The Rootshell Security team have discovered a bug within miniDLNA; an open-source server software for exchanging media files, such as videos, between devices on a network.

The team identified that a remotely exploitable heap corruption issue exists within the miniDLNA software. Heap corruption occurs when memory allocation for data is handled incorrectly.

The bug is triggered when Universal Plug and Play (UPnP), a set of networking protocols that enable devices to exchange data, attempts to process requests for data transfer.

The root cause of the issue is due to miniDLNA inadvertently allowing a remote attacker to manipulate the length of data ‘chunks’; this is a method for transferring data (also known as ‘chunked transfer encoding’). An attacker could specify a large, and therefore negative, length for a chunk, which leads to memory corruption (due to an ‘out–of–bounds’ error in calls to the memory copy functions ‘memcpy’ and ‘memmove’).

As well as memory corruption, the bug could be exploited to cause an infinite loop. Both would result in a denial–of–service (DoS) attack.

Rootshell’s Head of Research and Development, Dr Neil Kettle, led the research. Below, he demonstrates how the issue can be found in the software’s ‘upnphttp.c’ file:

mini dlna 1

miniDLNA’s code fails to validate the return value of ‘strtol’. Therefore, the remainder of the code can be made to utilise negative values for ‘h->req_chunklen‘.

An example exploitation attempt is given below:

mini dlna 2

Following the discovery of the bug, the Rootshell team have developed a proof of concept for an exploit, which uses memory corruption and an infinite loop to cause a DDoS attack. The issue has since been remediated by the vendor in versions 1.3.0 and later.

Dr Kettle said: “Our continued commitment to identifying and addressing vulnerabilities within software means we can encourage vendors to implement best practices for cybersecurity and help keep users safe”.

The bug has been catalogued as ‘miniDLNA Remote Heap Corruption (CVE-2020-28926)’. You can read our Bug Disclosure Policy here.

Read more of our bug releases here:

Rootshell Discover KeyScrambler Security Flaw That Enables Encryption To Be Bypassed

Rootshell Discover a Denial of Service Flaw in Dekart Private Disk Encryption Software

Subscribe So You Never Miss an Update

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Rootshell Discover Remote Heap Corruption Bug within miniDLNA and Develop Proof of Concept Exploit

Related Posts