Portable SDK for UPnP Devices (libupnp) < 1.6.18 Multiple Stack-based Buffer Overflows RCE

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.


Synopsis :

A network service running on the remote host is affected by multiple
remote code execution vulnerabilities.

Description :

According to its banner, the version of Portable SDK for UPnP Devices
(libupnp) running on the remote host is prior to 1.6.18. It is,
therefore, affected by multiple remote code execution
vulnerabilities :

- A stack-based buffer overflow condition exists in the
unique_service_name() function within file
ssdp/ssdp_server.c when handling Simple Service
Discovery Protocol (SSDP) requests that is triggered
while copying the DeviceType URN. An unauthenticated,
remote attacker can exploit this, via a specially
crafted SSDP request, to execute arbitrary code.
(CVE-2012-5958)

- A stack-based buffer overflow condition exists in the
unique_service_name() function within file
ssdp/ssdp_server.c when handling Simple Service
Discovery Protocol (SSDP) requests that is triggered
while copying the UDN prior to two colons. An
unauthenticated, remote attacker can exploit this, via a
specially crafted SSDP request, to execute arbitrary
code. (CVE-2012-5959)

- A stack-based buffer overflow condition exists in the
unique_service_name() function within file
ssdp/ssdp_server.c when handling Simple Service
Discovery Protocol (SSDP) requests that is triggered
while copying the UDN prior to the '::upnp:rootdevice'
string. An unauthenticated, remote attacker can exploit
this, via a specially crafted SSDP request, to execute
arbitrary code. (CVE-2012-5960)

- Multiple stack-based buffer overflow conditions exist in
the unique_service_name() function within file
ssdp/ssdp_server.c due to improper validation of the
UDN, DeviceType, and ServiceType fields when parsing
Simple Service Discovery Protocol (SSDP) requests. An
unauthenticated, remote attacker can exploit these
issues, via a specially crafted SSDP request, to execute
arbitrary code. (CVE-2012-5961, CVE-2012-5962,
CVE-2012-5963, CVE-2012-5964, CVE-2012-5965)

See also :

http://www.nessus.org/u?37da582a
https://community.rapid7.com/docs/DOC-2150
http://www.nessus.org/u?54e32505
http://www.nessus.org/u?ef4b795d
http://www.nessus.org/u?698e06b3

Solution :

Upgrade to libupnp version 1.6.18 or later. If libupnp is used as a
third-party library by a different application, contact the vendor of
that application for a fix.
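
The banner comparison described above can be reproduced for triage of collected SSDP responses. The following is an added example, not the plugin's own code; it assumes libupnp identifies itself in the SERVER header as "Portable SDK for UPnP devices/<version>" (older builds as "Intel SDK for UPnP devices"), and the sample responses are constructed.

```python
import re

FIXED = (1, 6, 18)  # first fixed libupnp release, per the Solution text above

# Assumption: libupnp's SERVER header carries this product token and version.
BANNER_RE = re.compile(
    r"(?:Portable|Intel) SDK for UPnP devices\s*/\s*(\d+(?:\.\d+){0,3})",
    re.IGNORECASE,
)

def server_header(response):
    """Return the SERVER header value of a raw SSDP/HTTP message, or None."""
    for line in response.splitlines()[1:]:      # skip the start line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def libupnp_version(banner):
    """Extract the version as an int tuple (padded to 3 parts), or None."""
    m = BANNER_RE.search(banner or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def assess(response):
    """Return 'vulnerable', 'fixed', or 'unknown' (no libupnp banner seen)."""
    version = libupnp_version(server_header(response))
    if version is None:
        return "unknown"
    # Compare numerically: as strings, "1.6.6" would sort after "1.6.18".
    return "vulnerable" if version[:3] < FIXED else "fixed"

# Constructed sample responses (not captured from real devices).
SAMPLES = {
    "old": "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
           "SERVER: Linux/2.6.32, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n\r\n",
    "fixed": "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
             "Server: Linux/3.2.0, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n\r\n",
    "other": "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
             "SERVER: ExampleOS/1.0 UPnP/1.0 ExampleStack/2.0\r\n\r\n",
}
```

A result of "unknown" only means no libupnp banner was present; vendors that embed the library may alter or suppress the banner, so such hosts still need confirmation from the vendor.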

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.8
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Gain a shell remotely

Nessus Plugin ID: 64394

Bugtraq ID: 57602

CVE ID: CVE-2012-5958
CVE-2012-5959
CVE-2012-5960
CVE-2012-5961
CVE-2012-5962
CVE-2012-5963
CVE-2012-5964
CVE-2012-5965
