Twenty Year Anniversary

ms01-059

ms01-059
Posted Dec 21, 2001

Microsoft Security Advisory MS01-059 - Two unrelated buffer overflows have been found in the Microsoft UPnP service. A overflow in the NOTIFY directive allows remote attackers to execute arbitrary code. The second vulnerability crashes the machine. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed. Microsoft FAQ on this issue available here.

tags | remote, overflow, arbitrary
systems | windows, 9x, me
MD5 | ebf378945d3daf074db1ccefccfb9f77

ms01-059

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Unchecked Buffer in Universal Plug and Play can Lead
to System Compromise
Date: 20 December 2001
Software: Windows 98, Windows 98SE, Windows ME, Windows XP
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS01-059

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp.
- ----------------------------------------------------------------------

Issue:
======
The Universal Plug and Play (UPnP) service allows computers to
discover and use network-based devices. Windows ME and XP
include native UPnP services; Windows 98 and 98SE do not include a
native UPnP service, but one can be installed via the
Internet Connection Sharing client that ships with Windows XP. This
bulletin discusses two vulnerabilities affecting these
UPnP implementations. Although the vulnerabilities are unrelated,
both involve how UPnP-capable computers handle the
discovery of new devices on the network.

The first vulnerability is a buffer overrun vulnerability. There is
an unchecked buffer in one of the components that handle
NOTIFY directives - messages that advertise the availability of
UPnP-capable devices on the network. By sending a specially
malformed NOTIFY directive, it would be possible for an attacker to
cause code to run in the context of the UPnP service,
which runs with System privileges on Windows XP. (On Windows 98 and
Windows ME, all code executes as part of the operating
system). This would enable the attacker to gain complete control over
the system.

The second vulnerability results because the UPnP doesn't
sufficiently limit the steps to which the UPnP service will go to
obtain information on using a newly discovered device. Within the
NOTIFY directive that a new UPnP device sends is
information telling interested computers where to obtain its device
description, which lists the services the device offers
and instructions for using them. By design, the device description
may reside on a third-party server rather than on the
device itself. However, the UPnP implementations don't adequately
regulate how it performs this operation, and this gives
rise to two different denial of service scenarios.

In the first scenario, the attacker could send a NOTIFY directive to
a UPnP-capable computer, specifying that the device
description should be downloaded from a particular port on a
particular server. If the server was configured to simply echo
the download requests back to the UPnP service (e.g., by having the
echo service running on the port that the computer was
directed to), the computer could be made to enter an endless download
cycle that could consume some or all of the system's
availability. An attacker could craft and send this directive to a
victim's machine directly, by using the machine's IP
address. Or, he could send this same directive to a broadcast and
multicast domain and attack all affected machines within
earshot, consuming some or all of those systems' availability.

In the second scenario, an attacker could specify a third-party
server as the host for the device description in the NOTIFY
directive. If enough machines responded to the directive, it could
have the effect of flooding the third-party server with
bogus requests, in a distributed denial of service attack. As with
the first scenario, an attacker could either send the
directives to the victim directly, or to a broadcast or multicast
domain.

Mitigating Factors:
====================
General:
- Standard firewalling practices (specifically, blocking ports
1900 and 5000) could be used to protect corporate networks
from Internet-based attacks.

Windows 98 and 98SE:
- There is no native UPnP support for these systems. Windows 98
and 98SE systems would only be affected if the Internet Connection
Sharing Client from Windows XP had been installed on the system.
- Windows 98 and 98SE machines that have installed the Internet
Connection Sharing client from a Windows XP system that has
already applied this patch are not vulnerable.

Windows ME:
- Windows ME provides native UPnP support, but it is neither
installed nor running by default. (However, some OEMs do
configure pre-built systems with the service installed and
running).

Windows XP:
- Internet Connection Firewall, which runs by default, would make it
significantly more difficult for an attacker to determine the IP
address of an affected machine. This could impede an attacker's
ability to attack a machine via unicast messages. However, attacks
via multicast or broadcast would still be possible.

Risk Rating:
============
Buffer Overrun:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98,
Windows 98SE and Windows ME

Denial of service:
- Internet servers: None
- Intranet servers: None
- Client systems: Moderate

Aggregate risk:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98,
Windows 98SE and Windows ME

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-059.asp
for information on obtaining this patch.

Acknowledgment:
===============
- eEye Digital Security (http://www.eeye.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPCIq2o0ZSRQxA/UrAQH+xAgAphhsTCZolsfklKINVM/tEl7H+8bHUC9b
zB7xrj1Ml39Rt/TQLN643OOaLLB0oaXOKs61KTcWN2DMNZfp5Zl06pVUk71IQfEW
p1t1oXoDCoxV0V5hz3t3BzxQwqRXCxIuRQ4KxNxJ07H+OJALE9mxC9mW045PQ6os
EHKt9i/+ODDATp4nX8bjm/BKHslYTdzhtl2WJ4rqrkrHwSLFAe0oxFkVrUter2ta
JdTYQ9yovGIgit60wmnwTL4oS9u5sizxjzUVWH8BOND1A7pA3OmmGXPyZb8u1FF2
K3h1oCywckF0bf/vlqrQo5jsb3HGWIAR243pW3XCZgOMmSPa2ZYEnA==
=O6Fg
-----END PGP SIGNATURE-----

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close