Reported this to upstream 8 months ago without response, so: libupnp's default behaviour allows anyone to write to your filesystem
Conversation
Seriously. Find a device running a libupnp based server (Shodan says there's rather a lot), and POST a file to /testfile. Then GET /testfile
4
69
82
…and yeah if the server is running as root (it is) and is using / as the web root (probably not, but maybe) this gives full host fs access
3
11
20
Show replies
One especially fun thing is that you can usually overwrite the device descriptor XML which means you can trigger client bugs as well
2
5
10
Summary: It's Monday, everything's fucked, no change here
1
9
31
Show replies
Anyway, patch is here:
1
6
15
Show replies
Emailed the Debian security team a couple of months ago, no response
1
7