
oss-sec mailing list archives

Re: multiple flaws in minissdpd
From: miniupnp <miniupnp () free fr>
Date: Fri, 29 Jul 2011 08:55:21 +0200

Thanks for the report, I'm having a look at these issues.

On 28/07/2011 23:24, Kees Cook wrote:
Hi!

I recently did an audit[1] of minissdpd for Ubuntu, and found a lot of issues,
unfortunately. There may be more hiding that I didn't notice, but here
are the security bits of my notes:


Denial of Service:

- off-by-one in packet parsing can trigger crashes on unlucky alignment
    minissdpd.c line ~290

- walk off end of memory without length check in "cache-control" packet
    minissdpd.c line ~314

- some unchecked malloc uses could lead to crash

- does not clean up /var/run files on crash


Corruption, possible manipulation of responses:

- linefeed injection in service requests

- unchecked write lengths (could get interrupted, lead to corruption)


Memory corruption, with execution control likely:

- multiple buffer overflows in processRequest
    - unchecked decoded lengths
    - unchecked buffer creation length
    - integer overflows in decoded lengths
    - write null byte arbitrarily in heap
    - could read stack memory out on requests (including canary if OS
      used stack protector canary that wasn't null-started). e.g.:
      - add bogus service with giant coded-length "location" entry
      - read back with type==1 and matching "st"


General Safety:

- does not drop privileges


Hopefully all of this can get fixed up, it looks like a useful service. :)

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/minissdpd/+bug/813313
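The report above lists the checks a request parser of this kind needs: bounds-checking the length prefix, refusing lengths that overflow the accumulator or exceed the remaining packet, refusing lengths larger than the destination buffer, and rejecting line terminators in values that are later echoed into a line-based protocol. The decoder below is an added illustration of those checks, written for this page and not taken from minissdpd; the 7-bits-per-byte length encoding, the `decode_field` API and the `case_*` sample packets are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes for the bounds-checked decoder (hypothetical API, not minissdpd's). */
enum decode_status {
    DEC_OK = 0,
    DEC_TRUNCATED_LENGTH,   /* length prefix runs off the end of the packet */
    DEC_LENGTH_OVERFLOW,    /* length prefix would overflow the size_t accumulator */
    DEC_BODY_TOO_LONG,      /* declared length exceeds the bytes that remain */
    DEC_OUT_TOO_SMALL,      /* declared length exceeds the caller's buffer */
    DEC_BAD_CHAR            /* CR/LF inside a value later echoed in a text protocol */
};

/* Assumed field encoding for this example: a length prefix of 7 bits per byte
 * (high bit set = more bytes follow), then `len` bytes of payload.
 * Each numbered check corresponds to one bug class from the report above. */
enum decode_status decode_field(const unsigned char *pkt, size_t pktlen, size_t *pos,
                                char *out, size_t outcap, size_t *outlen)
{
    size_t i = *pos;
    size_t len = 0;
    int shift = 0;
    unsigned char b;

    /* 1. Every length-prefix byte is bounds-checked against pktlen before it is read. */
    do {
        if (i >= pktlen)
            return DEC_TRUNCATED_LENGTH;
        b = pkt[i++];
        /* 2. Refuse prefixes whose next 7 bits no longer fit in size_t. */
        if (shift >= (int)(sizeof(size_t) * 8 - 7))
            return DEC_LENGTH_OVERFLOW;
        len |= (size_t)(b & 0x7f) << shift;
        shift += 7;
    } while (b & 0x80);

    /* 3. The declared length must not exceed what is actually left in the packet. */
    if (len > pktlen - i)
        return DEC_BODY_TOO_LONG;
    /* 4. ...nor the destination buffer, keeping room for the terminating NUL. */
    if (len >= outcap)
        return DEC_OUT_TOO_SMALL;
    /* 5. Reject line terminators so a stored value cannot add lines to a response. */
    for (size_t k = 0; k < len; k++)
        if (pkt[i + k] == '\n' || pkt[i + k] == '\r')
            return DEC_BAD_CHAR;

    memcpy(out, pkt + i, len);
    out[len] = '\0';
    *outlen = len;
    *pos = i + len;
    return DEC_OK;
}

/* Constructed sample packets (not captured traffic); each helper returns the decoder status. */
static int run_case(const unsigned char *pkt, size_t pktlen, size_t outcap)
{
    char out[64];
    size_t pos = 0, outlen = 0;
    return (int)decode_field(pkt, pktlen, &pos, out, outcap, &outlen);
}

int case_valid(void)     { static const unsigned char p[] = {0x05, 'h', 'e', 'l', 'l', 'o'}; return run_case(p, sizeof p, 64); }
int case_truncated(void) { static const unsigned char p[] = {0x85};                         return run_case(p, sizeof p, 64); }
int case_body_long(void) { static const unsigned char p[] = {0x7f, 'a'};                    return run_case(p, sizeof p, 64); }
int case_out_small(void) { static const unsigned char p[] = {0x05, 'h', 'e', 'l', 'l', 'o'}; return run_case(p, sizeof p, 5); }
int case_linefeed(void)  { static const unsigned char p[] = {0x02, 'a', '\n'};              return run_case(p, sizeof p, 64); }
int case_overflow(void)
{
    /* Ten continuation bytes: the tenth would shift past bit 63 on a 64-bit size_t. */
    static const unsigned char p[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01};
    return run_case(p, sizeof p, 64);
}

/* Returns 1 when the valid packet decodes to the string "hello" and advances pos past it. */
int valid_decodes_hello(void)
{
    static const unsigned char p[] = {0x05, 'h', 'e', 'l', 'l', 'o'};
    char out[64];
    size_t pos = 0, outlen = 0;
    if (decode_field(p, sizeof p, &pos, out, sizeof out, &outlen) != DEC_OK)
        return 0;
    return outlen == 5 && pos == 6 && strcmp(out, "hello") == 0;
}

int main(void)
{
    printf("valid=%d truncated=%d body_long=%d out_small=%d linefeed=%d overflow=%d\n",
           case_valid(), case_truncated(), case_body_long(),
           case_out_small(), case_linefeed(), case_overflow());
    return 0;
}
```

The decoder never reads a byte it has not first checked against `pktlen`, and the output length is validated against both the remaining packet and the caller's buffer before `memcpy`, which is the ordering that closes the "unchecked decoded lengths" and "unchecked buffer creation length" classes from the report.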
