ID CVE-2016-6255
Summary Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler.
References
Vulnerable Configurations
  • Debian Linux 8.0 (Jessie)
    cpe:2.3:o:debian:debian_linux:8.0
  • libupnp 1.6.20
    cpe:2.3:a:libupnp_project:libupnp:1.6.20
CVSS
Base: 5.0 (as of 07-03-2017 - 13:49)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but no protection against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
exploit-db via4
description MiCasa VeraLite - Remote Code Execution. CVE-2013-4863, CVE-2016-6255. Remote exploit for Hardware platform
file exploits/hardware/remote/40589.html
id EDB-ID:40589
last seen 2016-10-20
modified 2016-10-20
platform hardware
port
published 2016-10-20
reporter Jacob Baines
source https://www.exploit-db.com/download/40589/
title MiCasa VeraLite - Remote Code Execution
type remote
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-3BD0B2E2C0.NASL
    description
      - miniserver: fix binding to ipv6 link-local addresses
      - Fix out-of-bound access in create_url_list() (CVE-2016-8863)
      - If the error or info log files can not be created, use stderr and stdout instead.
      - SF Bug Tracker #132 CVE-2016-6255: write files via POST
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-03-27
    plugin id 97702
    published 2017-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97702
    title Fedora 24 : libupnp (2017-3bd0b2e2c0)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-52.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-52 (libupnp: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in libupnp. Please review the CVE identifiers referenced below for details.
      Impact: A remote attacker could arbitrarily write files to a user's file system, cause a Denial of Service condition, or execute arbitrary code.
      Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-03-27
    plugin id 96687
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96687
    title GLSA-201701-52 : libupnp: Multiple vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3736.NASL
    description Two vulnerabilities were discovered in libupnp, a portable SDK for UPnP devices.
      - CVE-2016-6255: Matthew Garrett discovered that libupnp by default allows any user to write to the filesystem of the host running a libupnp-based server application.
      - CVE-2016-8863: Scott Tenaglia discovered a heap buffer overflow vulnerability that can lead to denial of service or remote code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96015
    published 2016-12-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96015
    title Debian DSA-3736-1 : libupnp - security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_244C8288CC4A11E6A475BCAEC524BF84.NASL
    description Matthew Garrett reports:
      Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.
      Scott Tenaglia reports:
      There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96163
    published 2016-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96163
    title FreeBSD : upnp -- multiple vulnerabilities (244c8288-cc4a-11e6-a475-bcaec524bf84)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-650.NASL
    description This update to libupnp 1.6.21 fixes the following security issues:
      - various string handling issues (bsc#898167)
      - CVE-2016-8863: out-of-bounds access (bsc#1006256)
      - CVE-2016-6255: fix for file write via POST (bsc#989948)
    last seen 2018-09-02
    modified 2017-06-05
    plugin id 100612
    published 2017-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100612
    title openSUSE Security Update : libupnp (openSUSE-2017-650)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-2C29702300.NASL
    description
      - miniserver: fix binding to ipv6 link-local addresses
      - Fix out-of-bound access in create_url_list() (CVE-2016-8863)
      - If the error or info log files can not be created, use stderr and stdout instead.
      - SF Bug Tracker #132 CVE-2016-6255: write files via POST
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-03-27
    plugin id 97674
    published 2017-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97674
    title Fedora 25 : libupnp (2017-2c29702300)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-23535A31F8.NASL
    description
      - miniserver: fix binding to ipv6 link-local addresses
      - Fix out-of-bound access in create_url_list() (CVE-2016-8863)
      - If the error or info log files can not be created, use stderr and stdout instead.
      - SF Bug Tracker #132 CVE-2016-6255: write files via POST
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-07-17
    plugin id 101590
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101590
    title Fedora 26 : libupnp (2017-23535a31f8)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-597.NASL
    description It has been discovered that libupnp's default behaviour allows anyone to write to the filesystem of the system running a libupnp-based server application. For Debian 7 'Wheezy', these problems have been fixed in version 1.6.17-1.2+deb7u1. We recommend that you upgrade your libupnp packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 93017
    published 2016-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93017
    title Debian DLA-597-1 : libupnp security update
  • NASL family Misc.
    NASL id LIBUPNP_2016_6255.NASL
    description The Portable SDK for UPnP Devices (libupnp) running on the remote host is affected by a flaw that is triggered when handling HTTP POST or GET requests. An unauthenticated, remote attacker can exploit this to write arbitrary files to the web server file system.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 93221
    published 2016-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93221
    title Portable SDK for UPnP Devices (libupnp) HTTP Arbitrary File Write
packetstorm via4
data source https://packetstormsecurity.com/files/download/139298/micasaveralite-exec.txt
id PACKETSTORM:139298
last seen 2016-12-05
published 2016-10-21
reporter Jacob Baines
source https://packetstormsecurity.com/files/139298/MiCasa-VeraLite-Remote-Code-Execution.html
title MiCasa VeraLite Remote Code Execution
refmap via4
bid 92050
confirm https://sourceforge.net/p/pupnp/code/ci/master/tree/ChangeLog
debian DSA-3736
exploit-db 40589
gentoo GLSA-201701-52
misc
mlist
  • [oss-security] 20160718 libupnp write files via POST
  • [oss-security] 20160720 Re: libupnp write files via POST
Last major update 08-03-2017 - 12:30
Published 07-03-2017 - 11:59
Last modified 02-11-2017 - 21:29