Cisco Blogs

Cisco Blog > Threat Research

Vulnerability Spotlight: MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

Vulnerability discovered by Aleksandar Nikolic of Cisco Talos. Post authored by Earl Carter and William Largent

Talos is disclosing the discovery of an exploitable buffer overflow vulnerability in the the MiniUPnP library TALOS-2015-0035 (CVE-2015-6031). The buffer overflow is present in client-side XML parser functionality in miniupnpc. A specially crafted XML response can lead to a buffer overflow, on the stack, resulting in remote code execution.

This miniupnpc buffer overflow is present in client-side part of the library. The vulnerable code is triggered by an oversized XML element name when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network.

MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as “hole punching”. Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.

When parsing the UPNP replies, the XML parser is initialized and `parsexml()` function is called:


Read More »

Tags: , , , ,

Vulnerability Spotlight: Microsoft Windows CDD Font Parsing Kernel Memory Corruption

Discovered by Andrea Allievi and Piotr Bania of Cisco Talos.


Talos, in conjunction with Microsoft’s security advisory issued on September 8th, is disclosing the discovery of a memory corruption vulnerability within the Microsoft Windows CDD Font Parsing Kernel Driver. This vulnerability was initially discovered by the Talos and reported in accordance with responsible disclosure policies to Microsoft. Please see Talos’s Microsoft Tuesday Blog for coverage information for this vulnerability. Read the full Talos Vulnerability Report via the portal here: TALOS-2015-0007


A specially crafted font file can cause the Microsoft Windows CDD Font Parsing Kernel driver to corrupt internal memory structures. The DrvTextOut routine acquires and locks the associated device and behaves differently based on the surface type. If the type is a bitmap and the Windows DWM is on, the driver will read and write directly to the video frame buffer and calls EngTextOut, then exits. However, the driver behaves in an unexpected manner where a new background rect is generated mixing the “OpaqueRect” rectangle located in the sixth parameter and the rectangle located in the “pStringTextObj” object.


If the ClipObject describes a NON-Trivial clip, even the “rclBounds” of the clip object is merged to the background rectangle. The Font Object is parsed, and finally the routine decides if it should clip the background rect or not.


The final decision is based on the following check:


Read More »

Tags: , , ,

Microsoft Internet Explorer Out of Band Advisory

Today an out of band advisory was released by Microsoft to address CVE-2015-2502. This vulnerability is addressed by MS15-093.

MS15-093 address a memory corruption vulnerability in Internet Explorer versions 7, 8, 9, 10, and 11. This affects all currently supported versions of Windows, including Windows 10.

This advisory is rated critical. An attacker can craft a web page designed to exploit this vulnerability and lure a user into visiting it.  The compromise will result in remote code execution at the permission level of the affected user. The use of proper user access controls can limit the severity of the compromise.

As with most out of band releases, it has been reported that this attack is being exploited in the wild. Users should patch immediately.

Read More »

Tags: , , , ,

Talos Identifies Multiple Memory Corruption Issues in Quicktime

Update 2015-08-21: This post has been updated to reflect an additional advisory released on August 20.

Talos, in conjunction with Apple’s security advisories issued on August 13 and August 20, has released six advisories for vulnerabilities that Talos found in Apple Quicktime. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been reported to Apple and CERT.  This post serves as a summary for the advisories being released in coordination with Apple and CERT.

Ryan Pentney and Richard Johnson of Talos are credited with the discovery of these vulnerabilities.

Read More »

Tags: , , ,

Vulnerability Spotlight: Total Commander FileInfo Plugin Denial of Service

Talos is releasing an advisory for multiple vulnerabilities that have been found within the Total Commander FileInfo Plugin. These vulnerabilities are local denial of service flaws and have been assigned CVE-2015-2869. In accordance with our Vendor Vulnerability Reporting and Disclosure policy, these vulnerabilities have been disclosed to the plugin author(s) and CERT.  This post serves as a summary of the advisory.

Credit for these discoveries belongs to Marcin Noga of Talos.


An attacker who controls the content of a COFF Archive Library (.lib) file can can cause an out of bounds read by specifying overly large values for the ‘Size’ field of the Archive Member Header or the “Number Of Symbols” field in the 1st Linker Member. The second half of the vulnerability concerns an attacker who controls the content of a Linear Executable file can cause an out of bounds read by specifying overly large values for the “Resource Table Count” field of the LE Header or the “Object” field at offset 0x8 from a “Resource Table Entry”. An attacker who successfully exploits this vulnerability can cause the Total Commander application to unexpectedly terminate.

These vulnerabilities has been tested against FileInfo 2.21 and FileInfo 2.22.

Product URL

Finding and disclosing zero-day vulnerabilities responsibly helps improve the overall security of the devices and software people use on a day-to-day basis.  Talos is committed to this effort via developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers. These developments help secure the platforms and software customers use and also help provide insight into how Cisco can improve its own processes to develop better products.

For further zero day or vulnerability reports and information visit:

Tags: , , ,