
List:       oss-security
Subject:    [oss-security] Re: multiple flaws in minissdpd
From:       miniupnp <miniupnp () free ! fr>
Date:       2011-07-29 6:55:21
Message-ID: 4E325959.1060008 () free ! fr

Thanks for the report, I'm having a look at these issues.

On 28/07/2011 23:24, Kees Cook wrote:
> Hi!
>
> I recently did an audit[1] of minissdpd for Ubuntu, and found a lot of issues,
> unfortunately. There may be more hiding that I didn't notice, but here
> are the security bits of my notes:
>
>
> Denial of Service:
>
> - off-by-one in packet parsing can trigger crashes on unlucky alignment
>     minissdpd.c line ~290
>
> - walk off end of memory without length check in "cache-control" packet
>     minissdpd.c line ~314
>
> - some unchecked malloc uses could lead to crash
>
> - does not clean up /var/run files on crash
>
>
> Corruption, possible manipulation of responses:
>
> - linefeed injection in service requests
>
> - unchecked write lengths (could get interrupted, lead to corruption)
>
>
> Memory corruption, with execution control likely:
>
> - multiple buffer overflows in processRequest
>     - unchecked decoded lengths
>     - unchecked buffer creation length
>     - integer overflows in decoded lengths
>     - write null byte arbitrarily in heap
>     - could read stack memory out on requests (including canary if OS
>       used stack protector canary that wasn't null-started). e.g.:
>       - add bogus service with giant coded-length "location" entry
>       - read back with type==1 and matching "st"
>
>
> General Safety:
>
> - does not drop privileges
>
>
> Hopefully all of this can get fixed up, it looks like a useful service. :)
>
> Thanks,
>
> -Kees
>
> [1] https://bugs.launchpad.net/ubuntu/+source/minissdpd/+bug/813313
>

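As an added example written from the defender's side (not code from minissdpd, nor from either poster), here is a bounds- and overflow-checked decoder for a length-prefixed request field, the kind of check the "unchecked decoded lengths", "integer overflows in decoded lengths" and "walk off end of memory without length check" items above call for. The 7-bit-per-byte, MSB-continuation length encoding, the sample request bytes and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a length prefix (assumed encoding: 7 data bits per byte, high bit
 * set means "more bytes follow") from at most `avail` bytes at `p`.
 * Returns the number of prefix bytes consumed, or 0 on any failure:
 *   - the prefix runs past the end of the buffer,
 *   - the accumulated length would overflow size_t,
 *   - the decoded length claims more bytes than remain after the prefix. */
size_t decode_length_checked(const unsigned char *p, size_t avail, size_t *out_len)
{
    size_t len = 0, i = 0;
    for (;;) {
        if (i >= avail)                 /* prefix not terminated inside the packet */
            return 0;
        unsigned char b = p[i++];
        if (len > (SIZE_MAX >> 7))      /* len << 7 would overflow */
            return 0;
        len = (len << 7) | (b & 0x7f);
        if (!(b & 0x80))
            break;
    }
    if (len > avail - i)                /* field body would run off the end */
        return 0;
    *out_len = len;
    return i;
}

/* Copy one length-prefixed field into a caller-owned NUL-terminated buffer,
 * refusing anything that does not fit; advances *pp past the field. */
int read_field(const unsigned char **pp, const unsigned char *end, char *dst, size_t dstsz)
{
    size_t len, n = decode_length_checked(*pp, (size_t)(end - *pp), &len);
    if (n == 0 || len >= dstsz)         /* malformed, oversized, or no room for NUL */
        return -1;
    memcpy(dst, *pp + n, len);
    dst[len] = '\0';
    *pp += n + len;
    return 0;
}

int main(void)
{
    /* Constructed request: two fields, "hello" and "abc" */
    const unsigned char req[] = "\x05" "hello" "\x03" "abc";
    const unsigned char *p = req, *end = req + sizeof(req) - 1;
    char buf[16];
    while (read_field(&p, end, buf, sizeof buf) == 0)
        printf("field: %s\n", buf);
    return 0;
}
```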