Bypassing MiniUPnP Stack Smashing Protection
This post was authored by Aleksandar Nikolic, Warren Mercer, and Jaeson Schultz.
MiniUPnP is commonly used to allow two devices that are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, a technique commonly known as “hole punching”. Software implementations of this technique enable a range of peer-to-peer applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.
In 2015 Talos identified and reported a buffer overflow vulnerability in the client-side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE-2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 (“Universal Pwn n Play”) about the client-side attack surface of UPnP, and this vulnerability was part of it.
Talos has developed a working exploit against the Bitcoin-qt wallet, which uses this library. The exploit includes a Stack Smashing Protection (SSP) bypass, the details of which we will discuss here.
The vulnerability lies in the XML parser code of the MiniUPnP library in the IGDstartelt function: