multiple flaws in minissdpd
From: Kees Cook <kees () ubuntu com>
Date: Thu, 28 Jul 2011 14:24:20 -0700


I recently did an audit[1] of minissdpd for Ubuntu, and found a lot of issues,
unfortunately. There may be more hiding that I didn't notice, but here
are the security bits of my notes:

Denial of Service:

- off-by-one in packet parsing can trigger crashes on unlucky alignment
    minissdpd.c line ~290

- walk off end of memory without length check in "cache-control" packet
    minissdpd.c line ~314

- some unchecked malloc uses could lead to crash

- does not clean up /var/run files on crash

Corruption, possible manipulation of responses:

- linefeed injection in service requests

- unchecked write lengths (could get interrupted, lead to corruption)

Memory corruption, with execution control likely:

- multiple buffer overflows in processRequest
    - unchecked decoded lengths
    - unchecked buffer creation length
    - integer overflows in decoded lengths
    - write null byte arbitrarily in heap
    - could read stack memory out on requests (including canary if OS
      used stack protector canary that wasn't null-started). e.g.:
      - add bogus service with giant coded-length "location" entry
      - read back with type==1 and matching "st"

General Safety:

- does not drop privileges

Hopefully all of this can get fixed up, it looks like a useful service. :)



[1] https://bugs.launchpad.net/ubuntu/+source/minissdpd/+bug/813313

Kees Cook
Ubuntu Security Team
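Several of the processRequest items above (unchecked decoded lengths, integer overflows in decoded lengths, a giant coded-length "location" entry) come down to a length decoder that trusts the wire. The following is an added example, not minissdpd's own code; it assumes a 7-bit-per-byte, high-bit-continuation length encoding (an assumption about the format, not taken from the post) and shows the three checks such a decoder needs: a bounds check before every byte read, an overflow check before every shift, and a check of the decoded length against the bytes remaining before the field is used.

```c
#include <stddef.h>
#include <stdint.h>

/* Decoder results: anything below DEC_OK means "reject the packet". */
enum { DEC_OK = 0, DEC_TRUNCATED = -1, DEC_OVERFLOW = -2, DEC_TOO_LONG = -3 };

/* Decode one coded length at buf[*pos]. Assumed format: 7 data bits per
 * byte, most significant group first, high bit set = more bytes follow.
 * Every byte is bounds-checked and the accumulator is checked before each
 * shift, so a truncated or giant encoding is rejected, never misread. */
static int decode_length(const unsigned char *buf, size_t buflen,
                         size_t *pos, uint32_t *out)
{
    uint32_t n = 0;
    unsigned char b;
    do {
        if (*pos >= buflen)
            return DEC_TRUNCATED;   /* continuation bit promised a byte we lack */
        b = buf[(*pos)++];
        if (n > (UINT32_MAX >> 7))
            return DEC_OVERFLOW;    /* n << 7 would wrap around */
        n = (n << 7) | (b & 0x7f);
    } while (b & 0x80);
    *out = n;
    return DEC_OK;
}

/* Validate a length-prefixed field starting at buf[*pos]: the decoded
 * length must fit in the bytes that remain. On success *fieldlen is set
 * and *pos is advanced past the field's bytes; *pos never exceeds buflen. */
static int parse_field(const unsigned char *buf, size_t buflen,
                       size_t *pos, uint32_t *fieldlen)
{
    uint32_t n;
    int rc = decode_length(buf, buflen, pos, &n);
    if (rc != DEC_OK)
        return rc;
    if (n > buflen - *pos)          /* cannot underflow: *pos <= buflen here */
        return DEC_TOO_LONG;
    *fieldlen = n;
    *pos += n;
    return DEC_OK;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char PKT_GOOD[]      = { 0x05, 'h', 'e', 'l', 'l', 'o' };
static const unsigned char PKT_TRUNCATED[] = { 0x85 };                        /* promises a byte that is missing */
static const unsigned char PKT_GIANT[]     = { 0xff, 0xff, 0xff, 0x7f, 'x' };  /* claims 268435455 bytes */
static const unsigned char PKT_OVERFLOW[]  = { 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }; /* 42 bits of length */
```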