In 2015 Talos identified and reported a buffer overflow vulnerability in the client-side code of the popular MiniUPnP library. The vulnerability was promptly fixed by the vendor and was assigned TALOS-CAN-0035 as well as CVE-2015-6031. Martin Zeiser and Aleksandar Nikolic subsequently gave a talk at PacSec 2015 ("Universal Pwn n Play") about the client-side attack surface of UPnP, and this vulnerability was part of it.
Talos has developed a working exploit against the Bitcoin-qt wallet, which utilizes this library. The exploit developed by Talos includes a novel Stack Smashing Protection (SSP) bypass. As the bypass technique lies in the way pthreads work, it perfectly illustrates how a seemingly hard-to-exploit issue can still be exploited due to unforeseen consequences arising from the complexity present in the modern process execution chain.
In this talk, we will introduce the details of the stack smashing protection implementation, discuss the relevant libc and pthread mechanisms, introduce the steps required for the successful bypass, and conclude with a demonstration.