TALOS-2015-0035 (CVE-2015-6031)

Bug #1506017 reported by Wladimir J. van der Laan
Affects: miniupnpc (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Please upgrade the miniupnpc package, or backport a fix as soon as possible.
There is a remote-exploitable (from LAN) bug in miniupnpc:

See http://talosintel.com/reports/TALOS-2015-0035/

This affects transmission-gtk, as well as all other client software that uses this library, such as bitcoind.

The commit fixing the vulnerability is https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78

I have a PoC exploit for amd64; if interested, contact me at <email address hidden>, using GPG keyid 0x74810B012346C9A6.

Wladimir J. van der Laan (laanwj) wrote :

It affects libminiupnpc, not 'miniupnpc', which is the executable that accompanies it. At least libminiupnpc8 on Ubuntu 14.04.

Steve Beattie (sbeattie) wrote :

Thanks for the report. miniupnpc is the source package name, from which the libminiupnpc8 binary package is generated.

Changed in miniupnpc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Wladimir J. van der Laan (laanwj) wrote :

BTW: for transmission-gtk and vino this appears to be a heap overflow, not a stack overflow.
The UPNP_GetValidIGD function overwrites a caller-provided pointer to a IGDdatas structure, and it happens to be on the heap.

- vino: https://git.gnome.org/browse/vino/tree/server/vino-upnp.c#n39
- transmission: https://trac.transmissionbt.com/browser/trunk/libtransmission/upnp.c#Lstatic45

For these packages, the structure is a static global variable

- maki-plugins
- libeiskaltdcpp2.2

For these it is on the stack:
- 0ad

Doesn't call UPNP_GetValidIGD at all:
- warzone2100
- megaglest

Bitcoin (not an ubuntu package, but the ppa used to rely on this package) is one of the few programs that has the structure on the stack. Apparently Cisco TALOS used that for their probing.
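
The overwrite this comment describes, as an added C example that is not from the page or from miniupnpc itself: a reduced stand-in for IGDdatas whose field and constant names follow miniupnpc's igd_desc_parse.h, with the pre-fix check (trusting the parser-supplied length) beside the clamped copy. The clamp is modelled on the changelog's description of the fix (a buffer overflow in the XML parser's element handling) and is an assumption, not the project's own code; whether the clobbered neighbour lives on the heap, the stack or in a static global depends only on where the caller placed the struct, exactly as the comment explains.

```c
#include <stddef.h>
#include <string.h>

/* Same limit as miniupnpc's igd_desc_parse.h; the struct below is a reduced
 * stand-in for the real IGDdatas, which holds many more fixed-size fields. */
#define MINIUPNPC_URL_MAXSIZE 1024

struct igd_datas_model {
    char cureltname[MINIUPNPC_URL_MAXSIZE]; /* current XML element name */
    char controlurl[MINIUPNPC_URL_MAXSIZE]; /* neighbour an overflow would clobber */
};

/* Pre-fix shape: the parser hands in the element name and its length and the
 * callback trusts that length. Reports (without copying) whether the copy
 * plus its terminating NUL would run past cureltname. */
int element_name_overflows(size_t name_len)
{
    return name_len + 1 > MINIUPNPC_URL_MAXSIZE;
}

/* Post-fix shape (assumed): clamp the length before copying so the name can
 * never spill into the rest of the caller-provided struct.
 * Returns the number of name bytes actually stored. */
size_t set_current_element(struct igd_datas_model *d, const char *name, size_t l)
{
    if (l >= MINIUPNPC_URL_MAXSIZE)
        l = MINIUPNPC_URL_MAXSIZE - 1;
    memcpy(d->cureltname, name, l);
    d->cureltname[l] = '\0';
    return l;
}

/* Drive the clamped copy with a constructed over-long element name (4096 'A's,
 * far beyond the 1024-byte field). Returns 1 when the neighbouring field
 * survived intact and the stored name is NUL-terminated at the limit. */
int demo_overlong_element(void)
{
    static char name[4096];
    struct igd_datas_model d;
    memset(name, 'A', sizeof name);
    memset(&d, 0, sizeof d);
    strcpy(d.controlurl, "/ctl/IPConn"); /* constructed sample value */
    set_current_element(&d, name, sizeof name);
    return strcmp(d.controlurl, "/ctl/IPConn") == 0
        && strlen(d.cureltname) == MINIUPNPC_URL_MAXSIZE - 1;
}
```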

Steve Beattie (sbeattie)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package miniupnpc - 1.6-3ubuntu1.2

---------------
miniupnpc (1.6-3ubuntu1.2) precise-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in XML parser (LP: #1506017)
    - igd_desc_parse.c: fix buffer overflow in
    - https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
    - CVE-2015-6031

 -- Steve Beattie <email address hidden> Thu, 15 Oct 2015 18:35:20 -0700

Changed in miniupnpc (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package miniupnpc - 1.9.20140610-2ubuntu1.1

---------------
miniupnpc (1.9.20140610-2ubuntu1.1) vivid-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in XML parser (LP: #1506017)
    - debian/patches/CVE-2015-6031.patch: fix buffer overflow in
      igd_desc_parse.c
    - CVE-2015-6031

 -- Steve Beattie <email address hidden> Thu, 15 Oct 2015 17:35:51 -0700

Changed in miniupnpc (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package miniupnpc - 1.6-3ubuntu2.14.04.2

---------------
miniupnpc (1.6-3ubuntu2.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow in XML parser (LP: #1506017)
    - igd_desc_parse.c: fix buffer overflow in
    - https://github.com/miniupnp/miniupnp/commit/79cca974a4c2ab1199786732a67ff6d898051b78
    - CVE-2015-6031

 -- Steve Beattie <email address hidden> Thu, 15 Oct 2015 17:41:05 -0700

Changed in miniupnpc (Ubuntu):
status: Confirmed → Fix Released
Wladimir J. van der Laan (laanwj) wrote :

Awesome!
