[Secure-testing-team] Bug#772644: MiniUPnPd is vulnerable to DNS rebinding attacks
Thomas Goirand
zigo at debian.org
Tue Dec 9 14:20:32 UTC 2014
Package: miniupnpd
Version: 1.8.20140523-3
Severity: grave
Tags: security patch
Stephen Röttger from Google did a security audit of MiniUPnPd, and found a few
issues, all now fixed upstream.
Extract from private messages which were forwarded to me (but which is fine to
disclose since there are already some public commits):
> MiniUPnP is vulnerable to DNS rebinding attacks which allows an attacker to
> trigger upnp actions through a malicious website. Wikipedia describes the
> attack quite well: http://en.wikipedia.org/wiki/DNS_rebinding.
> To mitigate this attack, MiniUPnP should check if the request's host header
> either contains an IP address or the hostname of the device.
>
> Besides that, I found a few memory corruption vulnerabilities in the code.
Fixes:
https://github.com/miniupnp/miniupnp/commit/d00b75782e7d73e78d0b935cee6f4873bc48c9e8
https://github.com/miniupnp/miniupnp/commit/7c91c4e933e96b913b72685d093126d282b87db6
Some memory corruption fix:
https://github.com/miniupnp/miniupnp/commit/e6bc04aa06341fa4df3ccae87a167e9adf816911
A buffer overrun in ParseHttpHeaders() fix:
https://github.com/miniupnp/miniupnp/commit/dd39ecaa935a9c23176416b38a3b80d577f21048
Added check if BuildHeader_upnphttp() failed to allocate memory:
https://github.com/miniupnp/miniupnp/commit/ec94c5663fe80dd6ceea895c73e2be66b1ef6bf4
I'm following-up with an upload in a few minutes.
Cheers,
Thomas Goirand (zigo)
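
The Host header check proposed in the quoted report, as an added example in C; it is not the code from the upstream commits listed above. The names `host_header_allowed`, `is_port` and the `device_name` parameter are hypothetical, and the sample values in any call are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <strings.h>

/* Port must be 1-5 decimal digits. */
static int is_port(const char *s)
{
    size_t n = strspn(s, "0123456789");
    return n >= 1 && n <= 5 && s[n] == '\0';
}

/* Return 1 if the Host header value is an IP literal or equals device_name
 * (hypothetical: the hostname the device is configured with), else 0.
 * A rebinding page reaches the device under the attacker's DNS name, so the
 * browser sends that name in Host and the request is refused. */
int host_header_allowed(const char *host, const char *device_name)
{
    char buf[256];
    unsigned char addr[sizeof(struct in6_addr)];
    char *sep;
    size_t len;

    if (host == NULL)
        return 0;
    host += strspn(host, " \t");                 /* leading whitespace */
    len = strlen(host);
    while (len > 0 && strchr(" \t\r\n", host[len - 1]) != NULL)
        len--;                                   /* trailing whitespace, CRLF */
    if (len == 0 || len >= sizeof(buf))
        return 0;                                /* empty or oversized value */
    memcpy(buf, host, len);
    buf[len] = '\0';
    if (strpbrk(buf, " \t\r\n") != NULL)
        return 0;                                /* more than one token */
    if (buf[0] == '[') {                         /* [IPv6] or [IPv6]:port */
        sep = strchr(buf, ']');
        if (sep == NULL || (sep[1] != '\0' && (sep[1] != ':' || !is_port(sep + 2))))
            return 0;
        *sep = '\0';
        return inet_pton(AF_INET6, buf + 1, addr) == 1;
    }
    sep = strchr(buf, ':');                      /* name or IPv4, optional :port */
    if (sep != NULL) {
        if (!is_port(sep + 1))
            return 0;
        *sep = '\0';
    }
    if (inet_pton(AF_INET, buf, addr) == 1)
        return 1;
    return device_name != NULL && buf[0] != '\0' && strcasecmp(buf, device_name) == 0;
}
```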