Bypassing Miniupnp Stack Smashing Protection

SERVIDORES

This post was authored by Aleksandar Nikolic, Warren Mercer, and Jaeson Schultz.

Summary

MiniUPnP is commonly used to allow two devices which are behind NAT firewalls to communicate with each other by opening connections in each of the firewalls, commonly known as "hole punching". Various software implementations of this technique enable various peer-to-peer software applications, such as Tor and cryptocurrency miners and wallets, to operate on the network.

In 2015 Talos identified and reported a buffer overflow vulnerability in client side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE 2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 ("Universal Pwn n Play") about the client side attack surface of UPnP and this vulnerability was part of it.

Talos has developed a working exploit against Bitcoin-qt wallet which utilizes this library. The exploit developed by Talos includes a Stack Smashing Protection (SSP) bypass, the details of which we will discuss here.

The Vulnerability

The vulnerability lies in the XML parser code of the MiniUPnP library in the IGDstartelt function:

Vulnerable XML parser code of the MiniUPnP library

IGDdatas struct definition

Cisco Price, Dell Price, Huawei Price, ZTE HPE Fortinet Switch Router Server At Low Price

SERVIDORES

NOTÍCIAS QUENTES

Cisco Catalyst 9200 9200L Series Manual free PDF download

Quick Replacement Methods for Faulty Network Switches

2024 Revised Edition: How to Check Cisco Product Serial Numbers?

Cisco Catalyst 1300 Series Firmware: A Comprehensive Guide

What is the phone number for Cisco support?

What is Cisco WLAN controller?

What does a Cisco wireless controller do?

What is Active-Active Data Center?

What is Cisco Partner Program? How to join Cisco partner?

What does Cisco ASR do?

Huawei S6700: How to Configure the MTU Value of an Interface

Huawei Switch S6700 Configuring the Traffic Statistics Interval

Huawei NE router: forget console password, how to recover it

What is Cisco Catalyst 3650?

How about cisco 2960X?

Huawei CloudEngine switches split stacking

What is Cisco ISR?

What is the Cisco SD-WAN?

What is Cisco licenses?

What is Cisco Catalyst 3750?

Huawei S6700 Backup Configuration File to FTP Server or Client

Restoring Factory Settings on Huawei CloudEngine Series Switches

What is Catalyst 9500?

Difference between Huawei HC & HCS & HCSO

What is the difference between Catalyst 9200 and 9200L?

Is the Cisco 3850 a switch or a router?

HUAWEI Switches S6700 - Example: Configuring the Device as an SCP Client

What does the Cisco company do?

What is Cisco ISR 4331 router?

Public Cloud Hardware Integration Implementation

Bypassing MiniUPnP Stack Smashing Protection

Summary

The Vulnerability

Tags quentes : Cisco Talos Talos Threat Research Vulnerability Research miniupnp

Ordering Guide

Recursos

Quem somos

Cisco Price, Dell Price, Huawei Price, ZTE HPE Fortinet Switch Router Server At Low Price

SERVIDORES

NOTÍCIAS QUENTES

Cisco Catalyst 9200 9200L Series Manual free PDF download

Quick Replacement Methods for Faulty Network Switches

2024 Revised Edition: How to Check Cisco Product Serial Numbers?

Cisco Catalyst 1300 Series Firmware: A Comprehensive Guide

What is the phone number for Cisco support?

What is Cisco WLAN controller?

What does a Cisco wireless controller do?

What is Active-Active Data Center?

​What is Cisco Partner Program? How to join Cisco partner?

What does Cisco ASR do?

Huawei S6700: How to Configure the MTU Value of an Interface

Huawei Switch S6700 Configuring the Traffic Statistics Interval

Huawei NE router: forget console password, how to recover it

What is Cisco Catalyst 3650?

How about cisco 2960X?

Huawei CloudEngine switches split stacking

What is Cisco ISR?

What is the Cisco SD-WAN?

What is Cisco licenses?

What is Cisco Catalyst 3750?

Huawei S6700 Backup Configuration File to FTP Server or Client

Restoring Factory Settings on Huawei CloudEngine Series Switches

What is Catalyst 9500?

Difference between Huawei HC & HCS & HCSO

What is the difference between Catalyst 9200 and 9200L?

Is the Cisco 3850 a switch or a router?

HUAWEI Switches S6700 - Example: Configuring the Device as an SCP Client

​What does the Cisco company do?

What is Cisco ISR 4331 router?

Public Cloud Hardware Integration Implementation

Bypassing MiniUPnP Stack Smashing Protection

Summary

The Vulnerability

Tags quentes : Cisco Talos Talos Threat Research Vulnerability Research miniupnp

Ordering Guide

Recursos

Quem somos

What is Cisco Partner Program? How to join Cisco partner?

What does the Cisco company do?