Title: Microsoft UPnP NOTIFY Buffer Overflow Vulnerability
Severity: CRITICAL
Description:
Universal Plug and Play, or UPnP, is a service that allows hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME. For Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client. It should be noted that UPnP services are enabled on Windows XP by default.
The UPnP service can be accessed via TCP port 5000 or UDP port 1900.
When a new device is installed, it will broadcast a UDP NOTIFY packet to all devices on the UPnP network specifying the address and port for all other devices to download its description from. This information is stored in the location field, one of several comprising the NOTIFY message.
When processing the location field in a NOTIFY directive, UPnP server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet.
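The following is an added detection example, not part of the advisory and not Microsoft's or Juniper's code. It parses an SSDP NOTIFY message, splits the Location header into its host, port and path components, and flags any component whose length is far beyond what a legitimate device description URL needs. The length limits and the sample messages are constructed assumptions for this example; the limits should be tuned to the devices seen on your own network.

```python
from __future__ import annotations

import re

# Component length limits for the Location URL. These values are assumptions
# picked for this example: a legitimate description URL is a dotted-quad or
# short hostname, a port of at most five digits, and a short path such as
# /description.xml.
MAX_HOST_LEN = 64
MAX_PORT_LEN = 5
MAX_PATH_LEN = 256

# Shape of a description URL: scheme://host[:port][/path]
LOCATION_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<host>[^:/]*)"
    r"(?::(?P<port>[^/]*))?"
    r"(?P<path>/.*)?$"
)


def parse_ssdp(message: str) -> tuple[str, dict[str, str]]:
    """Split an SSDP (HTTP-over-UDP) message into its request line and a
    dict of headers. Header names are lower-cased; on duplicate headers the
    first value wins, which is what matters for the checks below."""
    lines = message.split("\r\n")
    request_line = lines[0].strip()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than abort
        headers.setdefault(name.strip().lower(), value.strip())
    return request_line, headers


def check_notify(message: str) -> list[str]:
    """Return a list of findings for one SSDP message. An empty list means the
    message is either not a NOTIFY or its Location field is within limits."""
    findings: list[str] = []
    request_line, headers = parse_ssdp(message)
    if not request_line.upper().startswith("NOTIFY "):
        return findings
    location = headers.get("location")
    if location is None:
        return findings  # e.g. an ssdp:byebye notification carries no Location
    m = LOCATION_RE.match(location)
    if m is None:
        findings.append("location is not a scheme://host[:port][/path] URL")
        return findings
    host = m.group("host")
    port = m.group("port") or ""
    path = m.group("path") or ""
    if len(host) > MAX_HOST_LEN:
        findings.append(f"host component is {len(host)} bytes (limit {MAX_HOST_LEN})")
    if len(port) > MAX_PORT_LEN:
        findings.append(f"port component is {len(port)} bytes (limit {MAX_PORT_LEN})")
    elif port and not port.isdigit():
        findings.append("port component is not numeric")
    if len(path) > MAX_PATH_LEN:
        findings.append(f"path component is {len(path)} bytes (limit {MAX_PATH_LEN})")
    return findings


# Constructed sample messages: a normal device announcement and one whose
# Location path is padded far beyond anything a real description URL needs.
BENIGN_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "LOCATION: http://192.0.2.10:5000/description.xml\r\n"
    "USN: uuid:example-device::upnp:rootdevice\r\n"
    "\r\n"
)

OVERLONG_NOTIFY = BENIGN_NOTIFY.replace(
    "/description.xml", "/" + "A" * 2000 + ".xml"
)


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_NOTIFY), ("overlong", OVERLONG_NOTIFY)):
        print(label, check_notify(msg) or "ok")
```

Run over a capture of UDP 1900 traffic, `check_notify` returns an empty list for ordinary announcements and a finding naming the oversized component for anything like the malformed message the advisory describes; a byebye notification without a Location header passes, so the check only fires on the field that the vulnerable parser actually copies.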
This condition may be exploitable in a number of different ways, depending on what is overwritten by attackers. An attacker may be able to overwrite a function pointer with a pointer to shellcode also supplied in the request. An attacker may also be able to replace a pointer that is written to, and the value that is written. This could allow for code execution through replacement of return addresses, function pointers, etc.
It should be noted that the service listens on broadcast and multicast interfaces. This could permit an attacker to exploit a number of systems without knowing their individual IP addresses if the exploitation method targets the UDP port. The condition is, however, exploitable over either TCP or UDP.
The UPnP service runs in the LOCAL SERVICE security context. An attacker who successfully exploits this vulnerability could gain control over the target host.
** Note: It has been reported that a worm might be propagating via this vulnerability.
It should be noted that Windows 98 and 98SE are not affected unless XP's Internet Connection Sharing client is installed.
Affected Products:
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows ME
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
References:
- Microsoft: Microsoft Security Bulletin MS01-059
- Microsoft: Microsoft Technet Security
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.