Vulnerability Details: CVE-2012-5958
Public exploit exists!
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.
Vulnerability category: Overflow, Execute code
Exploit prediction scoring system (EPSS) score for CVE-2012-5958
Probability of exploitation activity in the next 30 days: 97.45%
Percentile, the proportion of vulnerabilities that are scored at or less: ~100%
Metasploit modules for CVE-2012-5958
- UPnP SSDP M-SEARCH Information Discovery
  First seen: 2020-04-26
  auxiliary/scanner/upnp/ssdp_msearch
  Discover information from UPnP-enabled systems
  Authors: todb <todb@metasploit.com>, hdm <x@hdm.io>
- Portable UPnP SDK unique_service_name() Remote Code Execution
  Disclosure Date: 2013-01-29
  First seen: 2020-04-26
  exploit/multi/upnp/libupnp_ssdp_overflow
  This module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due
CVSS scores for CVE-2012-5958
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST |
CWE ids for CVE-2012-5958
- The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-5958
- https://www.tenable.com/security/research/tra-2017-10
  [R1] Debian MediaTomb (fork) Multiple Remote Vulnerabilities - Research Advisory | Tenable®
- http://www.debian.org/security/2013/dsa-2615
  Debian -- Security Information -- DSA-2615-1 libupnp4
- http://www.debian.org/security/2013/dsa-2614
  Debian -- Security Information -- DSA-2614-1 libupnp
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
  Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:098
  mandriva.com
- http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf
  404 - File or directory not found.
- https://community.rapid7.com/servlet/servlet.FileDownload?file=00P1400000cCaFb
  Help @ Rapid7
- http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf
  404 - File or directory not found.
- http://packetstormsecurity.com/files/160242/libupnp-1.6.18-Denial-Of-Service.html
  libupnp 1.6.18 Denial Of Service ≈ Packet Storm
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037
  Support/Advisories/MGASA-2013-0037 - Mageia wiki
- http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf
  404 - File or directory not found.
- http://pupnp.sourceforge.net/ChangeLog
- http://www.kb.cert.org/vuls/id/922681
  VU#922681 - Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP (Patch; US Government Resource)
- http://www.securityfocus.com/bid/57602
  libupnp Multiple Buffer Overflow Vulnerabilities (Exploit)
- https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
  Help @ Rapid7
- https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
  Security Flaws in Universal Plug and Play: Unplug, Don't Play
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00013.html
  openSUSE-SU-2013:0255-1: moderate: update for libupnp
- http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf
  404 - File or directory not found.
Products affected by CVE-2012-5958
- cpe:2.3:a:libupnp_project:libupnp:*:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.16:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.15:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.14:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.13:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.0:*:*:*:*:*:*:*