
More UPNP woes: Crashable library bites routers and software

You know the drill: patch fast or cry slowly

It's a patch for vendors and developers, but it could be nasty: there's a bug in a Universal Plug'N'Play (UPNP) library used in a wide range of black-box devices.

The bug, in miniupnpc, allows the lightweight UPNP library to be crashed by an attacker – and while the discoverer only confirmed its risk as a denial-of-service vector, library crashes always carry at least the potential that an attacker could find a way through to a shell.

The library in question pops up all over the place: as well as broadband routers, the bug was tested against the bitcoind Bitcoin daemon, the qBittorrent open source alternative to uTorrent, and a C++ based Ethereum client.

Here's what's in the disclosure: “An integer signedness error was found in miniupnp's `miniwget` allowing an unauthenticated remote entity typically located on the local network segment to trigger a heap corruption or an access violation in miniupnp's http response parser when processing a specially crafted chunked-encoded response to a request for the xml root description url.

“To exploit this vulnerability, an attacker only has to provide a chunked-encoded HTTP response with a negative chunk length to upnp clients requesting a resource on the attacker's webserver. Upnp clients can easily be instructed to request resources on the attacker's webserver by answering SSDP [Simple Service Discovery Protocol – The Register] discovery requests or by issuing SSDP service notifications (low complexity, integral part of the protocol).”

The note at Full Disclosure presents three proof-of-concept scenarios, each triggering a different crash, and says “basically all” miniwget and UPNP_* methods can be used as vectors.
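The class of bug the disclosure describes is a chunk length parsed as a signed integer and then used as an unsigned copy length. The chunk-size parser below is an added example, not miniupnpc's code: it accumulates the hex length in an unsigned value, treats '-' as a non-digit so "-1" is rejected outright, and caps the length before any copy. The buffer limit, names and sample responses are the example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_BODY 65536   /* largest body we will reassemble; bounds every copy */

/* Parse one hex chunk-size line such as "1a3\r\n". Returns 1 on success, 0 on
 * malformed input. The accumulator is unsigned and '-' is not a hex digit, so a
 * line like "-1" is rejected rather than becoming a huge size_t copy length. */
static int parse_chunk_size(const char *p, size_t avail, size_t *size, size_t *consumed) {
    size_t v = 0, i = 0;
    int digits = 0;
    for (; i < avail; i++) {
        int d;
        if (p[i] >= '0' && p[i] <= '9') d = p[i] - '0';
        else if (p[i] >= 'a' && p[i] <= 'f') d = p[i] - 'a' + 10;
        else if (p[i] >= 'A' && p[i] <= 'F') d = p[i] - 'A' + 10;
        else break;
        if (v > (MAX_BODY >> 4)) return 0;       /* next shift would exceed MAX_BODY */
        v = (v << 4) | (size_t)d;
        digits++;
    }
    if (digits == 0) return 0;                   /* "", "-1", "xyz" all rejected */
    while (i < avail && p[i] != '\r') i++;       /* skip any chunk extensions */
    if (i + 1 >= avail || p[i + 1] != '\n') return 0;
    *size = v;
    *consumed = i + 2;
    return 1;
}

/* Decode a chunked body into out (capacity outcap). Returns the decoded length,
 * or -1 if the response is malformed, truncated or exceeds the limits. */
long decode_chunked(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t pos = 0, outlen = 0, sz, used;
    for (;;) {
        if (!parse_chunk_size(in + pos, inlen - pos, &sz, &used)) return -1;
        pos += used;
        if (sz == 0) return (long)outlen;        /* terminating zero-length chunk */
        if (sz > inlen - pos || sz > outcap - outlen) return -1;
        memcpy(out + outlen, in + pos, sz);      /* sz is bounded by both buffers */
        outlen += sz;
        pos += sz;
        if (inlen - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}

/* Wrapper over a fixed buffer for NUL-terminated (constructed) test responses. */
long decode_response(const char *resp) {
    static char buf[MAX_BODY];
    return decode_chunked(resp, strlen(resp), buf, sizeof buf);
}
```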

Developers can get the tar.gz file with the fix here. ®


Biting the hand that feeds IT © 1998–2017