TALOS-2015-0035 (CVE-2015-6031)

Bug #1506017 reported by Wladimir J. van der Laan on 2015-10-14
Affects: miniupnpc (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Please upgrade the miniupnpc package, or backport a fix as soon as possible.
There is a remote-exploitable (from LAN) bug in miniupnpc:

See http://talosintel.com/reports/TALOS-2015-0035/

This affects transmission-gtk, as well as all other client software that uses this library, such as bitcoind.

The commit fixing the vulnerability is https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78

I have a PoC exploit for amd64, if interested contact me at <email address hidden> , use GPG keyid: 0x74810B012346C9A6

It affects libminiupnpc, not 'miniupnpc', which is the executable that accompanies it. At least libminiupnpc8 on Ubuntu 14.04.

Steve Beattie (sbeattie) wrote :

Thanks for the report. miniupnpc is the source package name, from which the libminiupnpc8 binary package is generated.

Changed in miniupnpc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium

BTW: for transmission-gtk and vino this appears to be a heap overflow, not a stack overflow.
The UPNP_GetValidIGD function overwrites a caller-provided pointer to an IGDdatas structure, and it happens to be on the heap.

- vino: https://git.gnome.org/browse/vino/tree/server/vino-upnp.c#n39
- transmission: https://trac.transmissionbt.com/browser/trunk/libtransmission/upnp.c#Lstatic45

For these packages, the structure is a static global variable:

- maki-plugins
- libeiskaltdcpp2.2

For these it is on the stack:
- 0ad

Doesn't call UPNP_GetValidIGD at all:
- warzone2100
- megaglest

Bitcoin (not an Ubuntu package, but the PPA used to rely on this package) is one of the few programs that has the structure on the stack. Apparently Cisco TALOS used that for their probing.
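
The bounded element-name copy that the fix commit applies, as an added example that is not code from this page or from miniupnpc itself: the struct, field and size names (igd_datas, cureltname, ELTNAME_MAXSIZE = 128) are assumptions modelled on miniupnpc's IGDdatas, and scan_start_tags is a hypothetical driver that feeds start-tag names to the callback so the clipping can be exercised on constructed input.

```c
/* Added example, not miniupnpc's code. Names mirror IGDdatas/cureltname/
 * MINIUPNPC_URL_MAXSIZE from memory and are an assumption. */
#include <string.h>

#define ELTNAME_MAXSIZE 128  /* assumed size of the fixed element-name buffer */

struct igd_datas {
    char cureltname[ELTNAME_MAXSIZE]; /* current element name, NUL-terminated */
    int truncated;                    /* diagnostic: how many names were clipped */
};

/* Start-element callback. Without the bound, a device-supplied element name
 * longer than the buffer overruns whatever follows the struct: heap, static
 * data or stack, depending on where the caller placed it (see the thread). */
int igd_start_elt(struct igd_datas *datas, const char *name, int l)
{
    if (l < 0)
        return -1;
    if (l >= ELTNAME_MAXSIZE) {   /* the fix: clip, leaving room for the NUL */
        datas->truncated++;
        l = ELTNAME_MAXSIZE - 1;
    }
    memcpy(datas->cureltname, name, (size_t)l);
    datas->cureltname[l] = '\0';
    return l;
}

/* Minimal scanner: hand every start-tag name in an XML-like description to
 * igd_start_elt; end tags and <?..?>/<!..> are skipped. Returns the count. */
int scan_start_tags(struct igd_datas *datas, const char *buf)
{
    size_t i = 0, len = strlen(buf);
    int count = 0;
    while (i < len) {
        if (buf[i++] != '<' || i >= len)
            continue;
        if (buf[i] == '/' || buf[i] == '?' || buf[i] == '!')
            continue;                                /* not a start tag */
        size_t start = i;
        while (i < len && buf[i] != '>' && buf[i] != '/' && buf[i] != ' ')
            i++;
        if (igd_start_elt(datas, buf + start, (int)(i - start)) < 0)
            return -1;
        count++;
    }
    return count;
}
```

A name longer than the buffer is clipped to ELTNAME_MAXSIZE - 1 bytes and counted in `truncated`, which is a useful signal to log when probing a LAN device's description document.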

Steve Beattie (sbeattie) on 2015-10-20
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package miniupnpc - 1.6-3ubuntu1.2

---------------
miniupnpc (1.6-3ubuntu1.2) precise-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in XML parser (LP: #1506017)
    - igd_desc_parse.c: fix buffer overflow in
    - https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
    - CVE-2015-6031

 -- Steve Beattie <email address hidden> Thu, 15 Oct 2015 18:35:20 -0700

Changed in miniupnpc (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package miniupnpc - 1.9.20140610-2ubuntu1.1

---------------
miniupnpc (1.9.20140610-2ubuntu1.1) vivid-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in XML parser (LP: #1506017)
    - debian/patches/CVE-2015-6031.patch: fix buffer overflow in
      igd_desc_parse.c
    - CVE-2015-6031

 -- Steve Beattie <email address hidden> Thu, 15 Oct 2015 17:35:51 -0700

Changed in miniupnpc (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package miniupnpc - 1.6-3ubuntu2.14.04.2

---------------
miniupnpc (1.6-3ubuntu2.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in XML parser (LP: #1506017)
    - igd_desc_parse.c: fix buffer overflow in
    - https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
    - CVE-2015-6031

 -- Steve Beattie <email address hidden> Thu, 15 Oct 2015 17:41:05 -0700

Changed in miniupnpc (Ubuntu):
status: Confirmed → Fix Released

Awesome!

This report contains Public Security information.