Trend Micro reports that 6.1 million devices are affected.A 3-year-old bug in the Portable SDK for UPnP Devices, also called libupnp, is present in millions of modern-day smart TVs, Internet routers, and smartphones, security research firm Trend Micro reports.
Ironically, the bug itself was patched in December 2012, but developers of various mobile applications, smart TV apps, and router firmware have included an older version of thelibupnp library in their code.
Trend Micro estimates the vulnerability is present in about 6.1 million devices. The firm also scanned different smart apps and found the vulnerability in 547 apps, 326 of which were listed on the Google Play Store.
High-profile apps like Tencent QQMusic and Netflix included the older version of the SDK in their code. These and the other apps use libupnp to play media files or connect to other devices within a local network.
Attackers can exploit the bug to trigger a buffer overflow on affected devices, which in turn would lead to remote code execution.
Attackers can take control of affected devices
A buffer overflow is a state used by most attackers to facilitate more dangerous intrusions. A buffer overflow occurs when an overwhelming amount of data is delivered to a computer function that uses a fixed-sized buffer to handle dynamic input.
If the computer function is properly configured, overflowing data will be dropped. If it’s not, the device crashes and/or part of the overflowing data is written to memory.
The libupnp library is vulnerable to a buffer overflow via its data handler on port 1900. Attackers can send oversized Simple Service Discovery Protocol (SSDP) packets to this port, overflow the buffer and crash the device.
“With further research an exploit could be used not just to cause a crash, but to run arbitrary code on an affected device,” says Veo Zhang, Trend Micro Mobile Threat Analyst. “The ability to run arbitrary code would give the attacker the ability to take control of the device, as on a PC.”
Trend Micro said that they detected attacks in the wild where this vulnerability was used to compromise devices.