cbcvebase.
CVE-2012-5958
published 2013-01-31

Priority: P182 critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 82.81% (99.6th percentile)

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.

Affected

26 ranges · showing 25

Vendor | Product | Version range | Fixed in
libupnp_project | libupnp | <= 1.6.17 |

Detection & IOCs (extracted from sources)

port: 1900/UDP
ip: 239.255.255.250
command: M-SEARCH * HTTP/1.1 HOST: 239.255.255.250:1900 ST:uuid:schemas:device:<324*A>BBBB:urn: MX:2 MAN:"ssdp:discover"
path: upnp/src/ssdp/ssdp_server.c
  • Detect CVE-2012-5958 exploitation by monitoring UDP traffic to port 1900 (SSDP) containing M-SEARCH requests with an ST header beginning with 'uuid:schemas:device:' followed by an anomalously long string (>300 bytes).
  • The vulnerable code path is in the unique_service_name() function within ssdp/ssdp_server.c; a crash/stack buffer overflow in this function (e.g., via __strncpy_chk fortify failure) is a strong indicator of exploitation.
  • The exploit is delivered via a UDP packet (SOCK_DGRAM) to the SSDP multicast address 239.255.255.250 on port 1900; network monitoring should flag oversized SSDP ST header fields targeting this multicast group.
  • The Metasploit exploit module for this CVE uses a separate TCP listener to stage the real payload due to size limitations; monitor for unexpected outbound TCP connections from UPnP/SSDP-enabled devices following receipt of a crafted M-SEARCH packet.
  • Over 1,000 instances of vulnerable MediaTomb (which embeds an unpatched libupnp fork) are visible via Shodan; prioritize scanning and patching internet-exposed UPnP services.
  • The vulnerability affects libupnp (portable SDK for UPnP Devices) versions before 1.6.18; the exploit PoC on Exploit-DB was tested against version 1.6.6 specifically. Ensure version checks cover all releases < 1.6.18.
  • Red Hat Enterprise Linux is NOT affected; GUPnP is an independent implementation of UPnP and is not the same as libupnp, so detections targeting libupnp do not apply to GUPnP-based systems.
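
The ST-length check from the first detection note, as an added example (not code from the page's sources or from libupnp): it parses a UDP payload sent to port 1900 and flags M-SEARCH requests whose ST value starts with 'uuid:schemas:device:' and runs more than 300 bytes past it. Function names, verdict labels and the sample payloads are constructed for illustration; every ST header in the datagram is checked so a benign duplicate cannot mask an oversized one.

```python
# Added example; function names and verdict labels are hypothetical.
ST_PREFIX = b"uuid:schemas:device:"   # prefix named in the detection note
MAX_TAIL = 300                        # bytes allowed after the prefix (from the note)
SSDP_PORT = 1900

def st_values(payload: bytes):
    """Return (request_line, [ST header values]) from one SSDP datagram."""
    lines = payload.splitlines() or [b""]   # tolerates CRLF, bare LF, bare CR
    values = []
    for line in lines[1:]:
        if not line:                  # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().upper() == b"ST":
            values.append(value.strip())
    return lines[0], values

def classify(payload: bytes, dst_port: int = SSDP_PORT) -> str:
    """Return 'ignore', 'ok', 'suspicious' or 'alert' for a UDP payload."""
    if dst_port != SSDP_PORT:
        return "ignore"
    request_line, values = st_values(payload)
    if not request_line.upper().startswith(b"M-SEARCH"):
        return "ignore"
    verdict = "ok"
    for st in values:                 # check every ST, not just the last one
        if st.lower().startswith(ST_PREFIX) and len(st) - len(ST_PREFIX) > MAX_TAIL:
            return "alert"
        if len(st) > MAX_TAIL:
            verdict = "suspicious"    # oversized ST without the known prefix
    return verdict

def _msearch(*st: bytes) -> bytes:
    """Build a constructed M-SEARCH datagram for the samples below."""
    head = [b"M-SEARCH * HTTP/1.1", b"HOST: 239.255.255.250:1900",
            b'MAN: "ssdp:discover"', b"MX: 2"]
    return b"\r\n".join(head + [b"ST: " + v for v in st]) + b"\r\n\r\n"

# Constructed sample payloads (not captured traffic).
BENIGN = _msearch(b"ssdp:all")
OVERSIZED = _msearch(ST_PREFIX + b"x" * 320)
TWO_ST = _msearch(ST_PREFIX + b"x" * 320, b"ssdp:all")
LONG_OTHER = _msearch(b"urn:" + b"x" * 400)
NOTIFY = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"

if __name__ == "__main__":
    for name in ("BENIGN", "OVERSIZED", "TWO_ST", "LONG_OTHER", "NOTIFY"):
        print(name, classify(globals()[name]))
```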

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | | 10.0 | CRITICAL |
vendor_cisco | | 10.0 | CRITICAL |
vendor_redhat | | 10.0 | CRITICAL |