minissdpd: CVE-2016-3178 CVE-2016-3179


Debian Bug report logs - #816759


Reported by: Salva Peiró <speirofr@gmail.com>

Date: Fri, 4 Mar 2016 22:24:01 UTC

Severity: grave

Tags: patch, security

Found in versions minissdpd/1.1.20120121-1, minissdpd/1.2.20130907-3

Fixed in versions 1.1.20120121-1+deb7u1, minissdpd/1.2.20130907-3.2, minissdpd/1.2.20130907-3+deb8u1

Done: James Cowgill <jcowgill@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#816759; Package minissdpd. (Fri, 04 Mar 2016 22:24:05 GMT)


Acknowledgement sent to Salva Peiró <speirofr@gmail.com>:
New Bug report received and forwarded. Copy sent to Thomas Goirand <zigo@debian.org>. (Fri, 04 Mar 2016 22:24:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salva Peiró <speirofr@gmail.com>
To: submit@bugs.debian.org
Subject: minissdpd: The minissdpd daemon is affected by an improper validation of array index vulnerability
Date: Fri, 4 Mar 2016 23:21:21 +0100
Package: minissdpd
Version: 1.2.20130907-3
Justification: renders package unusable
Severity: grave
Tags: security patch

Dear Maintainer,

The following bug report provides the technical description and bug fixes
and has been extracted from the detailed security advisory
at http://speirofr.appspot.com/files/advisory/SPADV-2016-02.md

Best,

Vulnerability details
=====================

The minissdpd daemon (version: 1.2.20130907-3) contains an
improper validation of array index vulnerability (CWE-129)
when processing requests sent to the Unix socket at /var/run/minissdpd.sock.
The Unix socket can be accessed by an unprivileged user; sending an invalid
request causes an out-of-bounds memory access that crashes the minissdpd
daemon.

Technical Details
=================

The vulnerability can be triggered by a local unprivileged user performing
the following request:

$ echo -en '\x04\x01\x60\x8f\xff\xff\xff\x7f\x0a' | nc.openbsd -U /var/run/minissdpd.sock

The request is processed by the processRequest() function in minissdpd.c,
which identifies the request as type=4 and performs the parsing of the
"new service" request. The decoding of the length of the usn field,
performed at line 663, sets l = 0xffffffff, with p = buf+4 and n = 9; the
negative length l=-1 passes the check at line 664 with (buf+4-1) < (buf + 9),
continuing with the allocation of the usn field at line 673, which initialises
newserv->usn = malloc(0), where in the case of Linux malloc(3) the allocator
returns a pointer that can later be passed to free().  Line 668 then attempts
to copy 0xffffffff bytes from the message pointer p to newserv->usn, which
causes the daemon to perform an out-of-bounds memory access, writing outside
the allocated buffer.

~~~
663         DECODELENGTH_CHECKLIMIT(l, p, buf + n);
664         if(p+l > buf+n) {
665             syslog(LOG_WARNING, "bad request (length encoding)");
666             goto error;
667         }
...
673         newserv->usn = malloc(l + 1);
674         if(!newserv->usn) {
675             syslog(LOG_ERR, "cannot allocate memory");
676             goto error;
677         }
668         memcpy(newserv->usn, p, l);
~~~

The problem is the incorrect validation of the length returned by the
DECODELENGTH_CHECKLIMIT macro at line 664, which does not consider negative
length values. The fix of the length check has already been applied to the
upstream minissdpd repository, see [2]; the bug occurs at multiple locations
after the DECODELENGTH_CHECKLIMIT macro that also need to be fixed:

~~~
          DECODELENGTH_CHECKLIMIT(l, p, buf + n);
-         if(p+l > buf+n) {
+         if(l > (unsigned)(buf+n-p)) {
             syslog(LOG_ERR, "cannot allocate memory");
             goto error;
          }
~~~
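Review bot: the context lines of this fragment do not match the sites it describes: `syslog(LOG_ERR, "cannot allocate memory")` is the malloc failure message, whereas every length check in the full patch below logs `"bad request (length encoding)"` at LOG_WARNING. Worth correcting so the fragment can be matched against the source; the comparison itself is the same `l > (unsigned)(buf+n-p)` used in the full patch.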

After performing the corrections of the length check the minissdpd daemon
properly detects the invalid negative values and performs error handling.
However, the error handling code at line 753 attempts to free the undefined
memory contents that newserv = malloc() allocated at line 642.

~~~
753     if(newserv) {
754         free(newserv->st);
755         free(newserv->usn);
756         free(newserv->server);
757         free(newserv->location);
758         free(newserv);
759         newserv = NULL;
760     }
~~~

The issue is corrected by initialising the contents of newserv to zero [3],
which lets free() operate correctly on the otherwise uninitialised struct
fields.

~~~
642         newserv = malloc(sizeof(struct service));
643         if(!newserv) {
644             syslog(LOG_ERR, "cannot allocate memory");
645             goto error;
646         }
+               memset(newserv, 0, sizeof(struct service));
~~~

Solution
========

Apply the proposed fixes, contained in the patch below.

~~~
From 2f6746a0c00872b977cc81452d77463aa39609e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
Date: Fri, 4 Mar 2016 12:38:18 +0100
Subject: [PATCH] Fix minissdpd.c handling of request with negative length

---
 minissdpd.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/minissdpd.c b/minissdpd.c
index 520a6c5..1cd079e 100644
--- a/minissdpd.c
+++ b/minissdpd.c
@@ -555,7 +555,7 @@ void processRequest(struct reqelem * req)
    type = buf[0];
    p = buf + 1;
    DECODELENGTH_CHECKLIMIT(l, p, buf + n);
-       if(p+l > buf+n) {
+       if(l > (unsigned)(buf+n-p)) {
        syslog(LOG_WARNING, "bad request (length encoding)");
        goto error;
    }
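Review bot: `l > (unsigned)(buf+n-p)` is only sound if `p <= buf+n` holds once DECODELENGTH_CHECKLIMIT returns; if the macro could leave `p` past the limit, the cast of a negative difference would yield a huge unsigned value and every length would pass. A one-line comment stating that invariant (the `_CHECKLIMIT` variant takes `buf + n` as its limit for exactly this reason) would make the change reviewable on its own. The old form `p+l > buf+n` fails because `p + 0xffffffff` wraps to `p - 1` on 32-bit targets, as the report shows.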
@@ -644,6 +644,7 @@ void processRequest(struct reqelem * req)
            syslog(LOG_ERR, "cannot allocate memory");
            goto error;
        }
+               memset(newserv, 0, sizeof(struct service));
        if(containsForbiddenChars(p, l)) {
            syslog(LOG_ERR, "bad request (st contains forbidden chars)");
            goto error;
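Review bot: the memset is what makes the unconditional `free(newserv->st)`, `free(newserv->usn)` and the other frees in the error path at line 753 safe, since free(NULL) is a no-op; replacing the `malloc(sizeof(struct service))` at line 642 with `calloc(1, sizeof(struct service))` would achieve the same in one call and cannot be separated from the allocation by a later edit. Either way, a short comment on why the zeroing is required would stop someone removing it as redundant.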
@@ -661,7 +662,7 @@ void processRequest(struct reqelem * req)
            goto error;
        }
        DECODELENGTH_CHECKLIMIT(l, p, buf + n);
-               if(p+l > buf+n) {
+               if(l > (unsigned)(buf+n-p)) {
            syslog(LOG_WARNING, "bad request (length encoding)");
            goto error;
        }
@@ -679,7 +680,7 @@ void processRequest(struct reqelem * req)
        newserv->usn[l] = '\0';
        p += l;
        DECODELENGTH_CHECKLIMIT(l, p, buf + n);
-               if(p+l > buf+n) {
+               if(l > (unsigned)(buf+n-p)) {
            syslog(LOG_WARNING, "bad request (length encoding)");
            goto error;
        }
@@ -697,7 +698,7 @@ void processRequest(struct reqelem * req)
        newserv->server[l] = '\0';
        p += l;
        DECODELENGTH_CHECKLIMIT(l, p, buf + n);
-               if(p+l > buf+n) {
+               if(l > (unsigned)(buf+n-p)) {
            syslog(LOG_WARNING, "bad request (length encoding)");
            goto error;
        }
--
2.1.4
~~~

Affected versions
=================

Debian: https://packages.debian.org/jessie/minissdpd
minissdpd version 1.2.20130907-3

Ubuntu: https://launchpad.net/ubuntu/+source/minissdpd
minissdpd version 1.2.20130907-3


History
=======

  2016/03/04 - Vendor notified


Credits
=======

  Vulnerability found and advisory written by Salva Peiró.


References
==========

 [1] https://speirofr.appspot.com/files/advisory/SPADV-2016-02.md
 [2] https://github.com/miniupnp/miniupnp/commit/b238cade9a173c6f751a34acf8ccff838a62aa47
 [3] https://github.com/miniupnp/miniupnp/commit/140ee8d2204b383279f854802b27bdb41c1d5d1a




-- System Information:
Debian Release: 8.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages minissdpd depends on:
ii  libc6  2.19-18+deb8u1

minissdpd recommends no packages.

minissdpd suggests no packages.

-- no debconf information
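As an added example, not code from the advisory or from minissdpd: the st and usn length walk of a type-4 request with the pre-patch check and the patched check side by side, using 32-bit offsets in place of pointers so the i386 wrap-around the report describes reproduces on a 64-bit host. The length decoder follows the 7-bit continuation encoding the request bytes above use, and its name, like the other function names, is assumed rather than taken from the project.

```c
#include <stdint.h>

/* 7-bit-per-byte length prefix of minissdpd requests (high bit set means
 * more bytes follow), decoded without reading past n. Written for this
 * example after the page's description of DECODELENGTH_CHECKLIMIT. */
static uint32_t decode_length(const unsigned char *buf, uint32_t *off, uint32_t n)
{
    uint32_t l = 0;
    while (*off < n) {
        unsigned char c = buf[(*off)++];
        l = (l << 7) | (c & 0x7f);
        if (!(c & 0x80))
            break;
    }
    return l;
}

/* Pre-patch check "p+l > buf+n", with 32-bit offsets standing in for
 * pointers so the i386 wrap-around reproduces on any host. */
static int old_check_accepts(uint32_t off, uint32_t l, uint32_t n)
{
    uint32_t end = off + l;     /* wraps modulo 2^32 like a 32-bit pointer */
    return end <= n;
}

/* Patched check "l > (unsigned)(buf+n-p)": compare against the bytes left.
 * n - off cannot wrap because decode_length() never moves off past n. */
static int new_check_accepts(uint32_t off, uint32_t l, uint32_t n)
{
    return l <= n - off;
}

/* Walk the st and usn fields of a type-4 request as processRequest() does and
 * return the usn length that would reach malloc()/memcpy(), or -1 if rejected. */
static int64_t usn_length_reaching_memcpy(const unsigned char *buf, uint32_t n,
                                          int (*accepts)(uint32_t, uint32_t, uint32_t))
{
    uint32_t off = 1;                          /* buf[0] is the request type */
    uint32_t l = decode_length(buf, &off, n);  /* st length */
    if (!accepts(off, l, n)) return -1;
    off += l;                                  /* skip st */
    l = decode_length(buf, &off, n);           /* usn length */
    if (!accepts(off, l, n)) return -1;
    return (int64_t)l;
}

/* The 9-byte request quoted in the advisory, and a constructed well-formed
 * one (st = "a", usn = "b") for comparison. */
static const unsigned char advisory_request[] =
    { 0x04, 0x01, 0x60, 0x8f, 0xff, 0xff, 0xff, 0x7f, 0x0a };
static const unsigned char well_formed_request[] = { 0x04, 0x01, 0x61, 0x01, 0x62 };
```

With the old check the advisory request reaches memcpy() with l = 0xffffffff; with the patched check it is rejected before any allocation, while the well-formed request passes both.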

Changed Bug title to 'minissdpd: CVE-2016-3178 CVE-2016-3179' from 'minissdpd: The minissdpd daemon is affected by an improper validation of array index vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 17 Mar 2016 06:18:03 GMT)


Marked as fixed in versions 1.1.20120121-1+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 May 2016 09:45:16 GMT)


Marked as found in versions minissdpd/1.1.20120121-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 04 May 2016 09:45:17 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Goirand <zigo@debian.org>:
Bug#816759; Package minissdpd. (Mon, 24 Oct 2016 21:45:07 GMT)


Acknowledgement sent to James Cowgill <jcowgill@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Goirand <zigo@debian.org>. (Mon, 24 Oct 2016 21:45:07 GMT)


Message #16 received at 816759@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 816759@bugs.debian.org
Subject: Bug#816759: minissdpd: CVE-2016-3178 CVE-2016-3179
Date: Mon, 24 Oct 2016 22:42:33 +0100
Control: tags -1 pending

Hi,

I have uploaded the attached NMU to fix this bug. It was mostly based on
the fix already present in wheezy-lts (the CVE patches are identical).
I've done some basic testing of the patches and they fix the buffer
overflow which can be triggered as described earlier in the bug report.

I'll see what I can do about fixing this in jessie as well.

Thanks,
James
[minissdpd-1.2.20130907-3.2-nmu.debdiff (text/plain, attachment)]

Added tag(s) pending. Request was from James Cowgill <jcowgill@debian.org> to 816759-submit@bugs.debian.org. (Mon, 24 Oct 2016 21:45:07 GMT)


Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Mon, 24 Oct 2016 23:03:09 GMT)


Notification sent to Salva Peiró <speirofr@gmail.com>:
Bug acknowledged by developer. (Mon, 24 Oct 2016 23:03:09 GMT)


Message #23 received at 816759-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 816759-close@bugs.debian.org
Subject: Bug#816759: fixed in minissdpd 1.2.20130907-3.2
Date: Mon, 24 Oct 2016 23:01:32 +0000
Source: minissdpd
Source-Version: 1.2.20130907-3.2

We believe that the bug you reported is fixed in the latest version of
minissdpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 816759@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated minissdpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 24 Oct 2016 08:54:59 +0100
Source: minissdpd
Binary: minissdpd
Architecture: source
Version: 1.2.20130907-3.2
Distribution: unstable
Urgency: high
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 minissdpd  - keep memory of all UPnP devices that announced themselves
Closes: 816759
Changes:
 minissdpd (1.2.20130907-3.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
     The minissdpd daemon contains an improper validation of array index
     vulnerability (CWE-129) when processing requests sent to the Unix
     socket at /var/run/minissdpd.sock. The Unix socket can be accessed
     by an unprivileged user; sending an invalid request causes an
     out-of-bounds memory access that crashes the minissdpd daemon.





Reply sent to James Cowgill <jcowgill@debian.org>:
You have taken responsibility. (Sat, 05 Nov 2016 18:21:03 GMT)


Notification sent to Salva Peiró <speirofr@gmail.com>:
Bug acknowledged by developer. (Sat, 05 Nov 2016 18:21:03 GMT)


Message #28 received at 816759-close@bugs.debian.org:

From: James Cowgill <jcowgill@debian.org>
To: 816759-close@bugs.debian.org
Subject: Bug#816759: fixed in minissdpd 1.2.20130907-3+deb8u1
Date: Sat, 05 Nov 2016 18:17:09 +0000
Source: minissdpd
Source-Version: 1.2.20130907-3+deb8u1

We believe that the bug you reported is fixed in the latest version of
minissdpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 816759@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Cowgill <jcowgill@debian.org> (supplier of updated minissdpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 24 Oct 2016 22:46:46 +0100
Source: minissdpd
Binary: minissdpd
Architecture: source
Version: 1.2.20130907-3+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Thomas Goirand <zigo@debian.org>
Changed-By: James Cowgill <jcowgill@debian.org>
Description:
 minissdpd  - keep memory of all UPnP devices that announced themselves
Closes: 816759
Changes:
 minissdpd (1.2.20130907-3+deb8u1) jessie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2016-3178 and CVE-2016-3179. (Closes: #816759)
     The minissdpd daemon contains an improper validation of array index
     vulnerability (CWE-129) when processing requests sent to the Unix
     socket at /var/run/minissdpd.sock. The Unix socket can be accessed
     by an unprivileged user; sending an invalid request causes an
     out-of-bounds memory access that crashes the minissdpd daemon.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 10:02:19 GMT)


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:46:36 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 28 Jan 2017 07:36:03 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:19:31 2019; Machine Name: buxtehude
