Vulnerability Details: CVE-2012-5958
Public exploit exists!
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.
Vulnerability category: Overflow, Execute code
Products affected by CVE-2012-5958
- cpe:2.3:a:libupnp_project:libupnp:*:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.12:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.11:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.16:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.15:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.14:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.13:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.10:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.9:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:libupnp_project:libupnp:1.4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-5958
- 97.40%: Probability of exploitation activity in the next 30 days
- ~100%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2012-5958
- UPnP SSDP M-SEARCH Information Discovery
  First seen: 2020-04-26
  auxiliary/scanner/upnp/ssdp_msearch
  Discover information from UPnP-enabled systems
  Authors: todb <todb@metasploit.com>, hdm <x@hdm.io>
- Portable UPnP SDK unique_service_name() Remote Code Execution
  Disclosure Date: 2013-01-29
  First seen: 2020-04-26
  exploit/multi/upnp/libupnp_ssdp_overflow
  This module exploits a buffer overflow in the unique_service_name() function of libupnp's SSDP processor. The libupnp library is used across thousands of devices and is referred to as the Intel SDK for UPnP Devices or the Portable SDK for UPnP Devices. Due
CVSS scores for CVE-2012-5958
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
CWE ids for CVE-2012-5958
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-5958
- https://www.tenable.com/security/research/tra-2017-10
  [R1] Debian MediaTomb (fork) Multiple Remote Vulnerabilities - Research Advisory | Tenable®
- http://www.debian.org/security/2013/dsa-2615
  Debian -- Security Information -- DSA-2615-1 libupnp4
- http://www.debian.org/security/2013/dsa-2614
  Debian -- Security Information -- DSA-2614-1 libupnp
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp
  Portable SDK for UPnP Devices Contains Buffer Overflow Vulnerabilities
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:098
  mandriva.com
- http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf
  404 - File or directory not found.
- https://community.rapid7.com/servlet/servlet.FileDownload?file=00P1400000cCaFb
  Help @ Rapid7
- http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf
  404 - File or directory not found.
- http://packetstormsecurity.com/files/160242/libupnp-1.6.18-Denial-Of-Service.html
  libupnp 1.6.18 Denial Of Service ≈ Packet Storm
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037
  Support/Advisories/MGASA-2013-0037 - Mageia wiki
- http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf
  404 - File or directory not found.
- http://pupnp.sourceforge.net/ChangeLog
- http://www.kb.cert.org/vuls/id/922681
  VU#922681 - Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP (Patch; US Government Resource)
- http://www.securityfocus.com/bid/57602
  libupnp Multiple Buffer Overflow Vulnerabilities (Exploit)
- https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf
  Help @ Rapid7
- https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play
  Security Flaws in Universal Plug and Play: Unplug, Don't Play
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00013.html
  openSUSE-SU-2013:0255-1: moderate: update for libupnp
- http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf
  404 - File or directory not found.