CVE-2015-6031
An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library. A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.
MiniUPnP repository master branch
https://github.com/miniupnp/miniupnp
Buffer overflow is present in client-side, miniupnpc, part of the library. Vulnerable part of the code is triggered when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network. Buffer overflow is triggered by an oversized XML element name.
When parsing the UPNP replies, the XML parser is initialized and parsexml() function is called:
parser.xmlstart = buffer;
parser.xmlsize = bufsize;
parser.data = data;
parser.starteltfunc = IGDstartelt;
parser.endeltfunc = IGDendelt;
parser.datafunc = IGDdata;
parser.attfunc = 0;
parsexml(&parser);
Start element function callback is initialized to IGDStartelt function and parser data variable is of struct IGDdatas type:
struct IGDdatas {
char cureltname[MINIUPNPC_URL_MAXSIZE];
char urlbase[MINIUPNPC_URL_MAXSIZE];
char presentationurl[MINIUPNPC_URL_MAXSIZE];
...
};
Structure member cureltname is initialized to a static maximum value.</>
Buffer overflow occurs in IGDstartelt function when parsing new XML element:
void IGDstartelt(void * d, const char * name, int l)
{
struct IGDdatas * datas = (struct IGDdatas *)d;
memcpy( datas->cureltname, name, l);
datas->cureltname[l] = '\0';
datas->level++;
if( (l==7) && !memcmp(name, "service", l) ) {
datas->tmp.controlurl[0] = '\0';
datas->tmp.eventsuburl[0] = '\0';
datas->tmp.scpdurl[0] = '\0';
datas->tmp.servicetype[0] = '\0';
}
}
An unsafe call to memcpy is made with both source and length arguments under external control.
Aleksandar Nikolic of Cisco Talos