CVE-2023-33476

Vulnerability

ReadyMedia (MiniDLNA) versions 1.1.15 up to 1.3.2 are vulnerable to a heap-based buffer overflow caused by incorrect validation logic in the HTTP chunked transfer encoding parser [1]. The flaw resides in the ParseHttpHeaders() function in upnphttp.c, where the return value of a comparison expression is incorrectly stored as the parsed chunk size instead of the return value of strtol() [1]. This allows attacker-supplied chunk size values larger than the total request buffer to pass validation, leading to subsequent out-of-bounds reads/writes via memmove() calls [1].

Exploitation

An unauthenticated attacker with network access to the MiniDLNA server can send a specially crafted HTTP request using chunked transfer encoding [1]. The request includes a chunk size that is maliciously large, which bypasses the flawed validation but is later used as the size argument in memmove(), causing heap memory corruption [1]. No prior authentication or user interaction is required, and the attack can be performed remotely [1].

Impact

Successful exploitation results in out-of-bounds read/write on the heap, which can be leveraged to achieve remote code execution in the context of the user running the MiniDLNA server process [1]. This could allow an attacker to fully compromise the affected system, including theft of sensitive data, installation of malware, or further lateral movement within the network [1].

Mitigation

The vulnerability is fixed in MiniDLNA version 1.3.3, which was released on 2023-05-31 [3]. Users should upgrade to version 1.3.3 or later. Gentoo Linux users can update via >=net-misc/minidlna-1.3.3 (GLSA 202311-12) [4]. If upgrading is not immediately possible, restricting network access to the MiniDLNA service and using firewall rules to limit exposure can reduce risk until a patch is applied [4]. No other workaround is known.