Multiple Vulnerabilities in Microsoft Universal Plug and Play

Multiple vulnerabilities exist in Microsoft's implementation of Universal Plug and Play (UPnP).

Ken Pfeil

December 20, 2001


Reported December 20, 2001, by eEye Digital Security.

VERSIONS AFFECTED


  • Microsoft Windows XP

  • Microsoft Windows ME

  • Microsoft Windows 98/98SE


DESCRIPTION
Multiple vulnerabilities exist in Microsoft's implementation of Universal Plug and Play (UPnP). The first is a remotely exploitable buffer overflow that can give an attacker SYSTEM-level access to the vulnerable host. It results from an unchecked buffer in the service component that handles NOTIFY directives. By sending malformed UPnP NOTIFY directives at various intervals, an attacker can cause access violations on the vulnerable system that overwrite pointers. Because the UPnP service runs with SYSTEM privileges, an attacker who controls those pointers can take complete control of the system remotely.


The second vulnerability is related to the first: the UPnP service does not sufficiently limit how far it will go to obtain information about a device it has discovered. Two Denial of Service (DoS) scenarios exist for exploiting this weakness. In the first, an attacker sends a NOTIFY directive to a vulnerable host and loops the request; the loop eventually consumes all system resources on the vulnerable system. In the second, the attacker specifies a third system in the NOTIFY directive, so that the vulnerable system (or systems) respond to that third host instead of the sender. Because the UPnP service responds to both multicast and broadcast UDP requests, one such directive can cause many hosts to respond at once, which opens the door to Distributed Denial of Service (DDoS) attacks. You can find specific details about these vulnerabilities at the discoverer's Web site.
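The two abuse patterns above are visible on the wire as properties of the SSDP NOTIFY datagram itself: a header value far longer than any real device sends, and a LOCATION that points the receiver at a host other than the sender. The following Python is an added triage example written for this article, not code from eEye or Microsoft. The sample packets are constructed, and the length threshold, the per-source rate threshold and the local-network parameter are assumptions you would tune for your own network.

```python
"""Triage of SSDP NOTIFY traffic for the abuse patterns described above.

Added example, not eEye's or Microsoft's code. Sample packets are constructed;
MAX_HEADER_VALUE, the flood window/threshold and local_net are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

MAX_HEADER_VALUE = 256   # assumed: genuine LOCATION/USN values are far shorter


def parse_ssdp(raw: bytes) -> dict:
    """Split an SSDP datagram into its request line and a dict of
    lower-cased header names -> values. Raises ValueError if malformed."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].strip():
        raise ValueError("empty message")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()   # last occurrence wins
    return {"request_line": lines[0], "headers": headers}


def triage_notify(raw: bytes, src_ip: str, local_net: str) -> list:
    """Findings for one NOTIFY datagram received from src_ip.

    Flags (1) any header value long enough to be an overflow attempt and
    (2) a LOCATION that would make the receiver contact a host other than the
    sender or outside local_net (the third-host scenario in the advisory)."""
    try:
        msg = parse_ssdp(raw)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    if not msg["request_line"].startswith("NOTIFY "):
        return []                      # M-SEARCH and search replies are out of scope
    findings = []
    for name, value in msg["headers"].items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"overlong {name.upper()} header ({len(value)} bytes)")
    loc = msg["headers"].get("location")
    if loc:
        parts = urlsplit(loc)
        if parts.scheme != "http" or not parts.hostname:
            findings.append(f"LOCATION is not a plain http URL: {loc!r}")
        else:
            try:
                addr = ipaddress.ip_address(parts.hostname)
            except ValueError:
                findings.append(f"LOCATION host is a name, not an address: {parts.hostname!r}")
            else:
                if str(addr) != src_ip:
                    findings.append(f"LOCATION host {addr} differs from sender {src_ip}")
                if addr not in ipaddress.ip_network(local_net):
                    findings.append(f"LOCATION host {addr} is outside {local_net}")
    return findings


def flood_sources(events, window_s=10.0, threshold=20):
    """events: (timestamp_seconds, src_ip) per NOTIFY seen. Returns the set of
    sources that sent more than `threshold` NOTIFYs inside any sliding window
    of `window_s` seconds: the looped-request DoS scenario (assumed limits)."""
    by_src = {}
    for ts, src in sorted(events):
        by_src.setdefault(src, []).append(ts)
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged


def notify(location: str) -> bytes:
    """Build a minimal, constructed ssdp:alive NOTIFY with the given LOCATION."""
    return (b"NOTIFY * HTTP/1.1\r\n"
            b"HOST: 239.255.255.250:1900\r\n"
            b"CACHE-CONTROL: max-age=1800\r\n"
            b"LOCATION: " + location.encode() + b"\r\n"
            b"NT: upnp:rootdevice\r\n"
            b"NTS: ssdp:alive\r\n"
            b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
            b"\r\n")


# Constructed samples: a normal announcement, a third-host LOCATION, an oversized one.
BENIGN = notify("http://192.168.1.20:5000/description.xml")
THIRD_HOST = notify("http://10.9.8.7/")
OVERLONG = notify("http://192.168.1.20:5000/" + "A" * 600)

if __name__ == "__main__":
    for label, pkt, src in [("benign", BENIGN, "192.168.1.20"),
                            ("third host", THIRD_HOST, "192.168.1.77"),
                            ("overlong", OVERLONG, "192.168.1.20")]:
        print(label, triage_notify(pkt, src, "192.168.1.0/24"))
    print(flood_sources([(i * 0.1, "192.168.1.77") for i in range(40)]))
```

The LOCATION check is the useful one for the DDoS scenario: a legitimate device announces its own description URL, so a LOCATION whose host is not the sending address, or lies outside the segment the multicast arrived from, is a directive that would make every listening UPnP host contact someone else. The length check is deliberately crude; it does not know the real buffer size, only that no genuine announcement needs a header that long.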


VENDOR RESPONSE

The vendor, Microsoft, has released security bulletin MS01-059 to address these vulnerabilities and recommends that affected users immediately apply the patch it provides. The company further recommends that affected users follow the common practice of blocking ports 1900 (UDP, used for SSDP discovery) and 5000 at the firewall to further mitigate the risk.


CREDIT
Discovered by Riley Hassell of eEye Digital Security.
