The Internet of Things security challenge is twofold: finding bugs, and more urgent—fixing them.
Cisco’s Talos security intelligence and research group found and privately disclosed a serious and trivially exploitable client-side bug in MiniUPnP that was patched in September of last year.
The problem is: How many patches were applied by vendors in their products and how many admins knew about the patch and deployed it on networks worldwide?
The vulnerability in the library (CVE-2015-6031)—MiniUPnP facilitates local communication between devices behind a firewall—is a buffer overflow. A successful exploit gives an attacker remote-code execution capabilities on a device, and quite likely further access inside the local network.
“MiniUPnP is the second most used UPnP SDK behind Intel’s. It’s hard to judge raw numbers, but it has a very large market share,” said Craig Williams, security outreach manager for Cisco Talos. “There’s no way to tell how many have patched this, but we know a lot of [devices] are vulnerable and we’re fairly concerned about it. Hopefully people will realize this and patch their devices or contact their vendor for a patch.”
Software implementations of MiniUPnP live in popular peer-to-peer applications such as Tor or Bitcoin mining applications. On the hardware side, home, small office and big network routers often deploy the library.
Cisco Talos explains in a report published this morning that the MiniUPnP vulnerability lies in the XML parser code in the IGDstartelt function.
From Cisco’s report:
“The buffer overflow is triggered by a call to memcpy function with an unchecked length parameter “l”. Since datas>cureltname is a fixed size buffer inside the IGDdatas structure, supplying a large length will result in a buffer overflow on the stack. … A potential attacker has full control over the length and contents of the memcpy source argument that is being copied into a destination buffer of size MINIUPNPC_URL_MAXSIZE”
Cisco published technical details of the vulnerability and demonstrated an attack against the Bitcoin-qt Wallet, the default Bitcoin client. An attacker would need to set up a phony UPnP server on the local network that would serve up an XML file with “overly long element names,” Cisco said.
Cisco’s exploit bypasses a mitigation in place called Stack Smashing Protection (SSP), which protects vulnerable buffers in a stack with a stack cookie, or canary. The cookie is a fixture in UNIX and Linux builds; Microsoft also deploys a similar mitigation. The Cisco attack bypasses the stack cookie on Linux systems.
“The cookie is supposed to prevent the exploitation of stack-based buffer overflows,” said Rich Johnson, Cisco Talos research manager. When a buffer overflow attack is successful, an attacker can learn where code should next execute on a stack and drop their attack in that spot instead. “SSP puts a cookie there and encrypts it so that an attacker can’t get it. They would have no idea what the next value is.”
Johnson said that Cisco’s attack against Bitcoin-qt—specifically libc in Linux—takes advantage of the fact that SSP doesn’t entire terminate processes right away, instead it executes some code first to notify users and log a crash. Other researchers have done previous work in bypassing SSP as well.
“We reference previous research on these bypasses. This is a new one specific to multithreaded apps,” Johnson said. “A lot of apps like OpenOffice, browsers, Bitcoin clients are multithreaded. Our research found a new approach that applies multithreaded bypasses to this generic mitigation.”
Cisco said it hopes its proof-of-concept exploit raises awareness to the MiniUPnP vulnerability and availability of a fix, especially for those managing embedded devices such as routers where often there isn’t a means of automatically updating devices or communicating the presence of a serious vulnerability.
“Most people have no idea what their embedded devices are running,” Williams said. “It’s a matter of the vendors making sure patches are pushed to users. This is the big struggle with IoT.”