Cisco Blogs

Cisco Blog > Threat Research

Bypassing MiniUPnP Stack Smashing Protection

This post was authored by Aleksandar Nikolic, Warren Mercer, and Jaeson Schultz.


MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as “hole punching”. Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.

In 2015 Talos identified and reported a buffer overflow vulnerability in client side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE 2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 (“Universal Pwn n Play”) about the client side attack surface of UPnP and this vulnerability was part of it.

Talos has developed a working exploit against Bitcoin-qt wallet which utilizes this library. The exploit developed by Talos includes a Stack Smashing Protection (SSP) bypass, the details of which we will discuss here.

The Vulnerability

The vulnerability lies in the XML parser code of the MiniUPnP library in the IGDstartelt function:

Vulnerable XML parser code of the MiniUPnP library

Vulnerable XML parser code of the MiniUPnP library


IGDdatas struct definition

IGDdatas struct definition



Tags: , , ,

Where is my (intermediate) TLS certificate?

When dealing with TLS connections, it is important to understand how a client (in most cases this is a web browser) will be acting. Let’s quickly check some of the steps that are happening when a TLS connection is made.

A web server will send its certificate down to the requesting client during the TLS handshake. But it is not only a single certificate but usually a complete chain of certificates.
There is the server certificate , in many cases an intermediate CA certificate and finally a Root CA.
When you check your browser this will look like this:

Read More »

Tags: , ,

Link Arms Against the Attackers: Observations from the 2016 Cisco ASR

Remember 2007, when the underground economy began to flourish, using simple protocols and static subnet ranges to control their infrastructure? That was the same year Cisco published the first Annual Security Report (ASR). Nine years later, the drumbeat of cyberthreats grow louder, but the actors and threats are familiar, just as John reminded us when this year’s report was released.

Cyber-crime stats

Read More »

Tags: , , , , , , ,

Hiding in Plain Sight: Malware’s Use of TLS and Encryption


TLS (Transport Layer Security) is a cryptographic protocol that provides privacy for applications. TLS is usually implemented on top of common protocols such as HTTP for web browsing or SMTP for email. HTTPS is the usage of TLS over HTTP, which is the most popular way of securing communication between a web server and client and is supported by the bulk of major web servers.

As TLS has become more popular and easier to use, we have seen the adoption of this technology by malware to secure its own communication. It is fairly straightforward for malware to plug into existing TLS libraries, and in some cases include an entire implementation in its own source code. This ease of use is troubling because it allows malware to easily evade detection and blend into benign traffic patterns typically observed on a network. In short, malware authors know how to use encryption, and they use it in TLS and in custom applications across many different ports and protocols.

In this blog post, we highlight some of the trends we are seeing with respect to the volume of malware traffic taking advantage of TLS, and on which ports this traffic appears. We compare and contrast malware’s usage of TLS with that of benign network traffic. Finally, we conclude by giving next steps to detect malware even in the face of encryption.

Read More »

Tags: , , , ,

Overcoming the DNS “Blind Spot”

[ed. note – this post was authored jointly by John Stuppi and Dan Hubbard]

The Domain Name Service (DNS) provides the IP addresses of intended domain names in response to queries from requesting end hosts. Because many threat actors today are leveraging DNS to compromise end hosts monitoring DNS is often a critical step in identifying and containing malware infections and investigating attacks. Yet our research found that few organizations actually monitor DNS for security purposes—or at all—which makes DNS a security “blind spot.”

We explore this issue in more detail Read More »

Tags: , , ,