CVE-2013-0230
Published: 2013-01-31
Priority: P1 (critical)
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploited in the wild (VulnCheck KEV)
EPSS: 69.15% (99.3th percentile)
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | miniupnpd | — | — |
| miniupnp_project | miniupnpd | — | — |
Detection & IOCs (extracted from sources)
Byte pattern: \xeb\x2d (x86 `jmp short +0x2d`, the shellcode prefix used by the public x86 exploit)
Indicators:
- Exploit attempts appear as an HTTP POST whose SOAPAction header carries 'urn:schemas-upnp-org:service:WANIPConnection:1#' followed by a long string (>2052 bytes). The public PoCs send this to TCP port 5555, which is the HTTP port of the build they were written against; miniupnpd's HTTP port is configurable (http_port in miniupnpd.conf) and is advertised in the LOCATION header of its SSDP replies, so match on the header contents rather than on the port alone.
- The x86 exploit payload must end with a literal double quote '"' (0x22); a very long SOAPAction value ending in '"' is a strong indicator of CVE-2013-0230 exploitation.
- Bad characters for the exploit payload are \x00 and \x22, so shellcode carried in the SOAPAction header will contain no null or double-quote bytes before the trailing terminator.
- The x86 exploit uses a stack offset of 2123 bytes and overwrites EIP with a 'pop ebp; ret' gadget at 0x0804ee43; look for miniupnpd crashes or ROP chains referencing that address.
- The MIPS exploit pads 2052 'C' bytes before its ROP chain gadgets; a SOAPAction value opening with 2052+ identical bytes is a strong exploit indicator on MIPS targets.
- The DoS PoC sends oversized UDP SSDP M-SEARCH packets (1260+ random bytes) to port 1900; alert on UDP/1900 payloads well above normal M-SEARCH size (a standard M-SEARCH is on the order of 100 bytes). Note that this PoC exercises the SSDP listener rather than the SOAP handler, and its header cites CVE-2013-0229 alongside CVE-2013-0230.
- The vulnerable service identifies itself in its SSDP/HTTP Server banner as '1.0 UPnP/1.0 miniupnpd/1.0'; use that banner to find exposed targets.
- The bug is in ExecuteSoapAction's handling of the SOAPAction HTTP header: a long quoted method string overflows a fixed-size stack buffer.
Caveats:
- The x86 ROP gadget address (0x0804ee43) is specific to the Debian GNU/Linux 6.0 build of MiniUPnPd 1.0 and will differ on other distributions or compiler versions.
- The MIPS libc base address (0x2aabd000) and every ROP gadget offset derived from it are specific to the AirTies RT-204v3 firmware and do not transfer to other MIPS targets.
- Exploit payload space is limited to 2060 bytes and must contain neither \x00 nor \x22 (double quote); shellcode has to be encoded accordingly.
- CVE-2013-0230 (stack overflow via a long quoted SOAPAction method) is distinct from CVE-2013-1462 (integer signedness error when the SOAPAction value lacks a double quote) and from CVE-2013-1461 (NULL pointer dereference when it lacks a '#'); all three are in the ExecuteSoapAction function of MiniUPnPd 1.0.
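The three malformed SOAPAction shapes that the indicators and caveats above distinguish, as an added C example (this is not MiniUPnPd's source and not the Metasploit module): a model of the unbounded parse the advisories describe, a classifier that maps a raw header value to the CVE-2013-0230, CVE-2013-1461 and CVE-2013-1462 shapes, and a bounded extractor that rejects all three. METHOD_MAX, the sample URN and the 'A'-filled method names are assumptions constructed for the example.

```c
/* Added example, not MiniUPnPd's code. Models the SOAPAction parse the
 * advisories describe and a hardened replacement. Samples are constructed. */
#include <stdio.h>
#include <string.h>

#define METHOD_MAX 2048   /* assumed size of the fixed stack buffer */

/* Well-formed shape: "urn:...:WANIPConnection:1#AddPortMapping" (quoted URN,
 * '#', method name, closing quote). Three constructed variants follow. */
#define SAMPLE_PREFIX   "\"urn:schemas-upnp-org:service:WANIPConnection:1#"
#define SAMPLE_NO_HASH  "\"urn:schemas-upnp-org:service:WANIPConnection:1\""
#define SAMPLE_NO_QUOTE SAMPLE_PREFIX "GetExternalIPAddress"

enum soap_shape {
    SOAP_OK = 0,
    SOAP_NO_HASH,     /* no '#': NULL from strchr used unchecked (CVE-2013-1461 shape) */
    SOAP_NO_QUOTE,    /* no closing '"': length taken from the rest of the header (CVE-2013-1462 shape) */
    SOAP_LONG_METHOD  /* quoted method does not fit the stack buffer (CVE-2013-0230 shape) */
};

/* Model of the vulnerable pattern (bug class only, not the project's source);
 * never call it with untrusted input. The method length is the distance from
 * '#' to '"' and is copied into a fixed buffer without any bound check. */
void unsafe_extract_model(const char *value, int n)
{
    char method_name[METHOD_MAX];
    char *p = strchr(value, '#');            /* NULL when '#' is absent */
    char *p2;
    int method_len;
    p++;
    p2 = strchr(p, '"');
    method_len = p2 ? (int)(p2 - p) : n - (int)(p - value);   /* unbounded either way */
    memcpy(method_name, p, (size_t)method_len);   /* stack overflow once method_len >= METHOD_MAX */
    method_name[method_len] = '\0';
    (void)method_name;
}

/* Classify a header value; len is the byte count, NUL termination not assumed. */
enum soap_shape classify_soapaction(const char *value, size_t len)
{
    const char *hash = memchr(value, '#', len);
    if (!hash)
        return SOAP_NO_HASH;
    const char *method = hash + 1;
    const char *quote = memchr(method, '"', len - (size_t)(method - value));
    if (!quote)
        return SOAP_NO_QUOTE;
    if ((size_t)(quote - method) >= METHOD_MAX)   /* leave room for the NUL */
        return SOAP_LONG_METHOD;
    return SOAP_OK;
}

/* Bounded extractor: copies the method name into out only for SOAP_OK input
 * that also fits out. Returns the method length, or -1. */
int extract_method(const char *value, size_t len, char *out, size_t outsz)
{
    if (classify_soapaction(value, len) != SOAP_OK)
        return -1;
    const char *method = (const char *)memchr(value, '#', len) + 1;
    const char *quote = memchr(method, '"', len - (size_t)(method - value));
    size_t mlen = (size_t)(quote - method);
    if (mlen >= outsz)
        return -1;
    memcpy(out, method, mlen);
    out[mlen] = '\0';
    return (int)mlen;
}

/* Build a constructed header whose method is method_len 'A's; returns its length or 0. */
size_t build_sample(char *dst, size_t dstsz, size_t method_len)
{
    size_t plen = strlen(SAMPLE_PREFIX);
    if (plen + method_len + 2 > dstsz)
        return 0;
    memcpy(dst, SAMPLE_PREFIX, plen);
    memset(dst + plen, 'A', method_len);
    dst[plen + method_len] = '"';
    dst[plen + method_len + 1] = '\0';
    return plen + method_len + 1;
}

/* Wrappers over constructed samples: shape as int (or -1), extracted length (or -1). */
int classify_constructed(size_t method_len)
{
    char buf[METHOD_MAX + 256];
    size_t n = build_sample(buf, sizeof buf, method_len);
    return n ? (int)classify_soapaction(buf, n) : -1;
}

int extract_constructed(size_t method_len)
{
    char buf[METHOD_MAX + 256], out[METHOD_MAX];
    size_t n = build_sample(buf, sizeof buf, method_len);
    return n ? extract_method(buf, n, out, sizeof out) : -1;
}

int main(void)
{
    static const char *const names[] = { "OK", "NO_HASH", "NO_QUOTE", "LONG_METHOD" };
    const char *ok = SAMPLE_PREFIX "AddPortMapping\"";
    char out[METHOD_MAX];
    int shape = classify_constructed(2052);   /* the MIPS PoC's padding length */

    printf("%-12s %s\n", names[classify_soapaction(ok, strlen(ok))], ok);
    printf("%-12s %s\n", names[classify_soapaction(SAMPLE_NO_HASH, strlen(SAMPLE_NO_HASH))], SAMPLE_NO_HASH);
    printf("%-12s %s\n", names[classify_soapaction(SAMPLE_NO_QUOTE, strlen(SAMPLE_NO_QUOTE))], SAMPLE_NO_QUOTE);
    if (shape >= 0)
        printf("%-12s constructed header with a 2052-byte method\n", names[shape]);
    printf("extract_method -> %d, method=%s\n", extract_method(ok, strlen(ok), out, sizeof out), out);
    unsafe_extract_model(ok, (int)strlen(ok));   /* model run only on this short, well-formed input */
    return 0;
}
```

The classifier is what a WAF or IDS rule would encode: reject the header when '#' is missing, when no closing quote follows it, or when the quoted method is at least METHOD_MAX bytes, which is exactly the 2048+ byte method the public exploits send. The bounded extractor shows the fix shape: compute the length first, compare it against the destination, and only then copy.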
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | LOW | — |
GHSA
GHSA-rhgq-m6r3-xf46 (ghsa_unreviewed · 2022-05-17 · CVSS 10.0): CVE-2013-1462 [CRITICAL]
Integer signedness error in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (incorrect memory copy) via a SOAPAction header that lacks a " (double quote) character, a different vulnerability than CVE-2013-0230.
GHSA
GHSA-fp8r-qhv9-2hqm (ghsa_unreviewed · 2022-05-17 · CVSS 10.0): CVE-2013-1461 [CRITICAL]
The ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (NULL pointer dereference and service crash) via a SOAPAction header that lacks a # (pound sign) character, a different vulnerability than CVE-2013-0230.
GHSA
GHSA-v9m6-5wqp-m9mc (ghsa_unreviewed · 2022-05-05): CVE-2013-0230 [HIGH], CWE-119
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.
VulnCheck
miniupnp_project miniupnpd: Improper Restriction of Operations within the Bounds of a Memory Buffer (vulncheck · 2013 · CVSS 10.0): CVE-2013-0230 [CRITICAL]
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.
Affected: miniupnp_project miniupnpd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.trendmicro.com/en_us/research/18/g/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities.html
- https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
Debian
CVE-2013-0230: miniupnpd (vendor_debian · 2013 · CVSS 10.0) [CRITICAL]
Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.
Scope: local
Status: bookworm resolved · bullseye resolved · forky resolved · sid resolved · trixie resolved
Debian
CVE-2013-1462: miniupnpd (vendor_debian · 2013 · CVSS 10.0) [CRITICAL]
Integer signedness error in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (incorrect memory copy) via a SOAPAction header that lacks a " (double quote) character, a different vulnerability than CVE-2013-0230.
Scope: local
Status: bookworm resolved · bullseye resolved · forky resolved · sid resolved · trixie resolved
Debian
CVE-2013-1461: miniupnpd (vendor_debian · 2013 · CVSS 10.0) [CRITICAL]
The ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (NULL pointer dereference and service crash) via a SOAPAction header that lacks a # (pound sign) character, a different vulnerability than CVE-2013-0230.
Scope: local
Status: bookworm resolved · bullseye resolved · forky resolved · sid resolved · trixie resolved
No detection rules found.
Exploit-DB
INFOMARK IMW-C920W MiniUPnPd 1.0 - Denial of Service (exploitdb · 2015-07-07 · CVSS 7.8): CVE-2013-0230 [HIGH]
---
```perl
#!/usr/bin/perl
#
# miniupnpd/1.0 remote denial of service exploit
#
# Copyright 2015 (c) Todor Donev
# [email protected]
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol can discover Plug & Play devices,
# with uPnP (Universal Plug and Play). SSDP is HTTP
# like protocol and work with NOTIFY and M-SEARCH
# methods.
#
# See also:
# CVE-2013-0229
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229
# CVE-2013-0230
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
#
# Tested on
# Device Name : IMW-C920W
# Device Manufacturer : INFOMARK (http://infomark.co.kr)
#
# These devices are commonly used by Max Telecom, Bulgaria
#
# Disclaimer:
# This or previous progra
```
Exploit-DB
MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series (exploitdb · 2015-04-27 · CVSS 10.0): CVE-2013-0230 [CRITICAL]
---
```python
#!/usr/bin/env python
# Exploit Title: MiniUPnPd 1.0 Stack Overflow RCE for AirTies RT Series
# Date: 26.04.2015
# Exploit Author: Onur ALANBEL (BGA)
# Vendor Homepage: http://miniupnp.free.fr/
# Version: 1.0
# Architecture: MIPS
# Tested on: AirTies RT-204v3
# CVE : 2013-0230
# Exploit gives a reverse shell to lhost:lport
# Details: https://www.exploit-db.com/docs/english/36806-developing-mips-exploits-to-hack-routers.pdf
import urllib2
from string import join
from argparse import ArgumentParser
from struct import pack
from socket import inet_aton

BYTES = 4

def hex2str(value, size=BYTES):
    # Serialize an integer as `size` bytes: built little-endian, then reversed
    # so the result is big-endian, matching the target's MIPS byte order.
    data = ""
    for i in range(0, size):
        data += chr((value >> (8*i)) & 0xFF)
    data = data[::-1]
    return data
```
Exploit-DB
MiniUPnPd 1.0 - Remote Stack Buffer Overflow Remote Code Execution (Metasploit) (exploitdb · 2013-06-05): CVE-2013-0230
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution',
      'Description'    => %q{
          This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability
          present in the SOAPAction HTTP header handling.
      },
      'Author'         =>
        [
          'hdm',         # Vulnerability discovery
          'Dejan Lukan'  # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'EXITFUNC' => 'process', },
      # the byte '\x22' is the '"' character and the miniupnpd scans for
```
Metasploit
UPnP SSDP M-SEARCH Information Discovery (metasploit)
Discover information from UPnP-enabled systems
Metasploit
MiniUPnPd 1.0 Stack Buffer Overflow Remote Code Execution (metasploit)
This module exploits the MiniUPnP 1.0 SOAP stack buffer overflow vulnerability present in the SOAPAction HTTP header handling.
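Finding exposed instances from the SSDP side, as an added C example that is not the Metasploit module's code: it builds a standard M-SEARCH so its normal size can be compared with the 1260+ byte payload of the DoS PoC, then parses a constructed M-SEARCH reply to recognise the '1.0 UPnP/1.0 miniupnpd/1.0' banner and read the HTTP port out of LOCATION, which is where the SOAP endpoint really lives (port 5555 in the public PoCs is only the port of the build they were tested against). The addresses, UUID, description path and the "patched" banner in the samples are invented.

```c
/* Added example, not from the page's sources. Parses constructed SSDP replies;
 * nothing here touches the network. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Constructed M-SEARCH replies (not captured traffic). */
#define SAMPLE_VULN \
    "HTTP/1.1 200 OK\r\n" \
    "CACHE-CONTROL: max-age=120\r\n" \
    "ST: upnp:rootdevice\r\n" \
    "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n" \
    "EXT:\r\n" \
    "SERVER: 1.0 UPnP/1.0 miniupnpd/1.0\r\n" \
    "LOCATION: http://192.0.2.1:5555/rootDesc.xml\r\n\r\n"

#define SAMPLE_PATCHED \
    "HTTP/1.1 200 OK\r\n" \
    "ST: upnp:rootdevice\r\n" \
    "SERVER: Linux/3.x UPnP/1.1 MiniUPnPd/1.9\r\n" \
    "LOCATION: http://192.0.2.2/rootDesc.xml\r\n\r\n"

/* Standard root-device M-SEARCH; returns its length or -1. */
int build_msearch(char *dst, size_t dstsz)
{
    int n = snprintf(dst, dstsz,
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "MAN: \"ssdp:discover\"\r\n"
        "MX: 2\r\n"
        "ST: upnp:rootdevice\r\n\r\n");
    return (n < 0 || (size_t)n >= dstsz) ? -1 : n;
}

/* Size of a normal M-SEARCH, for comparison with the 1260+ byte DoS payload. */
int normal_msearch_len(void)
{
    char buf[256];
    return build_msearch(buf, sizeof buf);
}

/* Case-insensitive header lookup over a CRLF-delimited reply; copies the
 * trimmed value into out. Returns 1 when the header is present. */
int ssdp_header(const char *resp, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *line = resp;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1, *vend = line + llen;
            while (v < vend && (*v == ' ' || *v == '\t'))
                v++;
            size_t vlen = (size_t)(vend - v);
            if (vlen >= outsz)
                vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return 0;
}

/* 1 when the SERVER banner names the miniupnpd/1.0 release (case-insensitive,
 * and not a longer version string such as 1.0x). */
int is_miniupnpd_1_0(const char *resp)
{
    char server[256];
    if (!ssdp_header(resp, "SERVER", server, sizeof server))
        return 0;
    for (char *c = server; *c; c++)
        *c = (char)tolower((unsigned char)*c);
    const char *hit = strstr(server, "miniupnpd/1.0");
    if (!hit)
        return 0;
    char next = hit[strlen("miniupnpd/1.0")];
    return !(isdigit((unsigned char)next) || next == '.');
}

/* Port from LOCATION (http://host[:port]/path); 80 when absent, -1 on error. */
int location_port(const char *resp)
{
    char loc[512];
    if (!ssdp_header(resp, "LOCATION", loc, sizeof loc))
        return -1;
    const char *p = strstr(loc, "://");
    if (!p)
        return -1;
    p += 3;
    const char *slash = strchr(p, '/');
    size_t hostlen = slash ? (size_t)(slash - p) : strlen(p);
    const char *colon = memchr(p, ':', hostlen);
    if (!colon)
        return 80;
    long port = strtol(colon + 1, NULL, 10);
    return (port > 0 && port < 65536) ? (int)port : -1;
}

int main(void)
{
    printf("normal M-SEARCH: %d bytes (DoS PoC sends 1260+)\n", normal_msearch_len());
    printf("sample 1: miniupnpd/1.0=%d, http port=%d\n",
           is_miniupnpd_1_0(SAMPLE_VULN), location_port(SAMPLE_VULN));
    printf("sample 2: miniupnpd/1.0=%d, http port=%d\n",
           is_miniupnpd_1_0(SAMPLE_PATCHED), location_port(SAMPLE_PATCHED));
    return 0;
}
```

In a real sweep the reply comes from a UDP socket bound for 239.255.255.250:1900 responses; the parsing is the same. Feeding the LOCATION port into the SOAPAction check rather than assuming 5555 is what keeps the inventory honest on devices whose http_port differs from the PoC's.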
Trendmicro
UPnP-enabled Home Devices and Vulnerabilities (blogs_trendmicro · 2019-03-06, by Tony Yang)
UPnP convenience comes with security holes that range from attackers gaining control of devices to bypassing firewall protections. We looked into UPnP-related events in home networks and found that many users still have UPnP enabled in their devices.
Earlier this year, users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie’s channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site. The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public
Trendmicro
VPNFilter-affected Devices Still Riddled with 19 Bugs (blogs_trendmicro · 2018-07-13, IoT, by Tony Yang and Peter Lee)
This blog tackles the VPNFilter malware and whether deployed devices are vulnerable to it. Based on our data, plenty of the devices are still using old firmware versions. In fact, 19 known vulnerabilities can still be detected in devices to this day.
Our IoT scanning tool allows users to identify if connected devices (e.g. routers, network attached storage devices, IP cameras, and printers) in a given network are vulnerable to security risks and vulnerabilities, such as those related to Mirai, Reaper, and WannaCry.
We gather our data from the Trend Micro™ Home Network Security solution and HouseCall™ for Home Networks scanner. HouseCall for Home Networks is
Bugzilla
CVE-2012-5629 JBoss: allows empty password to authenticate against LDAP (bugzilla · 2012-12-10 · CVSS 7.5) [HIGH]
Note: this entry concerns JBoss LDAP authentication, not MiniUPnPd; its only connection to this page is the erratum identifier RHSA-2013:0230, which shares its digits with CVE-2013-0230.
The jboss-as-domain-management and jbosssx (now part of PicketLink) modules under default conditions allow users to authenticate with a blank password when LDAP authentication is configured and unauthenticated authentication is supported by the LDAP server. This is in violation of the recommendations of RFC 4513, which states that clients should disallow empty passwords as input to a name/password authentication interface, and not allow the input of an empty password to trigger the selection of the unauthenticated authentication mechanism.
Discussion:
This issue has been addressed in the following products:
- JBEWP 5 for RHEL 4
- JBEWP 5 for RHEL 5
- JBEWP 5 for RHEL 6
Via RHSA-2013:0230 https://rhn.redhat.com/errata/RHSA-2
References
- http://www.securityfocus.com/bid/57608
- https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
- https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
- https://community.rapid7.com/servlet/servlet.FileDownload?file=00P1400000cCaFb
- https://www.exploit-db.com/exploits/36839/