CVE-2012-5959
published 2013-01-31CVE-2012-5959: Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp…
PriorityP183critical10CVSS 2.0
AVNACLAuNCCICAC
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
75.80%
99.5th percentile
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | <= 1.6.17 | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
| portable_sdk_for_upnp_project | portable_sdk_for_upnp | — | — |
Detection & IOCsextracted from sources · hover to see the quote
port1900/udp
snort
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:bad-unknown; sid:2016303; rev:5; metadata:created_at 2013_01_30, cve CVE_2012_5958, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2023_05_02; target:src_ip;)
- →Detect vulnerable 'Intel SDK for UPnP devices' banner in SSDP Server header responses on UDP/1900 — indicates unpatched libupnp instance
- →The exploit triggers via a crafted UDP packet to the SSDP listener; monitor for oversized UDN/uuid fields containing '::' (colon colon) in SSDP traffic on UDP/1900 ↗
- →Stack trace shows exploitation path through unique_service_name() → ssdp_request_type() → ssdp_handle_device_request(); monitor for crashes or anomalous thread activity in these functions ↗
- →Shodan can be used to identify internet-exposed vulnerable UPnP instances; over 1,000 MediaTomb instances were found exposed ↗
- ·Only libupnp (portable SDK for UPnP Devices) versions before 1.6.18 are vulnerable; GUPnP is an independent implementation and is NOT affected ↗
- ·Cisco products were separately evaluated for exposure; Cisco bug IDs CSCue19318, CSCue20997, CSCue21009 track affected Cisco devices ↗
CVSS provenance
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck10.0CRITICAL
vendor_redhat10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9qqc-r4wr-ffcc: Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server
ghsa_unreviewed·2022-05-17
CVE-2012-5959 [HIGH] CWE-119 GHSA-9qqc-r4wr-ffcc: Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.
VulnCheck
portable_sdk_for_upnp_project portable_sdk_for_upnp Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck·2012·CVSS 10.0
CVE-2012-5959 [CRITICAL] portable_sdk_for_upnp_project portable_sdk_for_upnp Improper Restriction of Operations within the Bounds of a Memory Buffer
portable_sdk_for_upnp_project portable_sdk_for_upnp Improper Restriction of Operations within the Bounds of a Memory Buffer
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.
Affected: portable_sdk_for_upnp_project portable_sdk_for_upnp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trendmicro.com/en_us/research/18/g/vpnfilter-affected-devi
Red Hat
libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
vendor_redhat·2013-01-29·CVSS 10.0
CVE-2012-5959 [CRITICAL] CWE-121 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.
Statement: Not vulnerable. This issue did not affect GUPnP, which is an independent implementation of the UPnP standard, entirely different from libupnp. libupnp, while affected, is not provided by any version of Red Hat Enterprise Linux.
Cisco
Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
vendor_cisco
CVE-2012-5959 Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
CVE-2012-5959: Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
The Portable Software Developer Kit (SDK) for Universal Plug-n-Play (UPnP) Devices contains a libupnp library, originally known as the Intel SDK for UPnP Devices, which is vulnerable to multiple stack-based buffer overflows when handling malicious Simple Service Discovery Protocol (SSDP) requests. This library is used in several vendor network devices, in addition to media streaming and file sharing applications. These vulnerabilities were disclosed on January 29th, 2013 in a CERT Vulnerability Note, VU#922681, which can be viewed at http://www.kb.cert.org/vuls/id/922681 . Cisco is currently evaluating products for possible exposure to these vulnerabilities. This advisory is available at the following lin
Suricata
ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2
suricata·2013-01-30·CVSS 10.0
CVE-2012-5958 [CRITICAL] ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2
ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2
Rule: alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:bad-unknown; sid:2016303; rev:5; metadata:created_at 2013_01_30, cve CVE_2012_5958, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2023_05_02; target:src_ip;)
Suricata
ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M3
suricata·2013-01-30·CVSS 10.0
CVE-2012-5958 [CRITICAL] ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M3
ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M3
Rule: alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:bad-unknown; sid:2016304; rev:3; metadata:created_at 2013_01_30, cve CVE_2012_5958, deployment Perimeter, confidence High, signature_sev
Suricata
ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M1
suricata·2013-01-30·CVSS 10.0
CVE-2013-0229 [CRITICAL] ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M1
ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M1
Rule: alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:bad-unknown; sid:2016302; rev:7; metadata:created_at 2013_01_30, cve CVE_2013_0229, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2023_05_02; target:src_ip;)
Exploit-DB
Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit)
exploitdb·2013-02-05
CVE-2012-5965 Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit)
Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Portable UPnP SDK unique_service_name() Remote Code Execution',
'Description' => %q{
This module exploits a buffer overflow in the unique_service_name()
function of libupnp's SSDP processor. The libupnp library is used across
thousands of devices and is referred to as the Intel SDK for UPnP
Devices or the Portable SDK for UPnP Devices.
Due to size limitations on many devices, this exploit uses a separate TCP
listener to stage the real
Metasploit
UPnP SSDP M-SEARCH Information Discovery
metasploit
UPnP SSDP M-SEARCH Information Discovery
UPnP SSDP M-SEARCH Information Discovery
Discover information from UPnP-enabled systems
Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs
blogs_trendmicro·2018-07-13
VPNFilter-affected Devices Still Riddled with 19 Bugs
IoT
## VPNFilter-affected Devices Still Riddled with 19 Bugs
This blog tackles the VPNFilter malware and if deployed devices are vulnerable to it. Based on our data, plenty of the devices are still using old firmware versions. In fact, 19 known vulnerabilities can still be detected in devices up to this day.
