Shibby Tomato SUBSCRIBE Call Handler Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery vulnerability has been identified in Shibby Tomato version 1.28. The issue arises in the SUBSCRIBE call handler of the miniupnpd component, specifically in the function that processes incoming subscription requests. The vulnerability allows an attacker to manipulate the callback URI, leading to unintended disclosure of heap memory and adjacent message data to the subscribing client. This issue is present in products that are no longer supported by the maintainer.

Impact

Exploitation of this vulnerability allows for unauthorized information disclosure. A LAN-side attacker can exfiltrate unintended heap and adjacent message data from the miniupnpd process, with the leaked information sent to a subscriber-controlled callback listener. The disclosed data includes bytes beyond the intended first NOTIFY request, potentially exposing unrelated in-memory message content.

Reproduction

The vulnerability can be reproduced by sending a SUBSCRIBE request with a callback URI that exceeds 400 bytes. This can be done using a Python script that interacts with the UPnP event subscription interface. The miniupnpd service must be running with UPnP enabled, and the callback host must be the attacker's own IPv4 address.

Remediation

To address this vulnerability, it is recommended to reject callback URIs that would cause the formatted NOTIFY request to exceed the allocated buffer size. Additionally, snprintf's full return value should not be used as the transmit length unless it has first been checked against the allocated buffer size. Alternatively, the NOTIFY buffer could be sized dynamically from the callback URI length, or the callback length could be clamped before it is stored.
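The remediation above, worked through in C as an added illustration that is not miniupnpd's own code: the unchecked helper mirrors the pattern of trusting snprintf's return value as the transmit length, while the checked helper rejects a callback whose formatted NOTIFY would not fit the buffer. The buffer size, the request format and the sample host, SID and path values are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative fixed NOTIFY buffer size (assumption; the advisory only
 * states that callback URIs over 400 bytes trigger the issue). */
#define NOTIFY_BUF_SIZE 512

/* Constructed sample values, not taken from the advisory. */
static const char *SAMPLE_HOST = "192.0.2.10:8000";
static const char *SAMPLE_SID  = "uuid:constructed-sid";

/* Format a minimal NOTIFY request. snprintf returns the length the full
 * message WOULD have, even when it was truncated to fit bufsize. */
static int format_notify(char *buf, size_t bufsize, const char *path,
                         const char *host, const char *sid)
{
    return snprintf(buf, bufsize,
                    "NOTIFY %s HTTP/1.1\r\nHost: %s\r\n"
                    "Content-Type: text/xml; charset=\"utf-8\"\r\n"
                    "NT: upnp:event\r\nNTS: upnp:propchange\r\n"
                    "SID: %s\r\nSEQ: 0\r\nContent-Length: 0\r\n\r\n",
                    path, host, sid);
}

/* Vulnerable pattern: the untruncated length is returned as the transmit
 * length, so a send() of this many bytes reads past the buffer. */
int notify_len_unchecked(const char *path)
{
    char buf[NOTIFY_BUF_SIZE];
    return format_notify(buf, sizeof buf, path, SAMPLE_HOST, SAMPLE_SID);
}

/* Hardened: reject (-1) when the formatted request does not fit, so the
 * transmit length can never exceed the allocated buffer. */
int notify_len_checked(const char *path)
{
    char buf[NOTIFY_BUF_SIZE];
    int n = format_notify(buf, sizeof buf, path, SAMPLE_HOST, SAMPLE_SID);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    return n;
}

/* Constructed over-long callback path (599 bytes) for demonstration. */
const char *sample_long_path(void)
{
    static char p[600];
    memset(p, 'A', sizeof p - 1);
    p[0] = '/';
    p[sizeof p - 1] = '\0';
    return p;
}
```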

Added: May 29, 2026, 4:34 PM
Updated: May 29, 2026, 4:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.7
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.