cbcvebase.
CVE-2013-0229
published 2013-01-31

CVE-2013-0229: The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service…

PriorityP269high7.8CVSS 2.0
AVNACLAuNCNINAC
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
76.40%
99.5th percentile
The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service (service crash) via a crafted request that triggers a buffer over-read.

Affected

5 ranges
VendorProductVersion rangeFixed in
debianminiupnpd
miniupnp_projectminiupnpd<= 1.3
miniupnp_projectminiupnpd
miniupnp_projectminiupnpd
miniupnp_projectminiupnpd

Detection & IOCsextracted from sources · hover to see the quote

port1900/udp
commandM-SEARCH * HTTP/1.1 Host:239.255.255.250:1900 ST:uuid:schemas:device:MX:3
commandM-SEARCH * HTTP/1.1\r\n<1260 random chars>
pathminissdp.c
snort
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response - CVE-2012-5958 and CVE-2012-5959 Vulnerable UPnP device M1"; content:"miniupnpd/1."; fast_pattern; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:bad-unknown; sid:2016302; rev:7; metadata:created_at 2013_01_30, cve CVE_2013_0229, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2023_05_02; target:src_ip;)
  • Detect vulnerable MiniUPnPd versions (1.0–1.3) by matching the Server header in UDP/1900 SSDP responses using the regex pattern /^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi
  • Exploit traffic arrives as a crafted UDP packet to port 1900 beginning with 'M-SEARCH * HTTP/1.1' followed by an oversized payload (1260+ random bytes) designed to trigger a buffer over-read in ProcessSSDPRequest
  • The crafted M-SEARCH request uses a malformed ST header (ST:uuid:schemas:device:MX:3) to trigger the vulnerability; monitor for anomalous ST field values in SSDP M-SEARCH requests on UDP/1900
  • Source port 31337 is used in the exploit's raw UDP packet construction and can serve as an additional detection signal alongside destination port 1900
  • ·The Snort/ET rule (sid:2016302) fires on SSDP *responses* from internal hosts (HOME_NET:1900 -> any), not on inbound exploit requests; it identifies vulnerable devices rather than active exploitation attempts
  • ·The Metasploit module targets MiniUPnPd 1.0 specifically via crafted UDP, while the CVE covers all versions before 1.4; detection should account for the full vulnerable version range (1.0–1.3)

CVSS provenance

nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:N/I:N/A:C
vulncheck7.8HIGH
vendor_debian7.8LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.