Can you believe that an estimated 6.1 million smart phones, routers, and smart TVs are vulnerable to remote code execution attacks due to security bugs that have been fixed back in 2012?
According to Trend Micro mobile threats analyst Veo Zhang, the problem lies in the fact that there are many apps out there – very popular apps, even – that use an older version, vulnerable of the portable Universal Plug and Play (UPnP) SDK library (aka libupnp). The library is used to implement media playback or NAT traversal.
The bugs allow stack overflow, and can be triggered to either crash the device or to run arbitrary code, i.e. code that will allow the attacker to take control of the device.
Zhang says they have found 547 apps that used older versions of libupnp, 326 of which are available on the Google Play store. These include popular apps like Tencent’s QQMusic, which has 100 million users in China, and others:
The researchers also initially believed that the Android Netflix app was vulnerable, but it turned out that they used a fork of libupnp that contained the fixes for the bugs in question.
“SDKs can also rely on other SDKs in order to run,” Zhang added. “The Linphone SDK provides voice over IP (VoIP) services to various applications. The libupnp SDK is one of several options used by the Linphone SDK to provide NAT traversal via UPnP; if this option is chosen the vulnerable service will be activated.”
Both Linphone and Tencent have been notified of the problem, and have since fixed it. Other developers might take advantage of this revelation to update their apps with newer versions of the library.
“We have seen exploits in the wild targeting devices that do not use [buffer overflow] mitigation protections such stack canaries, DEP, and ASLR. For well protected systems, we do not know of exploits that are currently capable of remote code execution,” Zhang concluded.