More UPNP woes: Crashable library bites routers and software
You know the drill: patch fast or cry slowly
It's a patch for vendors and developers, but the bug could be nasty: there's a flaw in a Universal Plug'N'Play (UPNP) library used in a wide range of black-box devices.
The bug, in miniupnpc, allows the lightweight UPNP library to be crashed by an attacker – and while the discoverer only confirmed its risk as a denial-of-service vector, library crashes always carry at least the potential that an attacker could find a way through to a shell.
The library in question pops up all over the place: as well as broadband routers, the bug was tested against the bitcoind Bitcoin daemon, the qBittorrent open source alternative to uTorrent, and a C++ based Ethereum client.
Here's what's in the disclosure: “An integer signedness error was found in miniupnp's `miniwget` allowing an unauthenticated remote entity typically located on the local network segment to trigger a heap corruption or an access violation in miniupnp's http response parser when processing a specially crafted chunked-encoded response to a request for the xml root description url.
“To exploit this vulnerability, an attacker only has to provide a chunked-encoded HTTP response with a negative chunk length to upnp clients requesting a resource on the attacker's webserver. Upnp clients can easily be instructed to request resources on the attacker's webserver by answering SSDP [Simple Service Discovery Protocol – The Register] discovery requests or by issuing SSDP service notifications (low complexity, integral part of the protocol).”
The note at Full Disclosure presents three proof-of-concept scenarios, each triggering a different crash, and says “basically all” miniwget and UPNP_* methods can be used as vectors.
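The disclosure's mention of a negative chunk length points at the defence: the chunk size in HTTP chunked transfer encoding is a hexadecimal number and should be parsed as an unsigned quantity, with the digit loop rejecting anything that is not a hex digit (so a leading "-" fails to parse rather than producing a negative integer), with overflow detection, and with every copy bounded by both the input and output buffers. The decoder below is an added example written for this article; it is not code from miniupnpc, bitcoind, qBittorrent or any other project named here, and the function names and sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example (not miniupnpc code): a defensive decoder for HTTP/1.1
 * chunked transfer encoding. The chunk length is accumulated in a size_t,
 * only plain hex digits are accepted, overflow aborts the parse, and no
 * read or write goes past the buffers handed to the function. */

/* Parse one chunk-size line ("hex[;extension]\r\n"). Returns the number of
 * bytes consumed including the CRLF, or 0 on any malformed input. Chunk
 * extensions are skipped, not interpreted. */
static size_t parse_chunk_size(const unsigned char *buf, size_t len, size_t *out)
{
    size_t i = 0, val = 0;
    int digits = 0;

    while (i < len) {
        unsigned char c = buf[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;                         /* '-', ' ', ';', CR: not a digit */
        if (val > (SIZE_MAX >> 4)) return 0; /* next shift would overflow */
        val = (val << 4) | (size_t)d;
        digits++;
        i++;
    }
    if (digits == 0) return 0;              /* covers "-1", "", and garbage */

    if (i < len && buf[i] == ';')           /* optional chunk extension */
        while (i < len && buf[i] != '\r') i++;

    if (i + 1 >= len || buf[i] != '\r' || buf[i + 1] != '\n') return 0;
    *out = val;
    return i + 2;
}

/* Decode a complete chunked body into out (capacity outcap). Returns the
 * decoded length, or -1 if the input is malformed, truncated, or would not
 * fit. Trailer headers after the last chunk are not supported. */
long decode_chunked(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outcap)
{
    size_t pos = 0, outlen = 0;

    for (;;) {
        size_t chunk, n = parse_chunk_size(in + pos, inlen - pos, &chunk);
        if (n == 0) return -1;
        pos += n;

        if (chunk == 0) {                   /* last-chunk: needs final CRLF */
            if (inlen - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n')
                return -1;
            return (long)outlen;
        }
        /* chunk data plus its trailing CRLF must fit in what remains */
        if (chunk > inlen - pos || inlen - pos - chunk < 2) return -1;
        if (chunk > outcap - outlen) return -1;

        memcpy(out + outlen, in + pos, chunk);
        outlen += chunk;
        pos += chunk;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
}

/* Demonstration helpers: decode a NUL-terminated body into a fixed scratch
 * buffer and compare the result. */
static unsigned char scratch[256];

long decode_cstr(const char *body)
{
    return decode_chunked((const unsigned char *)body, strlen(body),
                          scratch, sizeof scratch);
}

int scratch_is(const char *expected, size_t n)
{
    return memcmp(scratch, expected, n) == 0;
}

int main(void)
{
    /* constructed inputs: a valid body, a negative length, an overflowing
     * length, and a length larger than the data actually sent */
    printf("valid:     %ld\n", decode_cstr("4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"));
    printf("negative:  %ld\n", decode_cstr("-1\r\nXXXX\r\n0\r\n\r\n"));
    printf("overflow:  %ld\n", decode_cstr("ffffffffffffffffffff\r\n0\r\n\r\n"));
    printf("truncated: %ld\n", decode_cstr("10\r\nabc\r\n0\r\n\r\n"));
    return 0;
}
```

The three malformed inputs all come back as -1 before any byte is copied; the signedness bug described in the disclosure cannot arise here because a minus sign is simply not a hex digit, and the length is never held in a signed type.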
Developers can get the tar.gz file with the fix here. ®