Microsoft Universal Plug and Play
Created 12/21/01
CVE 2001-0876
CVE 2001-0877
Impact
If a vulnerable version of UPnP is running, a remote attacker
could execute arbitrary commands with SYSTEM
privileges, cause the system to become unresponsive, or
create a distributed denial of service.
Background
The Microsoft Universal Plug and Play (UPnP) service allows a computer to discover and use network-based devices. A UPnP device announces its availability by sending a NOTIFY directive to the UPnP service.
UPnP is enabled by default on Windows XP operating
systems. It is also installed (but not enabled) by default
on Windows ME, and can be installed on Windows 98.
The Problems
CVE 2001-0876
There are two unrelated problems in the processing of NOTIFY
directives. The first problem is a buffer overflow condition.
A remote attacker could execute arbitrary commands with
SYSTEM privileges by sending a specially
crafted directive to the UPnP service.
CVE 2001-0877
The second problem results from insufficient restriction of the actions the UPnP service takes to gather information on a newly discovered device. The UPnP service contacts a URL (web address) included in the NOTIFY directive to retrieve this information. By supplying a URL pointing to a service which automatically returns data, such as echo or chargen, an attacker could cause the UPnP service to enter an endless loop which consumes all available memory, causing the machine to become unresponsive. Another possible attack would be to send a NOTIFY directive to a broadcast address, causing all UPnP servers on the destination network to contact a victim of the attacker's choice, thus creating a distributed denial of service attack.
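The two NOTIFY-processing problems above are both failures to bound untrusted input. The following added example (not code from the advisory or from Microsoft's UPnP service) shows the checks a UPnP control point would apply: a cap on header length, refusal of LOCATION URLs that point at echo or chargen, and a byte-limited read of the device description. The header cap, description cap, sample directives and the chargen stand-in are all constructed for the example.

```python
# Added example, not from the advisory: parse an SSDP NOTIFY directive with bounded
# header lengths, refuse LOCATION URLs aimed at echo/chargen, and cap the description read.
from urllib.parse import urlsplit

MAX_HEADER_LEN = 1024              # assumed per-header cap
MAX_DESCRIPTION_BYTES = 64 * 1024  # assumed cap on a device description
SUSPECT_PORTS = {7: "echo", 19: "chargen"}  # services named in the advisory

def parse_notify(raw):
    """Return (headers, problem); problem is None when the directive is acceptable."""
    lines = raw.decode("latin-1").split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        return {}, "not a NOTIFY directive"
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        if len(value) > MAX_HEADER_LEN:    # reject before any fixed buffer sees it
            return headers, "header %s exceeds %d bytes" % (name, MAX_HEADER_LEN)
        headers[name.strip().lower()] = value.strip()
    return headers, check_location(headers.get("location", ""))

def check_location(url):
    """Reject LOCATION values the service should not contact."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return "LOCATION is not an http URL"
    if parts.port in SUSPECT_PORTS:
        return "LOCATION points at %s (port %d)" % (SUSPECT_PORTS[parts.port], parts.port)
    return None

def read_description(stream, limit=MAX_DESCRIPTION_BYTES):
    """Read at most `limit` bytes; a read-until-EOF loop never returns from chargen."""
    buf = bytearray()
    while len(buf) < limit:
        chunk = stream.read(min(4096, limit - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
    return bytes(buf)

class ChargenStream:
    """Constructed stand-in for chargen: always returns data, never EOF."""
    def read(self, n):
        return (b"0123456789" * (n // 10 + 1))[:n]

# Constructed sample directives (RFC 5737 documentation addresses).
BENIGN = b"NOTIFY * HTTP/1.1\r\nLOCATION: http://192.0.2.10:5000/desc.xml\r\nNTS: ssdp:alive\r\n\r\n"
SUSPECT = b"NOTIFY * HTTP/1.1\r\nLOCATION: http://192.0.2.20:19/\r\nNTS: ssdp:alive\r\n\r\n"
```

Against ChargenStream, read_description returns after exactly `limit` bytes, whereas the unbounded behaviour the advisory describes would grow the buffer until memory is exhausted.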
Resolution
Apply the appropriate patch for your operating system. Patch
information can be found in
Microsoft Security Bulletin 01-059.
Where can I read more about this?
For more information, see Microsoft Security Bulletin 01-059, CERT Advisory 2001-37, and eEye advisory 20011220.