CVE-2012-5959
published 2013-01-31

Priority: P183 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 75.80% (99.5th percentile)
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.

Affected

26 ranges · showing 25
Vendor | Product | Version range | Fixed in
portable_sdk_for_upnp_project | portable_sdk_for_upnp | <= 1.6.17 |

Detection & IOCs (extracted from sources)

port: 1900/udp
path: ssdp/ssdp_server.c
snort:
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:bad-unknown; sid:2016303; rev:5; metadata:created_at 2013_01_30, cve CVE_2012_5958, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2023_05_02; target:src_ip;)
  • Detect vulnerable 'Intel SDK for UPnP devices' banner in SSDP Server header responses on UDP/1900 — indicates unpatched libupnp instance
  • The exploit triggers via a crafted UDP packet to the SSDP listener; monitor for oversized UDN/uuid fields containing '::' (colon colon) in SSDP traffic on UDP/1900
  • Stack trace shows exploitation path through unique_service_name() → ssdp_request_type() → ssdp_handle_device_request(); monitor for crashes or anomalous thread activity in these functions
  • Shodan can be used to identify internet-exposed vulnerable UPnP instances; over 1,000 MediaTomb instances were found exposed
  • Only libupnp (portable SDK for UPnP Devices) versions before 1.6.18 are vulnerable; GUPnP is an independent implementation and is NOT affected
  • Cisco products were separately evaluated for exposure; Cisco bug IDs CSCue19318, CSCue20997, CSCue21009 track affected Cisco devices
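
The two network checks above (the Server banner from the Snort rule and an oversized UDN before '::'), as an added example that is not code from this page or from the libupnp project. The sample datagrams are constructed, and the 64-byte MAX_UDN_LEN threshold and the finding labels are assumptions.

```python
import re

# Same match as the Snort rule's pcre: a Server header naming the Intel SDK.
BANNER_RE = re.compile(rb"^Server:[^\r\n]*Intel SDK for UPnP devices", re.I | re.M)
# Assumption: "uuid:" plus a 36-character UUID is 41 bytes, so 64 leaves headroom.
MAX_UDN_LEN = 64
UDN_HEADERS = ("ST", "NT", "USN")  # SSDP headers that can carry "<UDN>::<type>"

def parse_headers(datagram: bytes) -> dict:
    """Return SSDP headers as {UPPERCASE-NAME: value}, skipping the start line."""
    headers = {}
    for line in datagram.decode("latin-1").splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def inspect(datagram: bytes) -> list:
    """Return finding labels for one UDP/1900 payload (empty list if clean)."""
    findings = []
    if BANNER_RE.search(datagram):
        findings.append("vulnerable-banner")
    headers = parse_headers(datagram)
    for name in UDN_HEADERS:
        value = headers.get(name, "")
        if "::" in value:
            udn = value.split("::", 1)[0]  # the part before the first '::'
            if len(udn) > MAX_UDN_LEN:
                findings.append(f"oversized-udn:{name}:{len(udn)}")
    return findings

# Constructed sample payloads, not captured traffic.
UUID = b"uuid:2fac1234-31f8-11b4-a222-08002b34c003"
SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: %s::upnp:rootdevice\r\n\r\n')
BENIGN = SEARCH % UUID
OVERSIZED = SEARCH % (b"uuid:" + b"A" * 300)
RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
            b"SERVER: Linux/2.6 UPnP/1.0 Intel SDK for UPnP devices/1.3.1\r\n"
            b"USN: " + UUID + b"::upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("oversized", OVERSIZED),
                       ("response", RESPONSE)):
        print(label, inspect(pkt))
```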

CVSS provenance

nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck | 10.0 | CRITICAL
vendor_redhat | 10.0 | CRITICAL