Vulnerability Spotlight: MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow
Talos is disclosing the discovery of an exploitable buffer overflow vulnerability in the the MiniUPnP library TALOS-2015-0035 (CVE-2015-6031). The buffer overflow is present in client-side XML parser functionality in miniupnpc. A specially crafted XML response can lead to a buffer overflow, on the stack, resulting in remote code execution.
This miniupnpc buffer overflow is present in client-side part of the library. The vulnerable code is triggered by an oversized XML element name when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network.
MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as “hole punching”. Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.
When parsing the UPNP replies, the XML parser is initialized and `parsexml()` function is called:
The start element function callback is initialized to `IGDStartelt` function and parser `data` variable is of `struct IGDdatas` type:
The structure member `cureltname` is initialized to a static maximum value. The buffer overflow occurs in `IGDstartelt` function when parsing new XML element:
An unsafe call to `memcpy` is made with both source and length arguments under external control.
NAT and MiniUPnP
Many systems are sitting behind firewalls which NAT their traffic and these NAT based firewalls, by design, do not usually allow inbound traffic. To overcome this limitation, many peer-to-peer applications use a technique known as “hole punching” to enable two devices, both sitting behind NAT firewalls to establish direct connections to each other. This is common in peer-to-peer applications with various implementations for hole punching (of which MiniUPnP is one example). Common peer-to-peer applications include Tor, cryptocurrency miners and wallets, Skype, and bittorrent.
Tor is a service used to anonymize communication online. UPnP is commonly used to add port forwarding capabilities to these communications. Tor users choose a source-routed path through a set of nodes in which each node knows only its predecessor and successor, but no others. Traffic flowing down this path is unwrapped by a symmetric key at each node, which reveals the downstream node. Users ping-pong their TCP traffic (http, ssh, ftp) through the network. Connection end points, observers, and even the relays themselves have difficulty tracking the source of the traffic. Providing their communication relative anonymity.
Cryptocurrency – a Target Rich Environment
The anonymity of cryptocurrency makes it an ideal vehicle to use for monetary transactions that threat actors do not want tracked. Ransomware is a perfect example of how cryptocurrency is used to anonymously collect money from the targeted victims. The global impact of ransomware such as Teslacrypt , Cryptowall is clear and many of these ransoms are paid and collected via cryptowallets. Compromising cryptocoin wallet systems provide ideal targets for easy monetization with a low chance of detection. Common configurations using MiniUPnP for Cryptocurrency miners and wallets abound. This is potentially a target rich environment ripe for exploitation. Why bother to phish the end-users and infect them with your own ransomware when you can exploit the wallet configuration of an already successful campaign? All the payout with none of the overhead.
Talos’ research and discovery to find 0-days helps secure the platforms and software that our customers depend on. The disclosure of this and other vulnerabilities helps the entire online community by identifying security issues that otherwise could be exploited by threat actors. Uncovering new 0-days not only helps improve the overall security of the software that our customers use, but it also enables us to directly improve the procedures in our own security development lifecycle, which improves the security of all software that Cisco produces.
Related Snort rules: 35688-35690
For the most up to date list, please refer to Defense Center or FireSIGHT Management Center.
For further zero day or vulnerability reports and information visit: