
MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

Published 2015-09-15 by Talos Intelligence (www.talosintelligence.com)

CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.004 Low (Percentile 73.0%)

Talos Vulnerability Report

TALOS-2015-0035

MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

September 15, 2015
CVE Number

CVE-2015-6031

Description

An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library. A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

Tested Versions

MiniUPnP repository master branch

Product URLs

https://github.com/miniupnp/miniupnp

Details

The buffer overflow is in miniupnpc, the client-side part of the library. The vulnerable code is reached when an application using miniupnpc performs its initial network discovery at startup and parses the replies from UPnP servers on the local network. The overflow is triggered by an oversized XML element name.

When the UPnP replies are parsed, the XML parser is initialized and the parsexml() function is called:

parser.xmlstart = buffer;
parser.xmlsize = bufsize;
parser.data = data;
parser.starteltfunc = IGDstartelt;
parser.endeltfunc = IGDendelt;
parser.datafunc = IGDdata;
parser.attfunc = 0;
parsexml(&parser);

The start-element callback is set to the IGDstartelt function, and the parser's data pointer refers to a struct IGDdatas:

struct IGDdatas {
char cureltname[MINIUPNPC_URL_MAXSIZE];
char urlbase[MINIUPNPC_URL_MAXSIZE];
char presentationurl[MINIUPNPC_URL_MAXSIZE];
...
};

The cureltname member is a fixed-size buffer of MINIUPNPC_URL_MAXSIZE bytes.

The buffer overflow occurs in the IGDstartelt function when a new XML element is parsed:

void IGDstartelt(void * d, const char * name, int l)
{
    struct IGDdatas * datas = (struct IGDdatas *)d;
    /* l is the element-name length taken from the received XML; it is never
     * checked against the size of cureltname before the copy */
    memcpy( datas->cureltname, name, l);
    datas->cureltname[l] = '\0';
    datas->level++;
    if( (l==7) && !memcmp(name, "service", l) ) {
        datas->tmp.controlurl[0] = '\0';
        datas->tmp.eventsuburl[0] = '\0';
        datas->tmp.scpdurl[0] = '\0';
        datas->tmp.servicetype[0] = '\0';
    }
}

An unsafe call to memcpy is made with both the source and the length arguments under external control: name and l come from the XML sent by the server, and l is not compared against the size of cureltname (MINIUPNPC_URL_MAXSIZE) before the copy, so an element name of MINIUPNPC_URL_MAXSIZE bytes or more writes past the end of the buffer, with the terminating byte written at index l as well.
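As an added example (not the library's own code and not the upstream fix), a cut-down model of the callback with the missing bound check applied and a small harness that confirms an oversized element name is truncated rather than written past the buffer; MINIUPNPC_URL_MAXSIZE is assumed to be 128 here, and the struct is a stand-in for IGDdatas.

```c
#include <stddef.h>
#include <string.h>

/* Assumed size for this example; the real igd_desc_parse.h defines its own. */
#define MINIUPNPC_URL_MAXSIZE 128
#define SENTINEL 0xDEADBEEFu

/* Cut-down stand-in for struct IGDdatas, with a sentinel placed right after
 * cureltname so the harness can tell whether anything was written past it. */
struct igd_datas {
    char cureltname[MINIUPNPC_URL_MAXSIZE];
    int level;
    unsigned int sentinel;
};

/* Hardened start-element callback: the length comes from untrusted XML, so it
 * is clamped to the destination size before the copy (the original copied l
 * bytes unchecked and then wrote the terminator at index l). Returns the
 * number of bytes actually stored. */
size_t hardened_startelt(struct igd_datas *datas, const char *name, int l)
{
    size_t n = l < 0 ? 0 : (size_t)l;
    if (n >= sizeof(datas->cureltname))
        n = sizeof(datas->cureltname) - 1;  /* keep room for the '\0' */
    memcpy(datas->cureltname, name, n);
    datas->cureltname[n] = '\0';
    datas->level++;
    return n;
}

/* Harness: feeds a constructed name of name_len 'A's through the hardened
 * callback; returns the stored length, or -1 if the sentinel was clobbered,
 * the level is wrong, or the stored name has no terminator in the buffer. */
long contained_name_len(int name_len)
{
    char name[512];
    struct igd_datas d;
    size_t n;
    if (name_len < 0 || name_len > (int)sizeof(name))
        return -1;
    memset(name, 'A', (size_t)name_len);
    memset(&d, 0, sizeof(d));
    d.sentinel = SENTINEL;
    n = hardened_startelt(&d, name, name_len);
    if (d.sentinel != SENTINEL || d.level != 1 ||
        memchr(d.cureltname, '\0', sizeof(d.cureltname)) == NULL)
        return -1;
    return (long)n;
}
```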

Credit

Aleksandar Nikolic of Cisco Talos

