what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

iDEFENSE Security Advisory 2007-04-10.1

iDEFENSE Security Advisory 2007-04-10.1
Posted Apr 11, 2007
Authored by iDefense Labs, Greg MacManus | Site idefense.com

iDefense Security Advisory 04.10.07 - Remote exploitation of a buffer overflow vulnerability in the Universal Plug-and-Play (UPnP) component of Microsoft Windows could allow an attacker to execute code in the context of the vulnerable service. The vulnerability specifically exists in the handling of HTTP headers sent to the UPnP control point as part of a request or notification. Because it processes certain fields without checking if there is enough storage space, a malicious request may cause a stack-based buffer overflow, potentially resulting in code execution.

tags | advisory, remote, web, overflow, code execution
systems | windows
advisories | CVE-2007-1204
SHA-256 | ab4897dd132f3ada926ed5cc95e25ce1257277131f313e19bec3542fc3a1c865

iDEFENSE Security Advisory 2007-04-10.1

Change Mirror Download
Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability

iDefense Security Advisory 04.10.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 10, 2007

I. BACKGROUND

Universal Plug and Play (UPnP) is a group of network protocols that work
together to enable devices to interact. UPnP lets a device announce
itself and look for other devices on the network, gives a mechanism to
control it and receive updates on the device's state. For more
information about UPnP, visit the following URL.

http://www.upnp.org/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in the Universal
Plug-and-Play (UPnP) component of Microsoft Windows could allow an
attacker to execute code in the context of the vulnerable service.

The vulnerability specifically exists in the handling of HTTP headers
sent to the UPnP control point as part of a request or notification.
Because it processes certain fields without checking if there is enough
storage space, a malicious request may cause a stack-based buffer
overflow, potentially resulting in code execution.

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute
arbitrary code in the context of the affected service, typically 'Local
Service' or 'Network Service'.

In order to exploit this vulnerability an attacker would need either
wired or wireless access to the local network. Additionally, they must
be able to connect to a port used for UPnP services. As UPnP is
designed to allow use without special configuration, Windows XP SP2 has
firewall exceptions active for ports which could be used in an attack.

Due to various security mechanisms implemented in Windows XP SP2 and a
variety of design choices, code execution may not be trivial even
though this is a stack based buffer overflow. A combination of factors
including a restriction on the total input size to the process and the
HTTP interface's restriction of input to characters allowed by the
protocol specification work together with system libraries compiled
with the "/SAFESEH" option and stack cookies to make exploitation more
difficult.

The UPnP service relies on the Simple Service Discovery Protocol (SSDP)
service to locate new devices. The SSDP service listens on UDP port
1900. Exploitation does not require the attacker to communicate with
UDP port 1900. However if the UPnP TCP port for the service is not yet
active, they may be able to activate it by sending a SSDP search
request or notification.

IV. DETECTION

This vulnerability has been confirmed to affect Windows XP SP2. As the
affected component is a library and not an application itself, other
applications and services may also be affected.

V. WORKAROUND

The follow actions will mitigate exposure to this vulnerability.

* Disable the SSDP and UPnP services.
* Disable the Media Sharing functionality of Windows Media Player 11.
* Delete firewall exceptions for the following ports.
* 1900/UDP (SSDP)
* 2869/TCP (UPnP Host Device)
* 10243/TCP (Windows Media Connect and Windows Media Player Network
Sharing Service)

These operations may affect the ability to detect and access some
UPnP-based resources.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within MS07-019. For more
information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-1204 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/06/2006 Initial vendor notification
12/06/2006 Initial vendor response
04/10/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus of iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close