicious webserver triggers the vulnerability. This way one malicious client could exploit all other clients in the same multicast domain. (Funny sidenote: I had to implement a target IP filter, otherwise the PoC would attract devices like a magnet and crash all of them.)
client (miniupnpc) server (poc.py)
| |
| |
| SSDP: Discovery - M-SEARCH |
1. | --------------------------------------> |
| |
| SSDP: Reply - Location Header |
2. | <-------------------------------------- |
| |
| SCPD: GET (Location Header/xxxx.xml) |
3. | --------------------------------------> |
| |
| SCPD: HTTP chunked-encoded reply |
4. | <-------------------------------------- |
| |
Note: the vulnerability is basically not bound to the adjacent network, since miniwget can also be used to download arbitrary files from the internet. The local network is just the most common/typical vector; otherwise the CVSS score would be higher.
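To make the root cause concrete, here is an added example (my own illustration, not miniupnpc's code and not the PoC that was shared with the project). It models the chunk-size decision described in the root-cause section above together with step (4) of the exchange: a constructed chunked reply whose first chunk-size line is 0xFFFFFFF0, which is -16 once cast to int. The vulnerable decision keeps the signed comparison the advisory describes; the hardened one compares in the unsigned domain. The receive-buffer size (n), offset (i), content_length and content_buf_len are constructed values, and the conversion of 0xFFFFFFF0 to int assumes the usual two's-complement behaviour of gcc/clang. The copy step is only simulated (it reports what memcpy would receive) so the example runs without corrupting memory.

```c
/*
 * Added example, not miniupnpc's code: a cut-down model of the chunk-size
 * decision in a chunked-encoding response parser, showing the signed comparison
 * the advisory describes next to an unsigned one. Buffer sizes, offsets and the
 * response bytes below are constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Step (4) of the exchange: a constructed chunked reply whose first chunk-size
 * line is 0xFFFFFFF0, i.e. -16 once cast to int (two's complement assumed). */
static const char kCraftedResponse[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
    "FFFFFFF0\r\n"
    "<root>attacker data</root>\r\n";

/* Parse one hex chunk-size line, stopping at CR, ';' (chunk extension) or any
 * other non-hex byte. Returns the value as unsigned int, as a chunked parser would. */
static unsigned int parse_chunksize(const char *line)
{
    unsigned int v = 0;
    for (; *line; line++) {
        unsigned int d;
        if (*line >= '0' && *line <= '9')      d = (unsigned int)(*line - '0');
        else if (*line >= 'a' && *line <= 'f') d = (unsigned int)(*line - 'a' + 10);
        else if (*line >= 'A' && *line <= 'F') d = (unsigned int)(*line - 'A' + 10);
        else break;
        v = (v << 4) | d;
    }
    return v;
}

/* Locate the first chunk-size line: the byte after the blank line that ends
 * the headers. Returns NULL if the response has no header terminator. */
static const char *first_chunk_line(const char *response)
{
    const char *p = strstr(response, "\r\n\r\n");
    return p ? p + 4 : NULL;
}

/* Vulnerable decision: chunksize is cast to int before being compared with the
 * bytes still unread in the receive buffer (n - i). Any chunksize >= 2^31 turns
 * negative, wins the "smaller than" test, and bytestocopy goes negative. */
static int bytes_to_copy_vulnerable(unsigned int chunksize, int n, int i)
{
    return ((int)chunksize < (n - i)) ? (int)chunksize : (n - i);
}

/* Hardened decision: stay in the unsigned domain, so the result can never
 * exceed the bytes actually available in the receive buffer. */
static unsigned int bytes_to_copy_hardened(unsigned int chunksize, int n, int i)
{
    unsigned int avail = (n > i) ? (unsigned int)(n - i) : 0u;
    return (chunksize < avail) ? chunksize : avail;
}

/* What the vulnerable copy step would do with that decision, without doing it. */
struct copy_step {
    int    bytestocopy;        /* signed result of the decision */
    bool   realloc_triggered;  /* did the buffer-growth check fire? */
    size_t memcpy_len;         /* length memcpy() would receive after size_t conversion */
    int    new_content_length; /* running total afterwards */
};

static struct copy_step vulnerable_copy_step(unsigned int chunksize, int n, int i,
                                             int content_length, int content_buf_len)
{
    struct copy_step s;
    s.bytestocopy = bytes_to_copy_vulnerable(chunksize, n, i);
    /* A negative bytestocopy makes the sum shrink, so the growth check never fires... */
    s.realloc_triggered = (content_length + s.bytestocopy) > content_buf_len;
    /* ...yet memcpy() would get the negative int converted to size_t: billions of bytes. */
    s.memcpy_len = (size_t)s.bytestocopy;
    s.new_content_length = content_length + s.bytestocopy;
    return s;
}

int main(void)
{
    /* Constructed parser state: 2048-byte receive buffer, chunk data at offset 10,
     * 100 bytes already accumulated in a 1024-byte content buffer. */
    const int n = 2048, i = 10, content_length = 100, content_buf_len = 1024;
    unsigned int chunksize = parse_chunksize(first_chunk_line(kCraftedResponse));
    struct copy_step s = vulnerable_copy_step(chunksize, n, i, content_length, content_buf_len);

    printf("chunksize              = 0x%08x\n", chunksize);
    printf("vulnerable bytestocopy = %d, realloc=%d, memcpy len=%zu, content_length -> %d\n",
           s.bytestocopy, (int)s.realloc_triggered, s.memcpy_len, s.new_content_length);
    printf("hardened bytestocopy   = %u\n", bytes_to_copy_hardened(chunksize, n, i));
    return 0;
}
```

The point the model makes visible is that a single bad comparison defeats two checks at once: the growth check sees content_length + bytestocopy go down rather than up, so no realloc happens, while memcpy receives the same negative value reinterpreted as size_t. Keeping the comparison unsigned bounds bytestocopy by what is actually in the receive buffer, which is the property the real fix [3] has to restore.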
Coordinated disclosure: reported to the miniupnp project owner, providing a detailed vulnerability analysis, a one-click exploit-all PoC and a minimal patch. The patch was accepted with minor changes and the issue was fixed within a few days of first contact (May 1st -> May 9th).
Details and the actual research material that was securely shared with the miniupnp project are going to be pushed to the following github repository once vendors have picked up the changes: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798
Vendor response [2] and patch [3]
♥ Thanks to miniupnp for treating this with priority.
[1] http://miniupnp.free.fr
[2] http://miniupnp.free.fr/files/changelog.php?file=miniupnpc-2.0.20170509.tar.gz
[3] https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229