ID CVE-2012-5958
Summary Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.
References
Vulnerable Configurations
  • libupnp project libupnp 1.4.0
    cpe:2.3:a:libupnp_project:libupnp:1.4.0
  • libupnp project libupnp 1.4.1
    cpe:2.3:a:libupnp_project:libupnp:1.4.1
  • libupnp project libupnp 1.4.2
    cpe:2.3:a:libupnp_project:libupnp:1.4.2
  • libupnp project libupnp 1.4.3
    cpe:2.3:a:libupnp_project:libupnp:1.4.3
  • libupnp project libupnp 1.4.4
    cpe:2.3:a:libupnp_project:libupnp:1.4.4
  • libupnp project libupnp 1.4.5
    cpe:2.3:a:libupnp_project:libupnp:1.4.5
  • libupnp project libupnp 1.4.6
    cpe:2.3:a:libupnp_project:libupnp:1.4.6
  • libupnp project libupnp 1.4.7
    cpe:2.3:a:libupnp_project:libupnp:1.4.7
  • libupnp project libupnp 1.6.0
    cpe:2.3:a:libupnp_project:libupnp:1.6.0
  • libupnp project libupnp 1.6.1
    cpe:2.3:a:libupnp_project:libupnp:1.6.1
  • libupnp project libupnp 1.6.2
    cpe:2.3:a:libupnp_project:libupnp:1.6.2
  • libupnp project libupnp 1.6.3
    cpe:2.3:a:libupnp_project:libupnp:1.6.3
  • libupnp project libupnp 1.6.4
    cpe:2.3:a:libupnp_project:libupnp:1.6.4
  • libupnp project libupnp 1.6.5
    cpe:2.3:a:libupnp_project:libupnp:1.6.5
  • libupnp project libupnp 1.6.6
    cpe:2.3:a:libupnp_project:libupnp:1.6.6
  • libupnp project libupnp 1.6.7
    cpe:2.3:a:libupnp_project:libupnp:1.6.7
  • libupnp project libupnp 1.6.8
    cpe:2.3:a:libupnp_project:libupnp:1.6.8
  • libupnp project libupnp 1.6.9
    cpe:2.3:a:libupnp_project:libupnp:1.6.9
  • libupnp project libupnp 1.6.10
    cpe:2.3:a:libupnp_project:libupnp:1.6.10
  • libupnp project libupnp 1.6.11
    cpe:2.3:a:libupnp_project:libupnp:1.6.11
  • libupnp project libupnp 1.6.12
    cpe:2.3:a:libupnp_project:libupnp:1.6.12
  • libupnp project libupnp 1.6.13
    cpe:2.3:a:libupnp_project:libupnp:1.6.13
  • libupnp project libupnp 1.6.14
    cpe:2.3:a:libupnp_project:libupnp:1.6.14
  • libupnp project libupnp 1.6.15
    cpe:2.3:a:libupnp_project:libupnp:1.6.15
  • libupnp project libupnp 1.6.16
    cpe:2.3:a:libupnp_project:libupnp:1.6.16
  • libupnp project libupnp 1.6.17
    cpe:2.3:a:libupnp_project:libupnp:1.6.17
CVSS
Base: 10.0 (as of 02-09-2015 - 12:45)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: COMPLETE
Integrity: COMPLETE
Availability: COMPLETE
exploit-db via4
description Portable UPnP SDK unique_service_name() Remote Code Execution. CVE-2012-5858,CVE-2012-5958,CVE-2012-5959,CVE-2012-5960,CVE-2012-5961,CVE-2012-5962,CVE-2012-5...
id EDB-ID:24455
last seen 2016-02-02
modified 2013-02-05
published 2013-02-05
reporter metasploit
source https://www.exploit-db.com/download/24455/
title Portable UPnP SDK unique_service_name Remote Code Execution
metasploit via4
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1734.NASL
    description libupnp 1.6.18 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-03-20
    plugin id 64600
    published 2013-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64600
    title Fedora 17 : libupnp-1.6.18-1.fc17 (2013-1734)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201403-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201403-06 (libupnp: Arbitrary code execution) Multiple buffer overflow vulnerabilities have been discovered in libupnp. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 73219
    published 2014-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73219
    title GLSA-201403-06 : libupnp: Arbitrary code execution
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-2352.NASL
    description Unbundle libupnp. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 64735
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64735
    title Fedora 17 : mediatomb-0.12.1-23.fc17 (2013-2352)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-2377.NASL
    description Unbundle libupnp. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 64736
    published 2013-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64736
    title Fedora 18 : mediatomb-0.12.1-23.fc18 (2013-2377)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2614.NASL
    description Multiple stack-based buffer overflows were discovered in libupnp, a library used for handling the Universal Plug and Play protocol. HD Moore from Rapid7 discovered that SSDP queries were not correctly handled by the unique_service_name() function. An attacker sending carefully crafted SSDP queries to a daemon built on libupnp could generate a buffer overflow, overwriting the stack, leading to the daemon crash and possible remote code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64395
    published 2013-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64395
    title Debian DSA-2614-1 : libupnp - several vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-098.NASL
    description Updated libupnp packages fix security vulnerabilities : The Portable SDK for UPnP Devices libupnp library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965).
