
Bypassing MiniUPnP Stack Smashing Protection

- January 27, 2016 - 1 Comment

This post was authored by Aleksandar Nikolic, Warren Mercer, and Jaeson Schultz.

Summary

MiniUPnP is commonly used to allow two devices that are both behind NAT firewalls to communicate with each other by opening connections through each firewall, a technique commonly known as “hole punching”. Software implementations of this technique enable peer-to-peer applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.

In 2015 Talos identified and reported a buffer overflow vulnerability in the client-side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE-2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 (“Universal Pwn n Play”) about the client-side attack surface of UPnP, and this vulnerability was part of it.

Talos has developed a working exploit against the Bitcoin-qt wallet, which uses this library. The exploit includes a Stack Smashing Protection (SSP) bypass, the details of which we discuss here.

The Vulnerability

The vulnerability lies in the XML parser code of the MiniUPnP library, in the IGDstartelt function:

[Figure: Vulnerable XML parser code of the MiniUPnP library]

[Figure: IGDdatas struct definition]
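The post describes the bug only as a buffer overflow in the parser's start-element handler, and the code itself is in the (missing) figures. The following is an added example, not MiniUPnP's own code, that shows the general shape of this bug class from a defender's side: a SAX-style start-element callback that stores the current element name in a fixed-size field of a per-document struct. The struct name `igd_state`, the field `cur_elt_name`, the size `ELT_NAME_MAX`, the scanner `scan_start_tags` and the sample documents are all assumptions made for the example; the unchecked copy is shown only in a comment, and the executable callback is the hardened form that clamps the length and counts how often it had to.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the parser's per-document state (assumption, not
 * the library's IGDdatas): the name of the element being parsed lives in a
 * fixed-size array inside the struct. */
#define ELT_NAME_MAX 128

struct igd_state {
    char cur_elt_name[ELT_NAME_MAX];
    unsigned truncated;   /* element names that did not fit the buffer */
};

/* Defect pattern (deliberately NOT executed here): copying a parser-supplied
 * length into the fixed-size field without comparing it to the field size:
 *
 *     memcpy(s->cur_elt_name, name, len);
 *     s->cur_elt_name[len] = '\0';
 *
 * Any document with an element name of ELT_NAME_MAX or more bytes then writes
 * past the end of cur_elt_name and into whatever follows it in the struct. */

/* Hardened start-element callback: clamp before copying, record the event.
 * Returns true when the name fit without truncation. */
bool igd_start_element(struct igd_state *s, const char *name, size_t len)
{
    bool fits = len < ELT_NAME_MAX;
    if (!fits) {
        len = ELT_NAME_MAX - 1;   /* leave room for the terminator */
        s->truncated++;
    }
    memcpy(s->cur_elt_name, name, len);
    s->cur_elt_name[len] = '\0';
    return fits;
}

/* Minimal start-tag scanner (assumption: no attributes, CDATA or comments
 * need handling for the demo). Skips end tags, PIs and declarations and hands
 * every start-tag name to the callback. Returns the number of start tags seen. */
size_t scan_start_tags(struct igd_state *s, const char *xml)
{
    size_t count = 0;
    const char *p = xml;
    while ((p = strchr(p, '<')) != NULL) {
        p++;
        if (*p == '/' || *p == '?' || *p == '!')
            continue;
        size_t len = strcspn(p, " \t\r\n/>");
        igd_start_element(s, p, len);
        count++;
        p += len;
    }
    return count;
}

/* Length actually stored for a name of `len` 'a' characters (len <= 512). */
size_t stored_name_len_for(size_t len)
{
    static char name[513];
    struct igd_state s;
    memset(&s, 0, sizeof s);
    if (len > 512) len = 512;
    memset(name, 'a', len);
    name[len] = '\0';
    igd_start_element(&s, name, len);
    return strlen(s.cur_elt_name);
}

/* Constructed sample documents: a small IGD-like description, and one whose
 * single element name is 300 bytes long. Returns the truncation count. */
unsigned run_demo(int oversized)
{
    static char doc[512];
    struct igd_state s;
    memset(&s, 0, sizeof s);
    if (oversized) {
        size_t n = 0;
        doc[n++] = '<';
        memset(doc + n, 'a', 300);
        n += 300;
        memcpy(doc + n, ">x</a>", 6);
        n += 6;
        doc[n] = '\0';
    } else {
        strcpy(doc, "<root><device><serviceList><service><serviceType>"
                    "urn:x</serviceType></service></serviceList></device></root>");
    }
    scan_start_tags(&s, doc);
    return s.truncated;
}

int main(void)
{
    printf("normal document: %u truncations\n", run_demo(0));
    printf("oversized element name: %u truncations\n", run_demo(1));
    return 0;
}
```

The point of the counter is operational as much as defensive: a parser that is handed a description document with an element name longer than any real IGD schema uses has no legitimate reason to see one, so the truncation count is a cheap signal to log or alert on in the client.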



1 Comment

    Can you please show us a config on an ASA 550x-x system that can monitor and block these attempts? Cheers, good post.
