cbcvebase.
CVE-2013-0230
published 2013-01-31


Priority: P1 (score 80, critical)
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitation: exploited in the wild; public exploit available; listed in VulnCheck KEV
EPSS: 69.15% (99.3rd percentile)
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.

Affected (2 ranges)

Vendor             Product     Version range   Fixed in
debian             miniupnpd   (not listed)    (not listed)
miniupnp_project   miniupnpd   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

port: 5555 (HTTP/SOAP service)
port: 1900 (SSDP, UDP)
command: SOAPAction: n:schemas-upnp-org:service:WANIPConnection:1#<payload>"   (form ending in a closing double quote)
command: SOAPAction: n:schemas-upnp-org:service:WANIPConnection:1#<payload>
other: ROP gadget 0x0804ee43 (pop ebp; ret) from miniupnpd x86
other: MIPS libc_base 0x2aabd000 (AirTies RT Series)
command: M-SEARCH * HTTP/1.1 + 1260 random bytes (SSDP DoS payload)
bytes: \xeb\x2d (JMP +0x2d shellcode prefix)
  • Detect exploit attempts by inspecting HTTP SOAPAction headers for the pattern 'n:schemas-upnp-org:service:WANIPConnection:1#' followed by a long string (>2052 bytes) sent via POST to port 5555.
  • The x86 exploit payload must end with a literal double-quote character '"' (0x22); a SOAPAction header containing a very long value ending in '"' on port 5555 is a strong indicator of CVE-2013-0230 exploitation.
  • Bad characters for the exploit payload are \x00 and \x22; shellcode in the SOAPAction header will therefore never contain null bytes or double-quote bytes before the trailing terminator.
  • The x86 exploit uses a stack offset of 2123 bytes and overwrites EIP with a 'pop ebp; ret' gadget at 0x0804ee43; look for crashes or ROP chains in miniupnpd at that address.
  • The MIPS exploit pads 2052 'C' bytes before ROP chain gadgets; a SOAPAction value starting with 2052+ identical bytes is a strong exploit indicator on MIPS targets.
  • The DoS variant sends oversized UDP SSDP M-SEARCH packets (1260+ random bytes) to port 1900; monitor for UDP packets to port 1900 with payloads exceeding normal M-SEARCH sizes.
  • Vulnerable service identifies itself via SSDP/HTTP Server banner as '1.0 UPnP/1.0 miniupnpd/1.0'; use this banner to identify exposed targets.
  • The vulnerability is in the ExecuteSoapAction function's SOAPAction HTTP header handling; stack-based buffer overflow is triggered by a long quoted method string.
  • The x86 ROP gadget address (0x0804ee43) is specific to the Debian GNU/Linux 6.0 build of MiniUPnPd 1.0; it will differ on other distributions or compiler versions.
  • The MIPS libc base address (0x2aabd000) and all derived ROP gadget offsets are specific to the AirTies RT-204v3 firmware; they will not apply to other MIPS targets.
  • The exploit payload space is limited to 2060 bytes and must not contain \x00 or \x22 (double quote); shellcode must be encoded accordingly.
  • CVE-2013-0230 (stack BOF via a long quoted SOAPAction method) is a distinct vulnerability from CVE-2013-1462 (integer signedness error when the SOAPAction value lacks a double-quote character), though both affect the MiniUPnPd 1.0 ExecuteSoapAction function.
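The indicators above, turned into a small detector as an added example (this is not code from the page's sources or from the MiniUPnP project). The 2052-byte method length, the 0x0804ee43 gadget, the \xeb\x2d prefix, the \x00/\x22 bad-character rule, the port numbers and the miniupnpd/1.0 banner come from the indicators; the 512-byte SSDP size limit, the request path /ctl/IPConn, the MIPS gadget bytes and all sample traffic are constructed assumptions. The run-of-identical-bytes check is applied to any long payload, not only MIPS ones, since x86 padding trips it as well.

```python
# Added example, not the page's or the project's code. Thresholds marked
# "indicator" come from the IOC list above; everything marked "assumption" is ours.
import re

WANIP_MARK = b"n:schemas-upnp-org:service:WANIPConnection:1#"  # indicator (suffix of the urn: form)
LONG_METHOD = 2052            # indicator: method strings longer than this
PAD_RUN = 2052                # indicator: leading run of identical padding bytes
BAD_CHARS = {0x00, 0x22}      # indicator: bytes the published payloads must avoid
X86_GADGET = (0x0804ee43).to_bytes(4, "little")   # indicator: pop ebp; ret (Debian 6.0 build)
JMP_PREFIX = b"\xeb\x2d"      # indicator: JMP +0x2d shellcode prefix
UPNP_HTTP_PORTS = {5555}      # assumption: ports where the vulnerable HTTP service listens
SSDP_MAX = 512                # assumption: benign M-SEARCH datagrams are far smaller than this


def parse_http_request(raw):
    """Split a raw request into (method, target, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _ = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def soapaction_payload(value):
    """Bytes after 'WANIPConnection:1#' in a SOAPAction value, or None for other services."""
    value = value[1:] if value.startswith(b'"') else value   # tolerate an opening quote
    idx = value.find(WANIP_MARK)
    return None if idx < 0 else value[idx + len(WANIP_MARK):]


def classify_soapaction(raw_request, dst_port):
    """Return the indicator names a single HTTP request triggers (empty list if benign)."""
    method, _, headers, _ = parse_http_request(raw_request)
    if method != b"POST" or b"soapaction" not in headers:
        return []
    payload = soapaction_payload(headers[b"soapaction"])
    if payload is None:
        return []
    quoted = payload.endswith(b'"')
    core = payload[:-1] if quoted else payload       # drop the closing quote (0x22) itself
    if len(core) <= LONG_METHOD:
        return []                                    # short method names are never interesting
    hits = ["long_method"]
    if quoted and dst_port in UPNP_HTTP_PORTS:
        hits.append("x86_trailing_quote")            # long value ending in '"' on the UPnP port
    if len(set(core[:PAD_RUN])) == 1:
        hits.append("identical_padding")             # 2052+ identical leading bytes
    if not BAD_CHARS & set(core):
        hits.append("badchar_free")                  # consistent with the exploit's encoding constraints
    if X86_GADGET in core:
        hits.append("x86_debian_gadget")
    if JMP_PREFIX in core:
        hits.append("jmp_shellcode_prefix")
    return hits


def classify_ssdp(datagram, dst_port):
    """Flag oversized M-SEARCH datagrams aimed at the SSDP port (the DoS variant)."""
    if dst_port != 1900 or not datagram.startswith(b"M-SEARCH * HTTP/1.1"):
        return []
    return ["oversized_msearch"] if len(datagram) > SSDP_MAX else []


def is_vulnerable_banner(server_header):
    """True for a Server/SSDP banner advertising miniupnpd/1.0 exactly (not 1.0x variants)."""
    return re.search(rb"miniupnpd/1\.0(?![\d.])", server_header, re.I) is not None


def scan(events):
    """events: iterable of (proto, dst_port, data). Returns {event index: hits} for flagged events."""
    report = {}
    for i, (proto, port, data) in enumerate(events):
        hits = classify_soapaction(data, port) if proto == "tcp" else classify_ssdp(data, port)
        if hits:
            report[i] = hits
    return report


# Constructed sample traffic (not captures). /ctl/IPConn and the MIPS gadget bytes are assumptions.
BENIGN_REQ = (b"POST /ctl/IPConn HTTP/1.1\r\nHost: 192.0.2.1:5555\r\n"
              b'SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"\r\n'
              b"Content-Length: 0\r\n\r\n")
X86_REQ = (b"POST /ctl/IPConn HTTP/1.1\r\nHost: 192.0.2.1:5555\r\nSOAPAction: "
           + WANIP_MARK + b"A" * 2123 + X86_GADGET + JMP_PREFIX + b"\x90" * 16 + b'"'
           + b"\r\nContent-Length: 0\r\n\r\n")
MIPS_REQ = (b"POST /ctl/IPConn HTTP/1.1\r\nHost: 192.0.2.2:5555\r\nSOAPAction: "
            + WANIP_MARK + b"C" * 2052 + b"\x2a\xac\x12\x34" * 4
            + b"\r\nContent-Length: 0\r\n\r\n")
SSDP_OK = (b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nMAN:\"ssdp:discover\"\r\n"
           b"MX:2\r\nST:ssdp:all\r\n\r\n")
SSDP_DOS = b"M-SEARCH * HTTP/1.1\r\n" + bytes((i * 37) % 256 for i in range(1260))  # 1260 filler bytes

if __name__ == "__main__":
    events = [("tcp", 5555, BENIGN_REQ), ("tcp", 5555, X86_REQ), ("tcp", 5555, MIPS_REQ),
              ("udp", 1900, SSDP_OK), ("udp", 1900, SSDP_DOS)]
    for idx, hits in scan(events).items():
        print(idx, hits)
```

Feed `scan()` with (proto, dst_port, payload) tuples reassembled from a capture; the x86 sample trips every SOAPAction indicator, the MIPS sample trips the length, padding and bad-character checks only, and the benign GetExternalIPAddress call and the normal M-SEARCH produce nothing.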

CVSS provenance

Source          CVSS version   Score   Severity   Vector
nvd             2.0            10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck                      10.0    CRITICAL
vendor_debian                  10.0    LOW