DSA-3736

[oss-security] 20160718 libupnp write files via POST

[oss-security] 20160720 Re: libupnp write files via POST

92050

https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd

GLSA-201701-52

https://sourceforge.net/p/pupnp/code/ci/master/tree/ChangeLog

https://twitter.com/mjg59/status/755062278513319936

40589

https://www.tenable.com/security/research/tra-2017-10

- miniserver: fix binding to ipv6 link-local addresses

  - Fix out-of-bound access in create_url_list()     (CVE-2016-8863)

  - If the error or info log files can not be created, use     stderr and stdout instead.

  - SF Bug Tracker #132 CVE-2016-6255: write files via POST

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update to libupnp 1.6.21 fixes the following security issues :

  - various string handling issues (bsc#898167)

  - CVE-2016-8863: out-of-bounds access (bsc#1006256)

  - CVE-2016-6255: fix for file write via POST (bsc#989948)

The remote host is affected by the vulnerability described in GLSA-201701-52 (libupnp: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in libupnp. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attack could arbitrarily write files to a users file system,       cause a Denial of Service condition, or execute arbitrary code.
  Workaround :

    There is no known workaround at this time.

Matthew Garett reports :

Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem.
Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.

Scott Tenaglia reports :

There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.

Two vulnerabilities were discovered in libupnp, a portable SDK for UPnP devices.

  - CVE-2016-6255     Matthew Garret discovered that libupnp by default allows     any user to write to the filesystem of the host running     a libupnp-based server application.

  - CVE-2016-8863     Scott Tenaglia discovered a heap buffer overflow     vulnerability, that can lead to denial of service or     remote code execution.

The Portable SDK for UPnP Devices (libupnp) running on the remote host is affected by a flaw that is triggered when handling HTTP POST or GET requests. An unauthenticated, remote attacker can exploit this to write arbitrary files to the web server file system.

It has been discovered that libupnp's default behaviour allows anyone to write to the filesystem of the system running a libupnp-based server application.

For Debian 7 'Wheezy', these problems have been fixed in version 1.6.17-1.2+deb7u1.

We recommend that you upgrade your libupnp packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
101590	Fedora 26 : libupnp (2017-23535a31f8)	Nessus	Fedora Local Security Checks	critical
100612	openSUSE Security Update : libupnp (openSUSE-2017-650)	Nessus	SuSE Local Security Checks	critical
97702	Fedora 24 : libupnp (2017-3bd0b2e2c0)	Nessus	Fedora Local Security Checks	critical
97674	Fedora 25 : libupnp (2017-2c29702300)	Nessus	Fedora Local Security Checks	critical
96687	GLSA-201701-52 : libupnp: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
96163	FreeBSD : upnp -- multiple vulnerabilities (244c8288-cc4a-11e6-a475-bcaec524bf84)	Nessus	FreeBSD Local Security Checks	critical
96015	Debian DSA-3736-1 : libupnp - security update	Nessus	Debian Local Security Checks	critical
93221	Portable SDK for UPnP Devices (libupnp) HTTP Arbitrary File Write	Nessus	Misc.	high
93017	Debian DLA-597-1 : libupnp security update	Nessus	Debian Local Security Checks	high

CVE-2016-6255

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

high

high