troglobit/ssdp-responder

Stack-based buffer overflow in ssdp_recv

cve-reporting opened this issue · 0 comments

SSDP responder (from version 1.0 up to the latest 1.5) incorrectly handles incoming network messages, leading to a stack-based buffer overwrite by 1 byte.
This will result in a crash of the server, but only when strict stack checking is enabled.

Error message WITH Address Sanitizer:

sudo ./ssdpd -d
ssdpd[19693]: URN: uuid:4010435a-cc9d-43cf-9d09-ab12fd9d127
ssdpd[19693]: Server: ........ UPnP/1.0 ssdpd/1.5
ssdpd[19693]: Updating interfaces ...
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: Adding new interface ___ with address _____________
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: No interfaces to filter, using all with an IP address.
ssdpd[19693]: Sending SSDP NOTIFY new:1 ...
ssdpd[19693]: Sending notify from ___________ ...
ssdpd[19693]: M-SEARCH * ST: upnp:rootdevice from ___.___.___.___ port _____
ssdpd[19693]: Sending reply from ___.___.___.___ ...
=================================================================
==19693==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc5146a7d0 at pc 0x000000404828 bp 0x7ffc5146a510 sp 0x7ffc5146a500
WRITE of size 1 at 0x7ffc5146a7d0 thread T0
    #0 0x404827 in ssdp_recv ssdp-responder-master/ssdpd.c:440
    #1 0x403ad9 in handle_message ssdp-responder-master/ssdpd.c:644
    #2 0x403ad9 in wait_message ssdp-responder-master/ssdpd.c:684
    #3 0x402655 in main ssdp-responder-master/ssdpd.c:891
    #4 0x7fd45054782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x403748 in _start (ssdp-responder-master/ssdpd+0x403748)

Address 0x7ffc5146a7d0 is located in stack of thread T0 at offset 672 in frame
    #0 0x4043af in ssdp_recv ssdp-responder-master/ssdpd.c:431

  This frame has 3 object(s):
    [32, 36) 'salen'
    [96, 112) 'sa'
    [160, 672) 'buf' <== Memory access at offset 672 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ssdp-responder-master/ssdpd.c:440 ssdp_recv
Shadow bytes around the buggy address:
  0x10000a2854a0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2
  0x10000a2854b0: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
  0x10000a2854c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a2854d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a2854e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000a2854f0: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3
  0x10000a285500: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10000a285510: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a285520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a285530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a285540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==19693==ABORTING

Reproduction:

  1. Download and compile ssdp-responder with Address Sanitizer
    by adding -fsanitize=address to ssdpd_CFLAGS

  2. Run ssdp-responder:
    ./ssdpd -d

  3. Unzip and send the attached crafted message, e.g. using netcat (on the same network segment where the responder is listening):
    netcat -u 239.255.255.250 1900 < payload_ssdp-resp_000.raw

payload_ssdp-resp_000.raw.zip
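Added illustration, not the project's code: the ASan report above says `buf` is 512 bytes ([160, 672)) and the faulting access is a 1-byte WRITE at offset 672, i.e. `buf[512]`. The usual source of exactly that signature is a datagram receive into a fixed buffer followed by NUL termination at `buf[len]`, which overruns by one when the datagram fills the buffer. The actual body of `ssdp_recv` is not on this page, so the "vulnerable" handler below is an assumed model of that pattern, placed beside the hardened form; `fake_recvfrom`, `recv_vulnerable`, `recv_fixed` and `guard_clobbered` are names chosen for this example, and the datagram contents are constructed. A guard byte is placed right after the logical 512-byte buffer so the off-by-one can be observed without undefined behaviour or a sanitizer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Receive buffer size as reported by ASan for ssdp_recv's 'buf' (512 bytes). */
#define SSDP_BUFSZ 512
#define GUARD      0xA5   /* sentinel stored just past the logical buffer */

/* Simulated recvfrom(): copies at most cap bytes of a constructed datagram
 * into dst and returns the byte count, mirroring UDP truncation semantics.
 * (Stand-in for the real socket call so the example runs offline.) */
static size_t fake_recvfrom(char *dst, size_t cap, const char *pkt, size_t pktlen)
{
    size_t n = pktlen < cap ? pktlen : cap;
    memcpy(dst, pkt, n);
    return n;
}

/* Assumed vulnerable pattern (not the project's code): request up to bufsz
 * bytes, then NUL-terminate at buf[len]. When a datagram fills the buffer,
 * len == bufsz and the terminator lands one byte past the end. */
static size_t recv_vulnerable(char *buf, size_t bufsz, const char *pkt, size_t pktlen)
{
    size_t len = fake_recvfrom(buf, bufsz, pkt, pktlen);
    buf[len] = '\0';                  /* off-by-one when len == bufsz */
    return len;
}

/* Hardened form: reserve one byte for the terminator, so the NUL write
 * can never leave the buffer regardless of datagram size. */
static size_t recv_fixed(char *buf, size_t bufsz, const char *pkt, size_t pktlen)
{
    size_t len = fake_recvfrom(buf, bufsz - 1, pkt, pktlen);
    buf[len] = '\0';                  /* len <= bufsz - 1, always in bounds */
    return len;
}

/* Feed a constructed datagram of pktlen bytes to a handler and report whether
 * the guard byte after the logical 512-byte buffer was overwritten.
 * Returns 1 if the guard was clobbered (overflow), 0 if it is intact. */
static int guard_clobbered(size_t (*handler)(char *, size_t, const char *, size_t),
                           size_t pktlen)
{
    char storage[SSDP_BUFSZ + 1];     /* logical buf plus one guard byte */
    char pkt[SSDP_BUFSZ + 64];        /* constructed datagram, oversized on purpose */
    const char hdr[] = "M-SEARCH * HTTP/1.1\r\n";

    memset(pkt, 'A', sizeof(pkt));
    memcpy(pkt, hdr, sizeof(hdr) - 1);            /* make it look like SSDP */
    if (pktlen > sizeof(pkt))
        pktlen = sizeof(pkt);

    storage[SSDP_BUFSZ] = (char)GUARD;
    handler(storage, SSDP_BUFSZ, pkt, pktlen);
    return (unsigned char)storage[SSDP_BUFSZ] != GUARD;
}

int main(void)
{
    static const size_t sizes[] = { 511, 512, 600 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        printf("%zu-byte datagram: vulnerable guard %s, fixed guard %s\n", sizes[i],
               guard_clobbered(recv_vulnerable, sizes[i]) ? "CLOBBERED" : "intact",
               guard_clobbered(recv_fixed, sizes[i]) ? "CLOBBERED" : "intact");
    }
    return 0;
}
```

The 511-byte case passes both handlers, which is why the bug is easy to miss in normal traffic: only a datagram of at least the buffer size triggers the extra write, and without ASan or stack protection the clobbered byte belongs to whatever sits above `buf` in the frame.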