CVE-2015-6031

Description

An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library. A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

Tested Versions

MiniUPnP repository master branch

Product URLs

https://github.com/miniupnp/miniupnp

Details

Buffer overflow is present in client-side, miniupnpc, part of the library. Vulnerable part of the code is triggered when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network. Buffer overflow is triggered by an oversized XML element name.

When parsing the UPNP replies, the XML parser is initialized and parsexml() function is called:

parser.xmlstart = buffer; parser.xmlsize = bufsize; parser.data = data; parser.starteltfunc = IGDstartelt; parser.endeltfunc = IGDendelt; parser.datafunc = IGDdata; parser.attfunc = 0; parsexml(&parser);

Start element function callback is initialized to IGDStartelt function and parser data variable is of struct IGDdatas type:

struct IGDdatas { char cureltname[MINIUPNPC_URL_MAXSIZE]; char urlbase[MINIUPNPC_URL_MAXSIZE]; char presentationurl[MINIUPNPC_URL_MAXSIZE]; ... };

Structure member cureltname is initialized to a static maximum value.</>

Buffer overflow occurs in IGDstartelt function when parsing new XML element:

void IGDstartelt(void * d, const char * name, int l) { struct IGDdatas * datas = (struct IGDdatas *)d; memcpy( datas->cureltname, name, l); datas->cureltname[l] = '\0'; datas->level++; if( (l==7) && !memcmp(name, "service", l) ) { datas->tmp.controlurl[0] = '\0'; datas->tmp.eventsuburl[0] = '\0'; datas->tmp.scpdurl[0] = '\0'; datas->tmp.servicetype[0] = '\0'; } }