SECURITYVULNS:DOC:2290
Dec 21, 2001 - 12:00 a.m.

ISS Security Alert: Multiple Vulnerabilities in Universal Plug and Play Service


Internet Security Systems Security Alert
December 20, 2001

Multiple Vulnerabilities in Universal Plug and Play Service

Synopsis:

ISS X-Force is aware of multiple vulnerabilities with the Universal Plug and
Play Service (UPnP) included with several Microsoft Windows operating systems.
UPnP is a protocol that allows network devices to broadcast self-describing
messages for peer-to-peer integration into a network. Two vulnerabilities are
present in UPnP. A buffer overflow exists in the Windows XP implementation of
the Simple Service Discovery Protocol (SSDP) component of UPnP. Another more
generic Distributed Denial of Service (DDoS) or Denial of Service (DOS) risk
exists within SSDP as well and affects multiple versions of the operating
system.

Affected Versions:

Windows XP
Windows ME
Windows 98SE
Windows 98

Description:

A remotely exploitable buffer overflow exists in the UPnP service of Windows
XP. A malicious user can transmit a malformed NOTIFY request to a vulnerable
machine and overflow an unchecked buffer in the UPnP service. This service
runs in the SYSTEM context under Windows XP and can result in a full system
compromise, allowing the attacker to gain control of the affected machine.

A condition also exists in the implementation of SSDP that could lead to a
DOS or DDoS attack by transmitting a malformed NOTIFY directive at a targeted
machine or group of machines. The targets can be forced to endlessly transmit
HTTP requests to a final target.

Recommendations:

Internet firewalls should be configured to block ports 1900 and 5000.

ISS RealSecure intrusion detection customers may use the following connection
event to detect access attempts by the UPnP Overflow. Follow the instructions
below to apply the connection event to your policy.

  1. Choose a policy you want to use, and click 'Customize'.
  2. Select the 'Connection Events' tab.
  3. Click 'Add' on the right hand side of the dialog box.
  4. Create a Connection Event
  5. Type in a name of the event, such as 'UPnP Overflow'.
  6. In the 'Response' field for the event, select the responses you want to
    use.
    In the 'Protocol' field, select UDP
    In the 'Dest Port/Type' field click the pull down box and create an entry
    for UDP port 1900:
    a. Click 'Add'
    b. Select UDP Protocol
    c. Name the service 'UPnP Overflow'
    d. Use 1900 for the port number
    e. Click 'OK'
    f. Select the entry just created
  7. Save changes and close the window.
  8. Click 'Apply to Sensor' or 'Apply to Engine' depending on the version of
    RealSecure you are using.

The connection event now matches any source address/port and any destination
address, looking for a UDP request on port 1900. Every network is different,
so it is possible to make entries for each vulnerable host on your network
instead of using the above connection event.

Contact ISS Technical Support for more specific help on this matter.
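
The connection event above fires on every UDP datagram sent to port 1900. As an added example (not ISS or RealSecure code, and not part of the original alert), the following Python narrows such hits to SSDP NOTIFY messages that merit a closer look. The internal range, the line-length ceiling and the LOCATION comparison are assumptions chosen for illustration, and the sample datagrams are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

SSDP_PORT = 1900                                     # UDP port named in the alert
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed internal range
MAX_LINE = 256                                       # assumed line-length ceiling

def parse_ssdp(payload: bytes):
    """Split an SSDP datagram into (start_line, {HEADER: value})."""
    lines = payload.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def triage(src_ip: str, dst_port: int, payload: bytes) -> list:
    """Return the reasons a UDP datagram deserves analyst attention."""
    start, headers = parse_ssdp(payload)
    if dst_port != SSDP_PORT or not start.upper().startswith("NOTIFY "):
        return []
    findings = []
    if ipaddress.ip_address(src_ip) not in LOCAL_NET:
        findings.append("NOTIFY from outside the local network")
    longest = max(len(line) for line in payload.split(b"\r\n"))
    if longest > MAX_LINE:
        findings.append(f"over-long line ({longest} bytes)")
    # LOCATION tells a control point where to fetch the device description.
    location = headers.get("LOCATION")
    if location is not None:
        try:
            host = urlsplit(location).hostname
        except ValueError:
            host = None
        if host != src_ip:
            findings.append(f"LOCATION host {host} is not the sender")
    return findings

def notify(location: str, nt: str = "upnp:rootdevice") -> bytes:
    """Build a constructed sample NOTIFY for exercising triage()."""
    return ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            f"LOCATION: {location}\r\nNT: {nt}\r\nNTS: ssdp:alive\r\n\r\n").encode()

# Constructed samples: a normal LAN announcement and an off-network one.
BENIGN = ("192.168.1.10", 1900, notify("http://192.168.1.10:5000/desc.xml"))
SUSPECT = ("203.0.113.7", 1900, notify("http://198.51.100.20/", nt="x" * 300))

if __name__ == "__main__":
    for src, port, data in (BENIGN, SUSPECT):
        print(src, triage(src, port, data) or "ok")
```
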

Users of ISS BlackICE products in Trusting or Cautious mode can add a firewall
rule to protect themselves from this attack:

  1. Select 'Tools' and click 'Advanced Firewall Settings'
  2. Click 'Add' to add a new rule.
  3. Name the rule 'UPnP Overflow'
  4. Select 'All Addresses'
  5. Type in Port 1900 into the Ports field
  6. Select Type UDP
  7. Select Mode Reject
  8. Select Duration Forever
  9. Click 'Add'

BlackICE users in Nervous or Paranoid mode will be protected against the
attack and do not need to add a rule.

An Internet Scanner FlexCheck will be available soon to detect this
vulnerability. The FlexCheck will be available at the following URL:
https://www.iss.net/cgi-bin/download/customer/download_product.cgi

Patches from Microsoft Corporation are available at the following locations:

Microsoft Windows 98/98SE:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34991

Microsoft Windows ME:
http://download.microsoft.com/download/winme/Update/22940/WinMe/EN-US/314757USAM.EXE

Microsoft Windows XP:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34951

Additional Information:

eEye Digital Security Advisory:
http://www.eeye.com/html/Research/Advisories/AD20011220.html

Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

Credits:

This vulnerability was discovered and researched by eEye Digital Security.


About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 9,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks, the top 10 U.S.
telecommunications companies, and all major branches of the U.S. Federal
Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with
additional offices throughout North America and international operations
in Asia, Australia, Europe, Latin America and the Middle East. For more
information, visit the Internet Security Systems web site at www.iss.net
or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail [email protected] for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.