List: oss-security
Subject: [oss-security] Re: multiple flaws in minissdpd
From: miniupnp <miniupnp () free ! fr>
Date: 2011-07-29 6:55:21
Message-ID: 4E325959.1060008 () free ! fr
Thanks for the report, I'm having a look at these issues.
On 28/07/2011 23:24, Kees Cook wrote:
> Hi!
>
> I recently did an audit[1] of minissdpd for Ubuntu, and found a lot of issues,
> unfortunately. There may be more hiding that I didn't notice, but here
> are the security bits of my notes:
>
>
> Denial of Service:
>
> - off-by-one in packet parsing can trigger crashes on unlucky alignment
> minissdpd.c line ~290
>
> - walk off end of memory without length check in "cache-control" packet
> minissdpd.c line ~314
>
> - some unchecked malloc uses could lead to crash
>
> - does not clean up /var/run files on crash
>
>
> Corruption, possible manipulation of responses:
>
> - linefeed injection in service requests
>
> - unchecked write lengths (could get interrupted, lead to corruption)
>
>
> Memory corruption, with execution control likely:
>
> - multiple buffer overflows in processRequest
> - unchecked decoded lengths
> - unchecked buffer creation length
> - integer overflows in decoded lengths
> - write null byte arbitrarily in heap
> - could read stack memory out on requests (including canary if OS
> used stack protector canary that wasn't null-started). e.g.:
> - add bogus service with giant coded-length "location" entry
> - read back with type==1 and matching "st"
>
>
> General Safety:
>
> - does not drop privileges
>
>
> Hopefully all of this can get fixed up, it looks like a useful service. :)
>
> Thanks,
>
> -Kees
>
> [1] https://bugs.launchpad.net/ubuntu/+source/minissdpd/+bug/813313
>
>
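As an added example (not code from minissdpd or from either poster), here is a bounds-checked read of a length-prefixed request field of the kind the audit's "unchecked decoded lengths", "integer overflows in decoded lengths" and "unchecked buffer creation length" items describe; the base-128 varint encoding and the field layout are assumptions for illustration, not the daemon's actual wire format.

```c
/* Added example, not minissdpd's own code: bounds-checked extraction of a
 * length-prefixed request field, the kind the audit says was decoded without
 * checks.  The length encoding (base-128 varint, high bit = continuation,
 * most significant group first) and the field layout are assumptions made
 * for illustration, not the daemon's actual wire format. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode a varint length from buf[*pos .. len).  Returns 0 on success, -1 if
 * the length bytes run past the packet or the value would not fit in 32 bits
 * (the integer-overflow case in the report). */
static int decode_length(const uint8_t *buf, size_t len, size_t *pos,
                         uint32_t *out)
{
    uint32_t n = 0;
    while (*pos < len) {
        uint8_t b = buf[(*pos)++];
        if (n > (UINT32_MAX >> 7))          /* n << 7 would lose high bits */
            return -1;
        n = (n << 7) | (b & 0x7fu);
        if (!(b & 0x80)) {                  /* last byte of the length */
            *out = n;
            return 0;
        }
    }
    return -1;                   /* continuation bit set at end of packet */
}

/* Copy one length-prefixed field into a fixed, NUL-terminated buffer.  The
 * declared length is checked against both the bytes actually present and the
 * destination capacity before anything is copied, and nothing is allocated
 * from an attacker-chosen size.  Returns the field length, or -1 on rejection. */
int read_field(const uint8_t *buf, size_t len, size_t *pos,
               char *dst, size_t dstsz)
{
    uint32_t flen;
    if (decode_length(buf, len, pos, &flen) != 0)
        return -1;
    if (flen > len - *pos)                  /* declared length > bytes left */
        return -1;
    if (flen >= dstsz)                      /* no room for data plus NUL */
        return -1;
    memcpy(dst, buf + *pos, flen);
    dst[flen] = '\0';
    *pos += flen;
    return (int)flen;
}
```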