
Published on January 28th, 2016

MiniUPnP Vulnerability Clears Way for Stack Smashing Attack

The Internet of Things security challenge is twofold: finding bugs, and more urgent—fixing them.

Cisco’s Talos security intelligence and research group found and privately disclosed a serious and trivially exploitable client-side bug in MiniUPnP; upstream patched it in September 2015.

The open question is how many vendors have shipped that fix in their products, and how many administrators knew about the patch and deployed it on networks worldwide.

The vulnerability, CVE-2015-6031, is a stack-based buffer overflow in the library that applications use to discover a UPnP gateway on the local network and ask it to open ports through the firewall. A successful exploit gives an attacker remote code execution on the affected device or application, and quite likely a foothold for further access inside the local network.

“MiniUPnP is the second most used UPnP SDK behind Intel’s. It’s hard to judge raw numbers, but it has a very large market share,” said Craig Williams, security outreach manager for Cisco Talos. “There’s no way to tell how many have patched this, but we know a lot of [devices] are vulnerable and we’re fairly concerned about it. Hopefully people will realize this and patch their devices or contact their vendor for a patch.”

The library is compiled into popular peer-to-peer software such as Tor and Bitcoin mining applications. On the hardware side, home, small-office and large enterprise routers often ship with it.

Cisco Talos explains in a report published this morning that the vulnerability lies in MiniUPnP’s XML parser, in the IGDstartelt function that handles the start of each element in the gateway’s device description.

From Cisco’s report:

“The buffer overflow is triggered by a call to memcpy function with an unchecked length parameter “l”. Since datas->cureltname is a fixed size buffer inside the IGDdatas structure, supplying a large length will result in a buffer overflow on the stack. … A potential attacker has full control over the length and contents of the memcpy source argument that is being copied into a destination buffer of size MINIUPNPC_URL_MAXSIZE”

Cisco published technical details of the vulnerability and demonstrated an attack against the Bitcoin-qt Wallet, the default Bitcoin client. An attacker would need to set up a phony UPnP server on the local network that would serve up an XML file with “overly long element names,” Cisco said.
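As an added illustration (not MiniUPnP’s code and not Cisco’s proof of concept), the C below reproduces the pattern the report describes: a start-element callback that memcpy()s the element name into a fixed-size `cureltname` buffer inside an `IGDdatas` struct using the length the parser hands it, next to a bounded version that clamps that length. The struct layout, the 1024-byte `MINIUPNPC_URL_MAXSIZE`, and the sentinel harness that makes the overrun observable instead of fatal are assumptions made for this example; the element name is constructed inline.

```c
/* Added example: the unchecked-length copy described in the report,
 * beside a bounded version. Not MiniUPnP's code; names mirror the
 * report, the buffer size and the sentinel harness are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MINIUPNPC_URL_MAXSIZE 1024          /* assumed buffer size */

struct IGDdatas {
    char cureltname[MINIUPNPC_URL_MAXSIZE]; /* current element name */
    int  level;                             /* nesting depth */
};

/* Parser state followed by a sentinel: an overrun of cureltname shows up
 * as sentinel corruption instead of an unobservable crash. */
#define SENTINEL "INTACT-SENTINEL"
struct harness {
    struct IGDdatas datas;
    char sentinel[64];
};

/* 'Before': the element-name length l comes straight from the XML, i.e.
 * from whoever answers the UPnP discovery on the LAN. No bound applied. */
static void IGDstartelt_unchecked(struct IGDdatas *datas, const char *name, int l)
{
    memcpy(datas->cureltname, name, (size_t)l);
    datas->cureltname[l] = '\0';
    datas->level++;
}

/* 'After': clamp l so the copy and the terminator stay inside the buffer. */
static void IGDstartelt_bounded(struct IGDdatas *datas, const char *name, int l)
{
    if (l < 0)
        l = 0;
    if (l >= MINIUPNPC_URL_MAXSIZE)
        l = MINIUPNPC_URL_MAXSIZE - 1;
    memcpy(datas->cureltname, name, (size_t)l);
    datas->cureltname[l] = '\0';
    datas->level++;
}

/* Constructed input: an element name of l bytes of 'A'. Caller frees. */
static char *make_name(int l)
{
    char *name = malloc((size_t)l + 1);
    memset(name, 'A', (size_t)l);
    name[l] = '\0';
    return name;
}

/* Runs one callback against a fresh harness. Returns the length stored
 * in cureltname, or -1 if the sentinel past the struct was overwritten.
 * Keep l for the unchecked call below ~1080 so the overrun stays within
 * the harness allocation. */
static int run_callback(int bounded, int l)
{
    struct harness *h = calloc(1, sizeof *h);
    char *name = make_name(l);
    int result;

    memcpy(h->sentinel, SENTINEL, sizeof SENTINEL);
    if (bounded)
        IGDstartelt_bounded(&h->datas, name, l);
    else
        IGDstartelt_unchecked(&h->datas, name, l);

    if (memcmp(h->sentinel, SENTINEL, sizeof SENTINEL) != 0)
        result = -1;                        /* wrote past the struct */
    else
        result = (int)strlen(h->datas.cureltname);

    free(name);
    free(h);
    return result;
}

int main(void)
{
    /* A normal element name is fine either way. */
    printf("unchecked, l=7:    %d\n", run_callback(0, 7));      /* 7 */
    printf("bounded,   l=7:    %d\n", run_callback(1, 7));      /* 7 */
    /* An overlong name runs past the struct unchecked, is clamped bounded. */
    printf("unchecked, l=1040: %d\n", run_callback(0, 1040));   /* -1 */
    printf("bounded,   l=1040: %d\n", run_callback(1, 1040));   /* 1023 */
    return 0;
}
```

In the real library the struct is a local in the parsing code, so the bytes past `cureltname` are the rest of the stack frame, the cookie and the return address rather than a sentinel; the clamp is the whole fix, and everything else here is scaffolding to show the overrun safely.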


Cisco’s exploit bypasses a mitigation called Stack Smashing Protection (SSP), which guards the stack with a random value, the stack cookie or canary, placed between local buffers and the saved return address and checked before a function returns. GCC’s -fstack-protector has made the cookie a fixture of UNIX and Linux builds; Microsoft’s /GS compiler flag provides the equivalent on Windows. The Cisco attack bypasses the stack cookie on Linux systems.

“The cookie is supposed to prevent the exploitation of stack-based buffer overflows,” said Rich Johnson, Cisco Talos research manager. In a classic stack overflow the attacker writes past the end of a local buffer up to the saved return address and replaces it with the address of their own code. “SSP puts a cookie there and encrypts it so that an attacker can’t get it. They would have no idea what the next value is.”

Johnson said Cisco’s attack against Bitcoin-qt, and specifically against the stack protector’s failure path in Linux libc, takes advantage of the fact that SSP does not terminate the process the instant a corrupted cookie is detected; the handler it calls (__stack_chk_fail) first runs code to notify the user and log the crash. Other researchers have previously published SSP bypasses as well.

“We reference previous research on these bypasses. This is a new one specific to multithreaded apps,” Johnson said. “A lot of apps like OpenOffice, browsers, Bitcoin clients are multithreaded. Our research found a new approach that applies multithreaded bypasses to this generic mitigation.”
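To make concrete what the cookie does and does not protect against, here is an added example (not Cisco’s code and not glibc’s): a model of the frame layout that GCC’s -fstack-protector produces, [local buffer][canary][saved return address], with the epilogue check written out. The frame is a plain struct so the overflow is observable instead of fatal, the guard value and the legitimate return address are assumed, and, as glibc arranges on Linux, the guard’s first byte in memory is zero. Two payload styles are tried against it: a length-controlled memcpy like the one in MiniUPnP, and a string copy that stops at a NUL.

```c
/* Added example: a model of the stack-cookie (canary) frame layout and
 * its epilogue check. Not Cisco's or glibc's code; the guard value and
 * the return address are assumed for the demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reference guard as the process would keep it in thread-local storage.
 * First byte in memory is zero, as glibc arranges on Linux. */
static const unsigned char STACK_GUARD[8] = {
    0x00, 0x46, 0x2d, 0x7b, 0x1f, 0x9e, 0x3c, 0x5a
};
/* Assumed legitimate return address, 0x401000 stored little-endian. */
static const unsigned char LEGIT_RET[8] = {
    0x00, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Frame layout as emitted by -fstack-protector: buffer, canary, return. */
struct frame {
    char          buf[32];
    unsigned char canary[8];
    unsigned char saved_ret[8];
};

enum { RET_OK = 0, RET_REDIRECTED = 1, CANARY_SMASHED = 2 };

/* Prologue: copy the reference guard into the frame. */
static void prologue(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->canary, STACK_GUARD, 8);
    memcpy(f->saved_ret, LEGIT_RET, 8);
}

/* Epilogue: the comparison that decides whether __stack_chk_fail runs. */
static int epilogue(const struct frame *f)
{
    if (memcmp(f->canary, STACK_GUARD, 8) != 0)
        return CANARY_SMASHED;          /* glibc reports, then aborts */
    return memcmp(f->saved_ret, LEGIT_RET, 8) == 0 ? RET_OK : RET_REDIRECTED;
}

/* Little-endian serialisation of the attacker's 8-byte values. */
static void put_le64(unsigned char *dst, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        dst[i] = (unsigned char)(v >> (8 * i));
}

/* The reference guard as an integer, standing in for a canary the
 * attacker has leaked or otherwise come to know. */
static uint64_t guard_as_u64(void)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= (uint64_t)STACK_GUARD[i] << (8 * i);
    return v;
}

/* Payload: 32 filler bytes, the guess for the canary, the new return
 * address; 48 bytes, exactly one model frame. */
static void build_payload(unsigned char *p, uint64_t canary_guess, uint64_t new_ret)
{
    memset(p, 'A', 32);
    put_le64(p + 32, canary_guess);
    put_le64(p + 40, new_ret);
}

/* MiniUPnP-style overflow: the length is attacker-controlled, so zero
 * bytes are copied like any other. */
static int attack_memcpy(uint64_t canary_guess, uint64_t new_ret)
{
    struct frame f;
    unsigned char payload[sizeof f];
    prologue(&f);
    build_payload(payload, canary_guess, new_ret);
    memcpy(&f, payload, sizeof f);          /* whole frame overwritten */
    return epilogue(&f);
}

/* strcpy-style overflow: copying stops at the first NUL in the payload.
 * Emulated with a bounded loop so the demo cannot spill past the model. */
static int attack_strcpy(uint64_t canary_guess, uint64_t new_ret)
{
    struct frame f;
    unsigned char payload[sizeof f];
    unsigned char *dst = (unsigned char *)&f;
    prologue(&f);
    build_payload(payload, canary_guess, new_ret);
    for (size_t i = 0; i < sizeof f && payload[i] != '\0'; i++)
        dst[i] = payload[i];
    return epilogue(&f);
}

int main(void)
{
    const uint64_t bogus = 0x4141414141414141ULL, evil = 0x41414141ULL;
    printf("memcpy, wrong guess: %d\n", attack_memcpy(bogus, evil));           /* 2 */
    printf("memcpy, known guard: %d\n", attack_memcpy(guard_as_u64(), evil));  /* 1 */
    printf("strcpy, wrong guess: %d\n", attack_strcpy(bogus, evil));           /* 2 */
    printf("strcpy, known guard: %d\n", attack_strcpy(guard_as_u64(), evil));  /* 0 */
    return 0;
}
```

The last two cases are the point. A string copy cannot carry the guard’s zero byte across, so even with the right value it stops short of the return address, while a length-controlled memcpy carries that byte like any other: once the attacker knows, or can overwrite, the reference value the check passes and the return address is theirs. That is why the cookie’s secrecy, and the code that runs between detection and abort, are what a bypass targets.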


Cisco said it hopes its proof-of-concept exploit raises awareness of the MiniUPnP vulnerability and of the available fix, especially among those managing embedded devices such as routers, where there is often no way to update automatically or to learn that a serious vulnerability is present.

“Most people have no idea what their embedded devices are running,” Williams said. “It’s a matter of the vendors making sure patches are pushed to users. This is the big struggle with IoT.”
