BugTraq
MiniUPnPd Information Disclosure (CVE-2013-2600) Jul 12 2013 06:16PM
cyoung tripwire com (1 replies)
Re: MiniUPnPd Information Disclosure (CVE-2013-2600) Jul 12 2013 08:32PM
Jeffrey Walton (noloader gmail com)
On Fri, Jul 12, 2013 at 2:16 PM, <cyoung (at) tripwire (dot) com [email concealed]> wrote:
> ...
>
> This issue was addressed on April 26, 2013 as noted in the changelog: http://miniupnp.free.fr/files/changelog.php?file=miniupnpd-1.8.20130607.
tar.gz
>
> 2013/04/26:
> Correctly handle truncated snprintf() in SSDP code
>
> The problem is illustrated in the following code snippet:
> Minissdp.c:
> 203 static void SendSSDPAnnounce2(int s, struct sockaddr_in sockname,
> 204 const char * st, int st_len,
> 205 const char * host, unsigned short port)
> 206 {
> 207 int l, n;
> 208 char buf[512];
> 209 /* TODO :
> 210 * follow guideline from document "UPnP Device Architecture 1.0"
> 211 * put in uppercase.
> 212 * DATE: is recommended
> 213 * SERVER: OS/ver UPnP/1.0 miniupnpd/1.0
> 214 * */
> 215 l = snprintf(buf, sizeof(buf), "HTTP/1.1 200 OK\r\n"
> 216 "Cache-Control: max-age=120\r\n"
> 217 "ST: %.*s\r\n"
> 218 "USN: %s::%.*s\r\n"
> 219 "EXT:\r\n"
> 220 "Server: " MINIUPNPD_SERVER_STRING "\r\n"
> 221 "Location: http://%s:%u" ROOTDESC_PATH "\r\n"
> 222 "\r\n",
> 223 st_len, st,
> 224 uuidvalue, st_len, st,
> 225 host, (unsigned int)port);
> 226 n = sendto(s, buf, l, 0,
> 227 (struct sockaddr *)&sockname, sizeof(struct sockaddr_in) );
> 228 #if 0 //JM: Don't fill up syslog, even in error condition
> 229 if(n<0)
> 230 {
> 231 syslog(LOG_ERR, "sendto: %m");
> 232 }
> 233 #endif
> 234 }
>
>
> Notice that the sendto on line 226 is using the snprintf return value, l, from line 215 without considering whether l > sizeof(buf) as is the case when the buffer is truncated.
Truncation occurs at l >= sizeof(buf) since because of the terminating NULL.

Jeff

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus