CVE-2016-6255
Published: 2017-03-07
Priority: P1, 79, high
CVSS 3.0: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Exploitation: exploited in the wild; listed in VulnCheck KEV
EPSS: 26.82% (97.8th percentile)
Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler.
## Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| libupnp_project | libupnp | <= 1.6.20 | — |
| libupnp_project | libupnp | >= 0 < 1:1.6.17-1.2+deb7u1build0.14.04.1 | 1:1.6.17-1.2+deb7u1build0.14.04.1 |
| libupnp_project | libupnp | >= 0 < 1:1.6.19+git20160116-1ubuntu0.1~esm1 | 1:1.6.19+git20160116-1ubuntu0.1~esm1 |
## Detection & IOCs
Path: /upnp/control/hag
Snort/Suricata rule (sid:2027489):
```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; startswith; endswith; fast_pattern; http.request_header; header_lowercase; content:"soapaction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:7; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, malware_family Mirai, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
- Detect unauthenticated HTTP POST requests to a libupnp webroot path that has no registered handler; that is the core primitive of CVE-2016-6255. The Snort/Suricata rule keys on a POST to /upnp/control/hag with a SOAPAction header containing `urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua` and a body containing the byte pattern `|3c|Code|3e|os|2e|execute|28 60|` (i.e. `<Code>os.execute(` followed by a backtick).
- Monitor for unexpected files appearing under the libupnp/mediatomb webroot (e.g. /usr/share/mediatomb/web/) after an inbound POST request; a new file there is a direct indicator of successful CVE-2016-6255 exploitation.
- The reverse-shell payload uses mkfifo plus netcat; process creation of `mkfifo /tmp/a` or `nc <ip> 1270` spawned from a UPnP service process is a post-exploitation indicator.
- The exploit uses the WebRTC internal-IP leak (RTCPeerConnection with an empty iceServers list) to enumerate LAN hosts before targeting them; browser-side ICE candidate generation with no STUN/TURN server configured is a client-side indicator of the reconnaissance phase.
- Nessus plugin 93911 actively tests for the VeraLite RunLua vulnerability chained with CVE-2016-6255; plugin 94047 (UPnP API Listing) enumerates exposed UPnP actions.
- In default configurations (e.g. the Ubuntu mediatomb package) the vulnerability allows files to be written to the webroot as root, so the impact is elevated wherever the UPnP service runs with root privileges.
- The Snort rule (sid:2027489) references CVE-2019-12780 in addition to CVE-2016-6255, indicating it was later updated to cover Mirai/Echobot exploitation of the same endpoint; defenders should treat a match as potentially attributable to either CVE.
- No fix existed for the VeraLite device at the time of the exploit-db publication; mitigation requires restricting network access to the UPnP server port rather than patching the device.
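The conditions the rule above chains together (exact URI, lowercased header name followed by the RunLua urn within 67 bytes, the `os.execute(` marker in the body) can be exercised offline before the rule is deployed. The following Python is an added example written for this page, not Emerging Threats' code or Suricata's engine: it approximates the rule keywords on raw HTTP/1.x requests and runs them over constructed samples (the 192.0.2.10 host, the `#GetStatus` action name and the placeholder Lua body are made up for the test).

```python
"""Offline re-implementation of the matching conditions of ET rule sid:2027489
(POST to /upnp/control/hag, SOAPAction RunLua, os.execute( in the body), so the
rule's logic can be exercised against constructed HTTP requests without a sensor.
This is an approximation of the rule keywords, not Suricata's engine."""

SOAP_ACTION_URN = b"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"  # 66 bytes
BODY_MARKER = b"<Code>os.execute(`"   # the rule's |3c|Code|3e|os|2e|execute|28 60| decoded
TARGET_URI = b"/upnp/control/hag"
SOAPACTION_PREFIX = b"soapaction: "   # content:"soapaction|3a 20|" after header_lowercase


def _lowercase_header_names(header_block: bytes) -> bytes:
    """Emulate Suricata's header_lowercase transform: header names are lowercased,
    header values are left untouched (so the urn stays case-sensitive)."""
    out = []
    for line in header_block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        out.append(name.lower() + sep + value)
    return b"\r\n".join(out)


def matches_sid_2027489(raw_request: bytes) -> bool:
    """Return True if the raw HTTP/1.x request satisfies every condition of the rule."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] != b"POST":      # http.method; content:"POST"
        return False
    if parts[1] != TARGET_URI:                       # startswith + endswith: whole URI must match
        return False
    headers = _lowercase_header_names(header_block)
    anchor = headers.find(SOAPACTION_PREFIX)
    if anchor < 0:
        return False
    # within:67 -> the 66-byte urn must end no more than 67 bytes after the prefix,
    # so it may start at offset 0 or 1 (directly, or after one opening quote).
    window_start = anchor + len(SOAPACTION_PREFIX)
    if SOAP_ACTION_URN not in headers[window_start:window_start + 67]:
        return False
    return BODY_MARKER in body                       # http.request_body content match


def _request(method: bytes, uri: bytes, headers, body: bytes) -> bytes:
    """Assemble a raw HTTP/1.1 request from its parts (constructed test input)."""
    lines = [method + b" " + uri + b" HTTP/1.1"] + [k + b": " + v for k, v in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


_RUNLUA_HEADERS = [
    (b"Host", b"192.0.2.10:49451"),                  # constructed address
    (b"SOAPAction", b'"' + SOAP_ACTION_URN + b'"'),
    (b"Content-Type", b'text/xml; charset="utf-8"'),
]
_ENVELOPE = b"<s:Envelope><s:Body><u:RunLua><Code>%s</Code></u:RunLua></s:Body></s:Envelope>"

# Constructed sample requests: only the first two satisfy the rule.
SAMPLES = {
    "runlua-os-execute": _request(b"POST", TARGET_URI, _RUNLUA_HEADERS,
                                  _ENVELOPE % b"os.execute(`CONSTRUCTED_PLACEHOLDER`)"),
    # Same request with the header name in another case: header_lowercase still matches.
    "uppercase-header-name": _request(b"POST", TARGET_URI,
                                      [(b"SOAPACTION", b'"' + SOAP_ACTION_URN + b'"')],
                                      _ENVELOPE % b"os.execute(`CONSTRUCTED_PLACEHOLDER`)"),
    # RunLua without os.execute( in the body: the body content keyword fails.
    "runlua-plain": _request(b"POST", TARGET_URI, _RUNLUA_HEADERS, _ENVELOPE % b"return 1"),
    # Different (hypothetical) action name on the same endpoint: the within:67 check fails.
    "other-action": _request(b"POST", TARGET_URI,
                             [(b"SOAPAction", b'"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#GetStatus"')],
                             _ENVELOPE % b"os.execute(`CONSTRUCTED_PLACEHOLDER`)"),
    # Same payload to another URI: the exact-URI check fails.
    "other-uri": _request(b"POST", b"/upnp/control/other", _RUNLUA_HEADERS,
                          _ENVELOPE % b"os.execute(`CONSTRUCTED_PLACEHOLDER`)"),
}


def scan_samples() -> list:
    """Names of the constructed samples that would raise the alert."""
    return [name for name, raw in SAMPLES.items() if matches_sid_2027489(raw)]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22s} alert={matches_sid_2027489(raw)}")
```

Two points the samples make visible: the urn is 66 bytes, so `within:67` leaves room for exactly one byte between the header-name match and the urn, which is why the quoted form still matches while any other action name on the same endpoint does not; and because the rule requires all three of URI, SOAPAction and body marker, a RunLua call without `os.execute(` produces no alert, so it should not be read as a general RunLua monitor.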
## CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
## GHSA
GHSA-cpx4-fhhq-52jh · ghsa_unreviewed · 2022-05-17 · CVE-2016-6255 [HIGH] · CWE-284
Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler.
## OSV
libupnp vulnerabilities · osv · 2021-03-15 · CVSS 7.5 · CVE-2016-6255 [HIGH]
Matthew Garrett discovered that libupnp mishandled POST requests by default. An attacker could use this vulnerability to write files to arbitrary locations in the victim's filesystem, possibly as root. (CVE-2016-6255)
It was discovered that libupnp mishandled certain input. A remote attacker could use this vulnerability to cause a denial of service (crash) or possibly execute arbitrary code. (CVE-2016-8863)
## OSV
osv · 2017-03-07 · CVSS 7.5 · CVE-2016-6255 [HIGH]
Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler.
## VulnCheck
debian debian_linux Improper Access Control · vulncheck · 2016 · CVSS 7.5 · CVE-2016-6255 [HIGH]
Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler.
Affected: debian debian_linux
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors; https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
Exploit PoC: https://vulncheck.com/xdb/8948f343d824
## Ubuntu
libupnp vulnerabilities · vendor_ubuntu · 2021-03-15 · CVSS 7.5 · CVE-2016-6255 [HIGH]
Summary: Several security issues were fixed in libupnp.
Matthew Garrett discovered that libupnp mishandled POST requests by default. An attacker could use this vulnerability to write files to arbitrary locations in the victim's filesystem, possibly as root. (CVE-2016-6255)
It was discovered that libupnp mishandled certain input. A remote attacker could use this vulnerability to cause a denial of service (crash) or possibly execute arbitrary code. (CVE-2016-8863)
Instructions: In general, a standard system update will make all the necessary changes.
## Suricata
ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255) · suricata · 2019-06-18 · CVSS 7.5 · CVE-2016-6255 [HIGH]
Rule:
```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; startswith; endswith; fast_pattern; http.request_header; header_lowercase; content:"soapaction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:7; m
```
## Suricata
ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255) · suricata · 2019-06-18 · CVSS 7.5 · CVE-2016-6255 [HIGH]
Rule:
```snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Outbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; startswith; endswith; fast_pattern; http.request_header; header_lowercase; content:"soapaction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027488; rev:7;
```
## Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities · blogs_unit42 · 2019-12-13
Ruchna Nigam, published December 13, 2019
### Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
## Tenable
[R1] Debian MediaTomb (fork) Multiple Remote Vulnerabilities · blogs_tenable · 2017-03-13
## Tenable
Do You Know Where Your UPnP Is? · blogs_tenable · 2016-10-20
Jacob Baines, October 20, 2016
Much has been said about the security of Universal Plug and Play (UPnP) over the years. There have been FBI warnings, security researchers have published papers, and even Forbes has told us to disable UPnP. But how do you know if UPnP servers are on your network? Are there specific services we should worry about? Do we really need to be concerned about UPnP?
### Finding UPnP services
To answer some of these questions, Tenable wrote a simple Python script called upnp_info.py. You can find it on our GitHub. The script finds all UPnP services and enumerates their functionality. Check out the README for full details.
Some of you may be thinking, “I don’t need that script. I know I disabled UPn
## Bugzilla
CVE-2016-6255 libupnp: Unhandled POSTs can write to the filesystem by default [epel-7] · bugzilla · 2016-07-21 · CVSS 7.5 · CVE-2016-6255 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
[bug automatically created by: add-trackin
## Bugzilla
CVE-2016-6255 libupnp: Unhandled POSTs can write to the filesystem by default [fedora-all] · bugzilla · 2016-07-21 · CVSS 7.5 · CVE-2016-6255 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported
## Bugzilla
CVE-2016-6255 libupnp: Unhandled POSTs can write to the filesystem by default · bugzilla · 2016-07-21 · CVSS 7.5 · CVE-2016-6255 [HIGH]
A vulnerability was found in libupnp. If there's no registered handler for a POST request, the default behaviour is to write it to the filesystem. This allows an attacker to store arbitrary data on deployed devices.
References:
http://seclists.org/oss-sec/2016/q3/102
Upstream fix:
https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd
Discussion:
Created libupnp tracking bugs for this issue:
Affects: fedora-all [bug 1358613]
Affects: epel-7 [bug 1358614]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community p
## arXiv
Beware of the App! On the Vulnerability Surface of Smart Devices through their Companion Apps · arxiv_fulltext · 2019-01-29
Davino Mauro Junior (Federal University of Pernambuco, Brazil), Luis Melo (Federal University of Pernambuco, Brazil), Harvey Lu (University of Michigan, USA), Marcelo d'Amorim (Federal University of Pernambuco, Brazil), Atul Prakash (University of Michigan, USA)
### Abstract
Internet of Things (IoT) devices are becoming increasingly important. These devices are often resource-limited, hindering rigorous enforcement of security policies. Assessing the vulnerability of devices is an important problem, but analyzing their firmware is difficult for a variety of reasons, including requiring the pur
## References
- http://www.debian.org/security/2016/dsa-3736
- http://www.openwall.com/lists/oss-security/2016/07/18/13
- http://www.openwall.com/lists/oss-security/2016/07/20/5
- http://www.securityfocus.com/bid/92050
- https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd
- https://security.gentoo.org/glsa/201701-52
- https://sourceforge.net/p/pupnp/code/ci/master/tree/ChangeLog
- https://twitter.com/mjg59/status/755062278513319936
- https://www.exploit-db.com/exploits/40589/
- https://www.tenable.com/security/research/tra-2017-10