FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

upnp -- multiple vulnerabilities

Affected packages
upnp < 1.6.21


VuXML ID 244c8288-cc4a-11e6-a475-bcaec524bf84
Discovery 2016-02-23
Entry 2016-12-27

Matthew Garett reports:

Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem. Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile ... and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access.

Scott Tenaglia reports:

There is a heap buffer overflow vulnerability in the create_url_list function in upnp/src/gena/gena_device.c.


CVE Name CVE-2016-6255
CVE Name CVE-2016-8863