Shibby Tomato
- tomato-E800-NVRAM64K-1.28.RT-N5x-MIPSR2-124-Max.bin
A resource exhaustion vulnerability has been identified in Shibby Tomato version 1.28, specifically within the MiniUPnPd daemon. This vulnerability allows for uncontrolled memory growth by exploiting the HTTP request buffering mechanism. The issue arises when the daemon processes incomplete HTTP headers or oversized POST requests with exaggerated Content-Length values, leading to excessive heap memory consumption. The vulnerability can be exploited remotely by an unauthenticated attacker who has access to the LAN-side UPnP HTTP control interface.
Exploitation of this vulnerability causes a denial-of-service condition by consuming memory resources in the MiniUPnPd daemon, leading to service degradation. The memory consumption can be persistent or rapid, depending on the exploitation method used.
The vulnerability can be reproduced by sending incomplete HTTP headers or oversized POST requests to the UPnP HTTP control port. This can be done using a script that streams large amounts of data into the headers or body of a request without ever completing it. The MiniUPnPd daemon then allocates more memory to hold the incoming data, and this growth can be monitored and measured to confirm the vulnerability.
It is recommended to enforce strict maximum sizes for HTTP request headers and bodies before processing them. Incomplete headers that exceed a small threshold should be rejected, and accepted Content-Length values should be clamped to a conservative maximum. Additionally, buffered request memory should be freed or reclaimed aggressively on abnormal connection teardowns. Rate-limiting and capping concurrent control connections can also help reduce the impact of this vulnerability.
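The size limits recommended above can be enforced at the point where request bytes are buffered. The following C sketch is an added example, not MiniUPnPd or Tomato code: the `struct req` layout, the function names and both byte limits are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Assumed limits for this sketch; size them to the largest legitimate SOAP request. */
#define MAX_HEADER_BYTES 2048
#define MAX_BODY_BYTES   8192
enum req_status { REQ_NEED_MORE, REQ_COMPLETE, REQ_REJECT_HEADER, REQ_REJECT_BODY };

struct req {                       /* hypothetical per-connection state */
    char   buf[MAX_HEADER_BYTES + MAX_BODY_BYTES + 1]; /* fixed size, never grown */
    size_t used;                   /* bytes buffered so far */
    size_t header_len;             /* 0 until the blank line ending the headers arrives */
    size_t body_len;               /* validated Content-Length */
};

/* Returns the announced body size, 0 if none, -1 if malformed or above the cap. */
static long parse_content_length(const char *hdr)
{
    for (const char *p = hdr; (p = strchr(p, '\n')) != NULL; ) {
        p++;
        if (strncasecmp(p, "Content-Length:", 15) != 0) continue;
        char *end;
        long v = strtol(p + 15, &end, 10);
        return (end == p + 15 || v < 0 || v > MAX_BODY_BYTES) ? -1 : v;
    }
    return 0;
}

/* Buffer one received chunk; the caller starts from a zeroed struct req. */
enum req_status req_append(struct req *r, const char *data, size_t len)
{
    size_t room = sizeof(r->buf) - 1 - r->used;
    size_t n = len < room ? len : room;   /* never copy past the fixed buffer */
    memcpy(r->buf + r->used, data, n);
    r->used += n;
    r->buf[r->used] = '\0';
    if (r->header_len == 0) {
        char *end = strstr(r->buf, "\r\n\r\n");
        size_t hlen = end ? (size_t)(end - r->buf) + 4 : r->used;
        if (hlen > MAX_HEADER_BYTES) return REQ_REJECT_HEADER; /* incomplete or oversized */
        if (end == NULL) return REQ_NEED_MORE;
        char saved = r->buf[hlen];
        r->buf[hlen] = '\0';              /* confine the search to the header block */
        long cl = parse_content_length(r->buf);
        r->buf[hlen] = saved;
        if (cl < 0) return REQ_REJECT_BODY; /* refuse before buffering any body */
        r->header_len = hlen;
        r->body_len = (size_t)cl;
    }
    return (r->used - r->header_len >= r->body_len) ? REQ_COMPLETE : REQ_NEED_MORE;
}
```

On either `REQ_REJECT_*` result the caller should close the connection and release the `struct req` immediately, which covers the abnormal-teardown recommendation. Rate-limiting and the cap on concurrent control connections are separate controls not shown here.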