By: Tony Yang, Peter Lee Jul 13, 2018 Read time: ( words)
Save to Folio
Our IoT scanning tool allows users to identify if connected devices (e.g. routers, network attached storage devices, IP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those related to Mirai, Reaper, and WannaCry.
We gather our data from the Trend Micro™ Home Network Security solution and HouseCall™ for Home Networks scanner. HouseCall for Home Networks
Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs
blogs_trendmicro·2018-07-13
VPNFilter-affected Devices Still Riddled with 19 Bugs
IoT
# VPNFilter-affected Devices Still Riddled with 19 Bugs
This blog tackles the VPNFilter malware and if deployed devices are vulnerable to it. Based on our data, plenty of the devices are still using old firmware versions. In fact, 19 known vulnerabilities can still be detected in devices up to this day.
By: Tony Yang, Peter Lee
2018/07/13
Read time: ( words)
Save to Folio
Our IoT scanning tool allows users to identify if connected devices (e.g. routers, network attached storage devices, IP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those related to Mirai, Reaper, and WannaCry.
We gather our data from the Trend Micro™ Home Network Security solution and HouseCall™ for Home Networks scanner. HouseCall for Home Networks is
Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs
blogs_trendmicro·2018-07-13
VPNFilter-affected Devices Still Riddled with 19 Bugs
IoT
## VPNFilter-affected Devices Still Riddled with 19 Bugs
This blog tackles the VPNFilter malware and if deployed devices are vulnerable to it. Based on our data, plenty of the devices are still using old firmware versions. In fact, 19 known vulnerabilities can still be detected in devices up to this day.
By: Tony Yang, Peter Lee 2018/07/13 Read time: ( words)
Save to Folio
Our IoT scanning tool allows users to identify if connected devices (e.g. routers, network attached storage devices, IP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those related to Mirai, Reaper, and WannaCry.
We gather our data from the Trend Micro™ Home Network Security solution and HouseCall™ for Home Networks scanner. HouseCall for Home Networks is
Tenable
[R1] Debian MediaTomb (fork) Multiple Remote Vulnerabilities
blogs_tenable·2017-03-13
[R1] Debian MediaTomb (fork) Multiple Remote Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Bugzilla
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing sp
bugzilla·2013-01-30·CVSS 10.0
CVE-2012-5958 [CRITICAL] CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing sp
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as w
Bugzilla
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing sp
bugzilla·2013-01-30·CVSS 10.0
CVE-2012-5958 [CRITICAL] CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing sp
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681) [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as
Bugzilla
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 ibupnp: Multiple stack-based buffer overflows in unique_service_name() by processing spe
bugzilla·2013-01-29·CVSS 10.0
CVE-2012-5958 [CRITICAL] CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 ibupnp: Multiple stack-based buffer overflows in unique_service_name() by processing spe
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 ibupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681) [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as
Bugzilla
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 ibupnp: Multiple stack-based buffer overflows in unique_service_name() by processing spe
bugzilla·2013-01-29·CVSS 10.0
CVE-2012-5958 [CRITICAL] CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 ibupnp: Multiple stack-based buffer overflows in unique_service_name() by processing spe
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 ibupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as we
Bugzilla
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing sp
bugzilla·2012-12-05·CVSS 10.0
CVE-2012-5958 [CRITICAL] CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing sp
CVE-2012-5958 CVE-2012-5959 CVE-2012-5960 CVE-2012-5961 CVE-2012-5962 CVE-2012-5963 CVE-2012-5964 CVE-2012-5965 libupnp: Multiple stack-based buffer overflows in unique_service_name() by processing specially-crafted SSDP request (VU#922681)
Multiple stack-based buffer overflow flaws were found in the way SSDP server component of libupnp, the Universal Plug and Play (UPnP) software development kit (SDK), performed assigment of various fields (like DeviceType, DeviceUDN or Service Type) to the SSDP event structure based on service name string. A remote attacker could provide a specially-crafted SSDP request that, when processed in an application linked against libupnp would lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running the a
http://lists.opensuse.org/opensuse-updates/2013-02/msg00013.htmlhttp://pupnp.sourceforge.net/ChangeLoghttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnphttp://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdfhttp://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdfhttp://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdfhttp://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdfhttp://www.debian.org/security/2013/dsa-2614http://www.debian.org/security/2013/dsa-2615http://www.kb.cert.org/vuls/id/922681http://www.mandriva.com/security/advisories?name=MDVSA-2013:098http://www.securityfocus.com/bid/57602https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-playhttps://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdfhttps://community.rapid7.com/servlet/servlet.FileDownload?file=00P1400000cCaFbhttps://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037https://www.tenable.com/security/research/tra-2017-10http://lists.opensuse.org/opensuse-updates/2013-02/msg00013.htmlhttp://pupnp.sourceforge.net/ChangeLoghttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnphttp://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdfhttp://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdfhttp://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdfhttp://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdfhttp://www.debian.org/security/2013/dsa-2614http://www.debian.org/security/2013/dsa-2615http://www.kb.cert.org/vuls/id/922681http://www.mandriva.com/security/advisories?name=MDVSA-2013:098http://www.securityfocus.com/bid/57602https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-playhttps://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdfhttps://community.rapid7.com/servlet/servlet.FileDownload?file=00P1400000cCaFbhttps://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037https://www.tenable.com/security/research/tra-2017-10
2013-01-31
Published
Exploited in the wild