oss-sec mailing list archives
multiple flaws in minissdpd
From: Kees Cook <kees () ubuntu com>
Date: Thu, 28 Jul 2011 14:24:20 -0700
Hi!

I recently did an audit[1] of minissdpd for Ubuntu, and found a lot of
issues, unfortunately. There may be more hiding that I didn't notice, but
here are the security bits of my notes:

Denial of Service:
- off-by-one in packet parsing can trigger crashes on unlucky alignment
  minissdpd.c line ~290
- walk off end of memory without length check in "cache-control" packet
  minissdpd.c line ~314
- some unchecked malloc uses could lead to crash
- does not clean up /var/run files on crash

Corruption, possible manipulation of responses:
- linefeed injection in service requests
- unchecked write lengths (could get interrupted, lead to corruption)

Memory corruption, with execution control likely:
- multiple buffer overflows in processRequest
- unchecked decoded lengths
- unchecked buffer creation length
- integer overflows in decoded lengths
- write null byte arbitrarily in heap
- could read stack memory out on requests (including canary if OS used
  stack protector canary that wasn't null-started). e.g.:
  - add bogus service with giant coded-length "location" entry
  - read back with type==1 and matching "st"

General Safety:
- does not drop privileges

Hopefully all of this can get fixed up, it looks like a useful service. :)

Thanks,

-Kees

[1] https://bugs.launchpad.net/ubuntu/+source/minissdpd/+bug/813313

-- 
Kees Cook
Ubuntu Security Team
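The bug classes Kees lists for processRequest (unchecked decoded lengths, integer overflows in decoded lengths, a decoded length trusted when copying a field) share one root cause: a length prefix taken from the packet is used before it is bounded by the packet and by the destination buffer. The block below is an added example written for this page, not minissdpd's own code. It assumes a 7-bits-per-byte length prefix (high bit set means another length byte follows), which is one common "coded length" scheme; the note above does not spell out minissdpd's exact encoding, so treat the format, the function names and the sample packets as assumptions. It shows a decoder in the criticised style beside a hardened one and runs both over constructed packets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not minissdpd's code. Length prefix format is an
 * assumption: 7 data bits per byte, high bit = continuation. */

/* Decoder in the style the note criticises: no check against the end of
 * the packet while consuming continuation bytes, and the 32-bit
 * accumulator wraps. A wrapped length that comes out small passes any
 * later "does it fit" check while the real field is far longer. */
static uint32_t decode_len_unchecked(const unsigned char **pp)
{
    const unsigned char *p = *pp;
    uint32_t n = 0;
    do {
        n = (n << 7) | (*p & 0x7f);
    } while (*(p++) & 0x80);
    *pp = p;
    return n;
}

/* Hardened decoder: every byte read is bounded by `end`, at most five
 * length bytes are accepted (enough for 32 bits), the accumulator is
 * checked before each shift, and the result is capped at `max`.
 * Returns 0 on success, -1 for a malformed or oversized length. */
static int decode_len_checked(const unsigned char **pp, const unsigned char *end,
                              uint32_t max, uint32_t *out)
{
    const unsigned char *p = *pp;
    uint32_t n = 0;
    int i;
    for (i = 0; i < 5; i++) {
        unsigned char c;
        if (p >= end)
            return -1;                 /* length bytes run off the packet */
        c = *p++;
        if (n > (UINT32_MAX >> 7))
            return -1;                 /* next shift would wrap */
        n = (n << 7) | (c & 0x7f);
        if (n > max)
            return -1;                 /* longer than the caller can hold */
        if (!(c & 0x80)) {
            *pp = p;
            *out = n;
            return 0;
        }
    }
    return -1;                         /* too many continuation bytes */
}

/* Copy one length-prefixed field out of [*pp, end) into dst, NUL-terminated.
 * Returns the field length, or -1 if the prefix is malformed, the field
 * would run past the packet, or it would not fit in dst. */
static int parse_field(const unsigned char **pp, const unsigned char *end,
                       char *dst, size_t dstlen)
{
    uint32_t len;
    if (dstlen == 0)
        return -1;
    if (decode_len_checked(pp, end, (uint32_t)(dstlen - 1), &len) != 0)
        return -1;
    if ((size_t)(end - *pp) < len)
        return -1;                     /* field body runs past the packet */
    memcpy(dst, *pp, len);
    dst[len] = '\0';
    *pp += len;
    return (int)len;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char PKT_OK[]       = "\x05hello";                /* len 5, "hello" */
static const unsigned char PKT_TRUNC[]    = "\x7f" "abc";               /* claims 127, carries 3 */
static const unsigned char PKT_OVERSIZE[] = "\x82\x00";                 /* 256, larger than dst */
static const unsigned char PKT_WRAP[]     = "\x81\x80\x80\x80\x80\x00"; /* 2^35, wraps to 0 */

/* Wrappers over a whole packet so results are easy to check. */
static char last_field[256];
static int parse_packet_field(const unsigned char *pkt, size_t pktlen)
{
    const unsigned char *p = pkt;
    return parse_field(&p, pkt + pktlen, last_field, sizeof last_field);
}
static uint32_t unchecked_len_of(const unsigned char *pkt)
{
    const unsigned char *p = pkt;
    return decode_len_unchecked(&p);
}

int main(void)
{
    printf("valid:      %d (%s)\n", parse_packet_field(PKT_OK, 6), last_field);
    printf("truncated:  %d\n", parse_packet_field(PKT_TRUNC, 4));
    printf("oversized:  %d\n", parse_packet_field(PKT_OVERSIZE, 2));
    printf("wrapped, checked:   %d\n", parse_packet_field(PKT_WRAP, 6));
    printf("wrapped, unchecked: %u\n", unchecked_len_of(PKT_WRAP));
    return 0;
}
```

The wrapped packet is the interesting case: the unchecked decoder happily consumes six prefix bytes and reports a length of 0, so a copy guarded only by "len < buffer size" would proceed while the attacker controls what follows; the checked decoder rejects it on the third shift, before any copy. The same pair of checks (prefix bounded by the packet, value bounded by the destination) is what the "unchecked decoded lengths" and "integer overflows in decoded lengths" items are asking for.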
Current thread:
- multiple flaws in minissdpd Kees Cook (Jul 28)
- Re: multiple flaws in minissdpd miniupnp (Jul 29)