pupnp
cpe:2.3:a:pupnp_project:pupnp:*:*:*:*:*:*:*
- <= 1.18.5
A port confusion vulnerability allowing Server-Side Request Forgery (SSRF) via port redirection has been identified in pupnp versions prior to 1.18.5. The issue arises from improper port validation in the 'parse_uri()' function, where the 'atoi()' function truncates out-of-range port values. This flaw can be exploited by a rogue UPnP device to redirect connections to arbitrary internal ports, potentially bypassing port-based access controls and allowing service fingerprinting.
Exploitation of this vulnerability could lead to SSRF port confusion, allowing attackers to redirect client connections to arbitrary internal ports, bypass port-based access controls, and conduct service fingerprinting by connecting to unexpected ports.
The vulnerability can be reproduced by sending a malformed device description from a rogue UPnP device that includes an out-of-range port in the 'controlURL' element. The UPnP control point will silently connect to an incorrect port, bypassing intended access controls.
Users should upgrade to pupnp version 1.18.5, where this vulnerability has been patched.
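The port-parsing flaw described above, shown as an added example that is not code from pupnp or from this advisory: a lenient 'atoi()'-based conversion beside a strict parser that rejects out-of-range input. The function names, the constructed sample strings and the narrowing of the parsed value to a 16-bit port are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Weak pattern: atoi() reports no errors, and narrowing its result to a
 * 16-bit port keeps only the low 16 bits (assumed narrowing step). */
static uint16_t port_lenient(const char *s)
{
    return (uint16_t)atoi(s);
}

/* Strict pattern: digits only, whole string consumed, value in 1..65535.
 * Returns 0 and stores the port on success, -1 on any rejection. */
static int port_strict(const char *s, uint16_t *out)
{
    char *end = NULL;
    long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;              /* rejects empty, sign, leading space */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* overflow or trailing junk */
    if (v < 1 || v > 65535)
        return -1;              /* outside the valid TCP/UDP port range */
    *out = (uint16_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample port strings, not taken from a real device. */
    const char *samples[] = { "49152", "65616", "80x", "-1", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t p = 0;
        int rc = port_strict(samples[i], &p);
        printf("%-6s lenient=%5u strict=%s\n", samples[i],
               (unsigned)port_lenient(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

A control point that validates ports this way fails the URL parse instead of silently connecting to a different port than the one written in the description.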