Talos Vulnerability Report


MiniUPnP Internet Gateway Device Protocol XML Parser Buffer Overflow

Sep 15, 2015


An exploitable buffer overflow vulnerability exists in the XML parser functionality of the MiniUPnP library. A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

Tested Versions

MiniUPnP repository master branch

Product URLs



Buffer overflow is present in client-side, miniupnpc, part of the library. Vulnerable part of the code is triggered when applications using miniupnpc library are doing initial network discovery upon startup, while parsing the replies from UPNP servers on the local network. Buffer overflow is triggered by an oversized XML element name.

When parsing the UPNP replies, the XML parser is initialized and parsexml() function is called:

  parser.xmlstart = buffer;
  parser.xmlsize = bufsize;
  parser.data = data;
  parser.starteltfunc = IGDstartelt;
  parser.endeltfunc = IGDendelt;
  parser.datafunc = IGDdata;
  parser.attfunc = 0;

Start element function callback is initialized to `IGDStartelt` function and parser `data` variable is of `struct IGDdatas` type:

  struct IGDdatas {
  char cureltname[MINIUPNPC_URL_MAXSIZE];
  char urlbase[MINIUPNPC_URL_MAXSIZE];
  char presentationurl[MINIUPNPC_URL_MAXSIZE];

Structure member `cureltname` is initialized to a static maximum value.

Buffer overflow occurs in `IGDstartelt` function when parsing new XML element:

  void IGDstartelt(void * d, const char * name, int l)
  struct IGDdatas * datas = (struct IGDdatas *)d;
  memcpy( datas->cureltname, name, l);
  datas->cureltname[l] = '\0';
  if( (l==7) && !memcmp(name, "service", l) ) {
  datas->tmp.controlurl[0] = '\0';
  datas->tmp.eventsuburl[0] = '\0';
  datas->tmp.scpdurl[0] = '\0';
  datas->tmp.servicetype[0] = '\0';

An unsafe call to `memcpy` is made with both source and length arguments under external control.


Discovered by Aleksandar Nikolic of Cisco Talos.