CVE-2017-8798
published 2017-05-11

Priority P2 (61) · CVSS 3.0 9.8 critical · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available · EPSS 24.03% (97.6th percentile)
Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v2.0 allows remote attackers to cause a denial of service or possibly have unspecified other impact.

Affected (7 ranges)

Vendor            Product    Version range                           Fixed in
debian            miniupnpc  < miniupnpc 1.9.20140610-3 (bookworm)   miniupnpc 1.9.20140610-3 (bookworm)
miniupnp_project  miniupnpd  (6 identical entries; version range and fix not given)

Detection & IOCs (extracted from sources)

url:   https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798
port:  udp/1900
port:  tcp/65000
ua:    CentOS/7.2.1511, UPnP/1.1, MiniUPnPc/2.0
url:   https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229
bytes: Transfer-Encoding: chunked with negative chunk size 0x80000000
  • Detect malicious chunked HTTP responses targeting UPnP clients: look for HTTP responses with Transfer-Encoding: chunked where a chunk size value is 0x80000000 or any value with the high bit set (negative when cast to signed int), delivered over the UPnP/SSDP interaction flow on port 1900/UDP and 65000/TCP or any attacker-controlled HTTP port.
  • Monitor for SSDP M-SEARCH replies or NOTIFY messages on UDP/1900 (multicast 239.255.255.250) that redirect UPnP clients to attacker-controlled Location header URLs, as this is the first step to deliver the malicious chunked HTTP response.
  • Inspect HTTP responses served to UPnP clients for Content-Length values that are attacker-controlled (e.g. 9041) combined with a chunked body containing a chunk size of 0x80000000, which triggers the signedness bug in getHTTPResponse() at miniwget.c:305.
  • Alert on processes (e.g. bitcoind -upnp, qBittorrent, Transmission) making outbound HTTP GET requests to unexpected local-network hosts for XML root description URLs (e.g. GET /xxxx.xml), which indicates UPnP IGD discovery is active and the host may be targeted.
  • The vulnerable code path is getHTTPResponse() in miniwget.c; a crash/access violation at miniwget.c:305 (memcpy) is a strong indicator of exploitation. Look for crash dumps or AV signals referencing this function.
  • The attack requires the attacker to be on the local network segment (or otherwise able to answer SSDP discovery) to intercept UPnP IGD requests; in typical configurations it is not a direct internet-facing remote exploit.
  • RCE is unconfirmed and considered only a theoretical possibility in multithreaded environments sharing a heap; the confirmed impact is DoS (ACCESS_VIOLATION_READ / heap corruption).
  • miniupnpc reads HTTP responses in chunks of at most 2048 bytes, which limits the attacker's ability to supply large response chunks and makes a reliable RCE scenario impractical, reducing the impact to DoS.
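
The first and third detection bullets above describe the condition to look for: a chunked HTTP response whose chunk-size field is negative once stored in a 32-bit signed int. The following is an added example (not code from the PoC, the miniupnp project, or this record) that parses a response's chunk-size lines and reports any size that turns negative as int32; the two sample responses are constructed inline, not captured traffic.

```python
import re
from typing import List, Tuple

# A chunk size with bit 31 set becomes negative when stored in a C signed
# 32-bit int, which is the signedness condition behind CVE-2017-8798.
SIGN_BIT = 0x80000000


def to_signed32(value: int) -> int:
    """Interpret a non-negative integer the way a C int32 would store it."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & SIGN_BIT else value


def find_negative_chunks(response: bytes) -> List[Tuple[int, int]]:
    """Return (declared_size, int32_value) for each chunk size negative as int32.

    Only responses declaring Transfer-Encoding: chunked are inspected.
    Chunk extensions (";name=value") are ignored, as RFC 7230 permits.
    """
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        return []
    headers = head.decode("latin-1").lower()
    if not re.search(r"^transfer-encoding:\s*chunked\s*$", headers, re.M):
        return []
    findings = []
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9a-fA-F]+", size_field):
            break  # malformed size line: stop rather than guess
        size = int(size_field, 16)
        if to_signed32(size) < 0:
            findings.append((size, to_signed32(size)))
            break  # a vulnerable client would already have misbehaved here
        if size == 0:
            break  # last-chunk marker
        pos = eol + 2 + size + 2  # skip chunk data and its trailing CRLF
    return findings


# Constructed samples: a benign chunked response and one whose only chunk
# size has the high bit set (the 0x80000000 value named in this record).
BENIGN = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"4\r\n<a/>\r\n0\r\n\r\n")
SUSPECT = (b"HTTP/1.1 200 OK\r\nContent-Length: 9041\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n80000000\r\n")

if __name__ == "__main__":
    print(find_negative_chunks(BENIGN))   # []
    print(find_negative_chunks(SUSPECT))  # [(2147483648, -2147483648)]
```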

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                      9.8    CRITICAL
vendor_debian            9.8    CRITICAL