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 66110
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66110
    title Mandriva Linux Security Advisory : libupnp (MDVSA-2013:098)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1713.NASL
    description libupnp 1.6.18 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-03-20
    plugin id 64597
    published 2013-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64597
    title Fedora 16 : libupnp-1.6.18-1.fc16 (2013-1713)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-90.NASL
    description - Update to version 1.6.18 (bnc#801061) + Security fix for CERT issue VU#922681 This patch addresses three possible buffer overflows in function unique_service_name(). The three issues have the following CVE numbers: CVE-2012-5958 Issue #2: Stack-based buffer overflow of Tempbuf CVE-2012-5959 Issue #4: Stack-based buffer overflow of Event->UDN CVE-2012-5960 Issue #8: Stack-based buffer overflow of Event->UDN + Notice that the following issues have already been dealt with by previous work: CVE-2012-5961 Issue #1: Stack-based buffer overflow of Evt->UDN CVE-2012-5962 Issue #3: Stack-based buffer overflow of Evt->DeviceType CVE-2012-5963 Issue #5: Stack-based buffer overflow of Event->UDN CVE-2012-5964 Issue #6: Stack-based buffer overflow of Event->DeviceType CVE-2012-5965 Issue #7: Stack-based buffer overflow of Event->DeviceType
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75214
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75214
    title openSUSE Security Update : libupnp (openSUSE-SU-2013:0255-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_2EA6CE3D6AFD11E29D4EBCAEC524BF84.NASL
    description Project changelog reports : This patch addresses three possible buffer overflows in function unique_service_name(). The three issues have the following CVE numbers : - CVE-2012-5958 Issue #2: Stack buffer overflow of Tempbuf - CVE-2012-5959 Issue #4: Stack buffer overflow of Event->UDN - CVE-2012-5960 Issue #8: Stack buffer overflow of Event->UDN Notice that the following issues have already been dealt with by previous work : - CVE-2012-5961 Issue #1: Stack buffer overflow of Evt->UDN - CVE-2012-5962 Issue #3: Stack buffer overflow of Evt->DeviceType - CVE-2012-5963 Issue #5: Stack buffer overflow of Event->UDN - CVE-2012-5964 Issue #6: Stack buffer overflow of Event->DeviceType - CVE-2012-5965 Issue #7: Stack buffer overflow of Event->DeviceType
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64374
    published 2013-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64374
    title FreeBSD : upnp -- multiple vulnerabilities (2ea6ce3d-6afd-11e2-9d4e-bcaec524bf84)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-1765.NASL
    description libupnp 1.6.18 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-03-20
    plugin id 64601
    published 2013-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64601
    title Fedora 18 : libupnp-1.6.18-1.fc18 (2013-1765)
  • NASL family Gain a shell remotely
    NASL id LIBUPNP_1_6_18.NASL
    description According to its banner, the version of Portable SDK for UPnP Devices (libupnp) running on the remote host is prior to 1.6.18. It is, therefore, affected by multiple remote code execution vulnerabilities : - A stack-based buffer overflow condition exists in the unique_service_name() function within file ssdp/ssdp_server.c when handling Simple Service Discovery Protocol (SSDP) requests that is triggered while copying the DeviceType URN. An unauthenticated, remote attacker can exploit this, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5958) - A stack-based buffer overflow condition exists in the unique_service_name() function within file ssdp/ssdp_server.c when handling Simple Service Discovery Protocol (SSDP) requests that is triggered while copying the UDN prior to two colons. An unauthenticated, remote attacker can exploit this, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5959) - A stack-based buffer overflow condition exists in the unique_service_name() function within file ssdp/ssdp_server.c when handling Simple Service Discovery Protocol (SSDP) requests that is triggered while copying the UDN prior to the '::upnp:rootdevice' string. An unauthenticated, remote attacker can exploit this, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5960) - Multiple stack-based buffer overflow conditions exist in the unique_service_name() function within file ssdp/ssdp_server.c due to improper validation of the UDN, DeviceType, and ServiceType fields when parsing Simple Service Discovery Protocol (SSDP) requests. An unauthenticated, remote attacker can exploit these issues, via a specially crafted SSDP request, to execute arbitrary code. (CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 64394
    published 2013-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64394
    title Portable SDK for UPnP Devices (libupnp) < 1.6.18 Multiple Stack-based Buffer Overflows RCE
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2615.NASL
    description Multiple stack-based buffer overflows were discovered in libupnp4, a library used for handling the Universal Plug and Play protocol. HD Moore from Rapid7 discovered that SSDP queries were not correctly handled by the unique_service_name() function. An attacker sending carefully crafted SSDP queries to a daemon built on libupnp4 could generate a buffer overflow, overwriting the stack, leading to the daemon crash and possible remote code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 64396
    published 2013-02-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64396
    title Debian DSA-2615-1 : libupnp4 - several vulnerabilities
refmap via4
bid 57602
cert-vn VU#922681
cisco 20130129 Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
confirm
debian
  • DSA-2614
  • DSA-2615
mandriva MDVSA-2013:098
misc
suse openSUSE-SU-2013:0255
Last major update 02-09-2015 - 21:09
Published 31-01-2013 - 16:55
Last modified 02-11-2017 - 21:29