Talos Vulnerability Report

TALOS-2015-0035

MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

September 15, 2015
CVE Number

CVE-2015-6031

Description

An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library. A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

Tested Versions

MiniUPnP repository master branch

Product URLs

https://github.com/miniupnp/miniupnp

Details

Buffer overflow is present in client-side, miniupnpc, part of the library. Vulnerable part of the code is triggered when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network. Buffer overflow is triggered by an oversized XML element name.

When parsing the UPNP replies, the XML parser is initialized and parsexml() function is called:

parser.xmlstart = buffer;
parser.xmlsize = bufsize;
parser.data = data;
parser.starteltfunc = IGDstartelt;
parser.endeltfunc = IGDendelt;
parser.datafunc = IGDdata;
parser.attfunc = 0;
parsexml(&parser);

Start element function callback is initialized to IGDStartelt function and parser data variable is of struct IGDdatas type:

struct IGDdatas {
char cureltname[MINIUPNPC_URL_MAXSIZE];
char urlbase[MINIUPNPC_URL_MAXSIZE];
char presentationurl[MINIUPNPC_URL_MAXSIZE];
...
};

Structure member cureltname is initialized to a static maximum value.</>

Buffer overflow occurs in IGDstartelt function when parsing new XML element:

void IGDstartelt(void * d, const char * name, int l)
{
struct IGDdatas * datas = (struct IGDdatas *)d;
memcpy( datas->cureltname, name, l);
datas->cureltname[l] = '\0';
datas->level++;
if( (l==7) && !memcmp(name, "service", l) ) {
datas->tmp.controlurl[0] = '\0';
datas->tmp.eventsuburl[0] = '\0';
datas->tmp.scpdurl[0] = '\0';
datas->tmp.servicetype[0] = '\0';
}
}

An unsafe call to memcpy is made with both source and length arguments under external control.

Credit

Aleksandar Nikolic of Cisco Talos