CVE-2012-5961

libupnp 1.3.1 - Remote Code Execution via SSDP UDN Field Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-5961.

AI-analyzed exploit summary This Metasploit module exploits a buffer overflow in the `unique_service_name()` function of libupnp's SSDP processor, allowing remote code execution. It targets specific devices like Supermicro IPMI and stages the payload over a secondary TCP connection due to size limitations.

Description

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long UDN (aka device) field in a UDP packet.

Exploits (1)

exploitdb WORKING POC

rubyremoteunix

https://www.exploit-db.com/exploits/24455

View Code ZIP pw:eip

This Metasploit module exploits a buffer overflow in the `unique_service_name()` function of libupnp's SSDP processor, allowing remote code execution. It targets specific devices like Supermicro IPMI and stages the payload over a secondary TCP connection due to size limitations.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Portable UPnP SDK (libupnp) versions including Intel SDK for UPnP Devices 1.3.1

No auth needed

Prerequisites: Network access to the target device on port 1900 (SSDP) · Target device running vulnerable libupnp version

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (15)

Core 15

Core References

Various Sources vendor-advisory x_refsource_cisco

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130129-upnp

Various Sources x_refsource_confirm

http://tsd.dlink.com.tw/temp/PMD/12960/DSR-150N_A2_Release_Notes_FW_v1.05B64_WW.pdf

Various Sources x_refsource_confirm

http://tsd.dlink.com.tw/temp/PMD/12879/DSR-500_500N_1000_1000N_A1_Release_Notes_FW_v1.08B77_WW.pdf

Various Sources x_refsource_confirm

http://tsd.dlink.com.tw/temp/PMD/12966/DSR-150_A1_A2_Release_Notes_FW_v1.08B44_WW.pdf

Various Sources x_refsource_confirm

http://tsd.dlink.com.tw/temp/PMD/13039/DSR-250_250N_A1_A2_Release_Notes_FW_v1.08B44_WW_RU.pdf

Vendor Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDVSA-2013:098

Third Party Advisory x_refsource_misc

https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2013/dsa-2615

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2013/dsa-2614

Exploit vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/57602

Third Party Advisory x_refsource_misc

https://community.rapid7.com/servlet/servlet.FileDownload?file=00P1400000cCaFb

Product x_refsource_confirm

http://pupnp.sourceforge.net/ChangeLog

Third Party Advisory x_refsource_misc

https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

Patch, US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/922681

Third Party Advisory x_refsource_confirm

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0037

Scores

EPSS 0.7233

EPSS Percentile 98.8%

Details

CWE

CWE-119

Status published

Products (1)

libupnp_project/libupnp 1.3.1

Published Jan 31, 2013

Tracked Since Feb 18, 2026