Bugtraq mailing list archives
Re: MiniUPnPd Information Disclosure (CVE-2013-2600)
From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 12 Jul 2013 16:32:56 -0400
On Fri, Jul 12, 2013 at 2:16 PM, <cyoung () tripwire com> wrote:
> ... This issue was addressed on April 26, 2013 as noted in the changelog:
> http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.tar.gz
>
> 2013/04/26:
> Correctly handle truncated snprintf() in SSDP code
>
> The problem is illustrated in the following code snippet:
>
> Minissdp.c:
> 203 static void SendSSDPAnnounce2(int s, struct sockaddr_in sockname,
> 204                               const char * st, int st_len,
> 205                               const char * host, unsigned short port)
> 206 {
> 207     int l, n;
> 208     char buf[512];
> 209     /* TODO :
> 210      * follow guideline from document "UPnP Device Architecture 1.0"
> 211      * put in uppercase.
> 212      * DATE: is recommended
> 213      * SERVER: OS/ver UPnP/1.0 miniupnpd/1.0
> 214      * */
> 215     l = snprintf(buf, sizeof(buf), "HTTP/1.1 200 OK\r\n"
> 216         "Cache-Control: max-age=120\r\n"
> 217         "ST: %.*s\r\n"
> 218         "USN: %s::%.*s\r\n"
> 219         "EXT:\r\n"
> 220         "Server: " MINIUPNPD_SERVER_STRING "\r\n"
> 221         "Location: http://%s:%u" ROOTDESC_PATH "\r\n"
> 222         "\r\n",
> 223         st_len, st,
> 224         uuidvalue, st_len, st,
> 225         host, (unsigned int)port);
> 226     n = sendto(s, buf, l, 0,
> 227                (struct sockaddr *)&sockname, sizeof(struct sockaddr_in) );
> 228 #if 0 //JM: Don't fill up syslog, even in error condition
> 229     if(n<0)
> 230     {
> 231         syslog(LOG_ERR, "sendto: %m");
> 232     }
> 233 #endif
> 234 }
>
> Notice that the sendto on line 226 is using the snprintf return value, l, from line 215 without considering whether l > sizeof(buf), as is the case when the buffer is truncated.
Truncation occurs at l >= sizeof(buf) because of the terminating NULL.

Jeff
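As an added illustration (not code from this thread or from MiniUPnPd), a reply builder that treats the snprintf() return value the way the fix requires, beside the unchecked length computation the quoted snippet hands to sendto(); the buffer size, server string, root-descriptor path, UUID, host and port values are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sizes and values; the daemon's own macros are not reproduced. */
#define ANNOUNCE_BUF_SIZE 512
#define LONG_ST_LEN 600
/* Build the announce reply into buf and return the bytes really in buf,
 * or -1 on error or truncation. snprintf() returns the length the message
 * WOULD have had; a value >= bufsize means only bufsize-1 bytes exist, so
 * handing it to sendto() would read past the end of buf. */
int build_ssdp_reply(char *buf, size_t bufsize, const char *st, int st_len,
                     const char *uuid, const char *host, unsigned short port)
{
    int l = snprintf(buf, bufsize,
                     "HTTP/1.1 200 OK\r\n"
                     "Cache-Control: max-age=120\r\n"
                     "ST: %.*s\r\n"
                     "USN: %s::%.*s\r\n"
                     "EXT:\r\n"
                     "Server: example-upnpd/0.0\r\n"           /* placeholder */
                     "Location: http://%s:%u/rootDesc.xml\r\n" /* placeholder */
                     "\r\n",
                     st_len, st, uuid, st_len, st, host, (unsigned int)port);
    if (l < 0 || (size_t)l >= bufsize)
        return -1;  /* error or truncated: never send l bytes from buf */
    return l;
}
/* Short ST: reply fits; returned length matches what is in the buffer. */
int demo_short_reply(void)
{
    char buf[ANNOUNCE_BUF_SIZE];
    int l = build_ssdp_reply(buf, sizeof(buf), "upnp:rootdevice", 15,
                             "uuid:constructed-0001", "192.0.2.1", 5000);
    return (l > 0 && l == (int)strlen(buf)) ? l : -2;
}
/* Oversized ST (constructed): the hardened builder refuses it. */
int demo_long_reply(void)
{
    char st[LONG_ST_LEN], buf[ANNOUNCE_BUF_SIZE];
    memset(st, 'A', sizeof(st));
    return build_ssdp_reply(buf, sizeof(buf), st, LONG_ST_LEN,
                            "uuid:constructed-0001", "192.0.2.1", 5000);
}
/* The raw snprintf() value the quoted code passes to sendto(): larger than
 * the 512-byte buffer, which is exactly the over-read the thread describes. */
int demo_unchecked_length(void)
{
    char st[LONG_ST_LEN], buf[ANNOUNCE_BUF_SIZE];
    memset(st, 'A', sizeof(st));
    return snprintf(buf, sizeof(buf), "ST: %.*s\r\n", LONG_ST_LEN, st);
}
```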