oss-security - libupnp write files via POST

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Mon, 18 Jul 2016 20:53:51 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: libupnp write files via POST

Hi,

Wanted to point out this report by Matthew Garret (not sure if there's
anything else than a couple of tweets public):
https://twitter.com/mjg59/status/755062278513319936

Notable:
"Reported this to upstream 8 months ago without response, so: libupnp's
default behaviour allows anyone to write to your filesystem"
"Seriously. Find a device running a libupnp based server (Shodan says
there's rather a lot), and POST a file to /testfile. Then GET /testfile"
"…and yeah if the server is running as root (it is) and is using / as
the web root (probably not, but maybe) this gives full host fs access"

And later on:
"Emailed the Debian security team a couple of months ago, no response"

Not good...

Patch:
https://github.com/mjg59/pupnp-code/commit/be0a01bdb83395d9f3a5ea09c1308a4f1a972cbd

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.