FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

upnp -- multiple vulnerabilities

Affected packages
upnp < 1.6.21

Details

VuXML ID 244c8288-cc4a-11e6-a475-bcaec524bf84
Discovery 2016-02-23
Entry 2016-12-27

Matthew Garrett reports:

Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.

Scott Tenaglia reports:

There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.

References

CVE Name CVE-2016-6255
CVE Name CVE-2016-8863
URL https://sourceforge.net/p/pupnp/bugs/133/
URL https://twitter.com/mjg59/status/755062278513319936