Posted by punzalan at 2020-03-21

libupnp (the "Portable SDK for UPnP devices") is a portable C development library for UPnP, the network protocol that lets devices discover and configure each other automatically. The latest version of libupnp is 1.6.20, released on July 7, 2016; the previous version, 1.6.19, was released on November 15, 2013, so releases are far apart. The vulnerable versions are 1.6.17 and below, built before December 2012.

Multiple buffer overflow vulnerabilities exist in versions 1.6.17 and below. The vulnerable function is unique_service_name() in upnp/src/ssdp/ssdp_server.c: the input parameter cmd is not length-checked, so the strncpy calls that copy fields parsed from it overflow fixed-size buffers.

Because this vulnerability class is old and not hard to trigger, a single crafted UDP packet is enough. Soon after the vulnerability was disclosed, Rapid7 released the ScanNow scanning tool, which builds its probe packet as follows:

```
M-SEARCH * HTTP/1.1
HOST:239.255.255.250:1900
MAN:"ssdp:discover"
MX:3
ST:uuid:rootdevice
```

The SERVER header in the response to this packet reveals whether the target runs a vulnerable UPnP library. Below is the Python code that sends the UDP probe:

```python
import socket

SSDP_ADDR = '172.21.192.2'
#SSDP_ADDR = '10.18.25.50'
SSDP_PORT = 1900

# M-SEARCH probe; an SSDP request is terminated by an empty line (\r\n\r\n)
MS = 'M-SEARCH * HTTP/1.1\r\nHost:239.255.255.250:1900\r\nST:upnp:rootdevice\r\nMan:"ssdp:discover"\r\nMX:3\r\n\r\n'

_s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # UDP; the page's copy of the source is cut off here
_s.settimeout(3)
_s.sendto(MS.encode(), (SSDP_ADDR, SSDP_PORT))
data, addr = _s.recvfrom(4096)  # the SERVER header of the reply names the UPnP stack and its version
print(data.decode(errors='replace'))
```

The fix is the standard one for a buffer overflow: determine the length of the input and refuse to copy past the end of the destination buffer. The following is a picture of

360 critical mirror now supports scanning for the libupnp vulnerability. The scan works by determining the libupnp version: libupnp embeds its version number at build time, so the scanner extracts it from the strings of the .so file, and any version below 1.6.18 is flagged as vulnerable. The scanning code is as follows:

```python
# scan_version, scan_tag, vul_id, logger and detect_so_strings() are globals of the
# scanner framework this function belongs to; they are not defined on the page.
def detect_so_upnp(apkinfo, native_dir, logger=logger):
    r_rets = {'scan_version': scan_version, 'scan_tag': scan_tag}
    ret_ = []
    rets = detect_so_strings(apkinfo, native_dir, logger)  # strings dumped from each .so
    if len(rets['result']) > 0:
        for r in rets['result']:
            if 'data' not in r.keys():
                continue
            rr = r['data'].split('\n')
            for __r in rr:
                if 'Portable SDK for UPnP' in __r:
                    # expects the version in the fourth "/"-separated field, e.g.
                    # "<os>/<release>, UPnP/1.0, Portable SDK for UPnP devices/1.6.17"
                    vers = __r.split("/")
                    ver = vers[3].split(".")
                    real_ver = int(ver[2])  # patch level
                    sub_ver = int(ver[1])   # minor version
                    if sub_ver <= 6 and real_ver < 18:  # below 1.6.18: vulnerable
                        r_ = {'vul_file': r['vul_file']}
                        r_.update({'vul_id': vul_id})
                        r_.update({'md5': apkinfo['md5']})
                        if r_ not in ret_:
                            ret_.append(r_)
    if len(ret_) == 0:
        r_rets.update({'risk': 0, 'result': [{'vul_id': vul_id, 'md5': apkinfo['md5']}]})
    else:
        # the page's copy of the source is cut off here; this branch is reconstructed
        # and the risk level 1 is an assumed value
        r_rets.update({'risk': 1, 'result': ret_})
    return r_rets
```
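As an added example (not the 360 scanner's code or anything from the original post), the check below generalizes both the scanner above and the SSDP response check described earlier: it extracts the libupnp banner wherever it appears (the SERVER header of an M-SEARCH reply or a line of strings dumped from a .so) and compares the version as a tuple against 1.6.18, so 1.4.x and 1.5.x builds are caught as well. It assumes the banner has the form `Portable SDK for UPnP devices/X.Y.Z`; the sample response and strings are constructed.

```python
import re

# First release with the unique_service_name() strncpy fixes; the page treats
# everything below 1.6.18 as vulnerable.
FIXED_VERSION = (1, 6, 18)

# Assumed banner layout: "Portable SDK for UPnP devices/<major>.<minor>.<patch>",
# as libupnp emits it in its SERVER header and embeds it in the compiled .so.
BANNER_RE = re.compile(r"Portable SDK for UPnP[^/]*/(\d+)\.(\d+)\.(\d+)")

def parse_libupnp_version(text):
    """Return (major, minor, patch) of the first libupnp banner in text, or None."""
    m = BANNER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_version(version):
    """Tuple comparison: catches 1.4.x and 1.5.x as well as 1.6.0 to 1.6.17."""
    return version is not None and version < FIXED_VERSION

def server_header(response):
    """Extract the SERVER header from an SSDP (HTTPU) response, case-insensitively."""
    for line in response.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def scan_strings(blob):
    """Report every vulnerable libupnp version found in dumped .so strings."""
    hits = []
    for line in blob.splitlines():
        version = parse_libupnp_version(line)
        if is_vulnerable_version(version):
            hits.append(".".join(map(str, version)))
    return hits

# Constructed sample data, not captured from a real device or app.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "SERVER: Linux/3.0, UPnP/1.0, Portable SDK for UPnP devices/1.6.17\r\n"
    "ST: upnp:rootdevice\r\n\r\n"
)
SAMPLE_STRINGS = (
    "UPnP/1.0, Portable SDK for UPnP devices/1.6.18\n"
    "libcrypto.so.1.0.0\n"
    "Portable SDK for UPnP devices/1.4.6\n"
)

print(server_header(SAMPLE_RESPONSE), scan_strings(SAMPLE_STRINGS))
```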

QQ Music did not fix the vulnerability until December 2015, when it replaced the vulnerable libupnp library (version 1.6.17 at the time).

Scanning the 130,000 apps in the appscan big-data set found 60 products affected by this vulnerability.

Although that proportion is almost negligible, developers should still be reminded to pay attention to the security of third-party libraries and to move to the latest official security release promptly.