AL-2001.20 -- Microsoft Security Notification Bulletin MS01-059 Unchecked Buffer in Universal Plug and Play can Lead to System Compromise
Date: 21 December 2001
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
                        A U S C E R T   A L E R T

                       AL-2001.20 -- AUSCERT ALERT
          Microsoft Security Notification Bulletin MS01-059
 Unchecked Buffer in Universal Plug and Play can Lead to System Compromise
                            21 December 2001
===========================================================================

AusCERT Alert Summary
---------------------

Product:                UPnP Service
Vendor:                 Microsoft
Operating System:       Windows XP
                        Windows ME
                        Windows 98SE
                        Windows 98
Impact:                 System Compromise
                        Execute Arbitrary Code/Commands
                        Distributed Denial of Service
Access Required:        Remote

AusCERT is issuing this external security bulletin as an AUSCERT ALERT to
emphasize the significance of these vulnerabilities.

AusCERT advises sites running Windows XP, Windows ME with the Universal
Plug and Play service running, or Windows 98/98SE with the Windows XP
Internet Connection Sharing Client installed to confirm, from information
contained in this advisory, their exposure to these vulnerabilities and to
apply the vendor patches.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

- - ----------------------------------------------------------------------
Title:      Unchecked Buffer in Universal Plug and Play can Lead to
            System Compromise
Date:       20 December 2001
Software:   Windows 98, Windows 98SE, Windows ME, Windows XP
Impact:     Run code of attacker's choice
Max Risk:   Critical
Bulletin:   MS01-059

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp.
- - ----------------------------------------------------------------------

Issue:
======
The Universal Plug and Play (UPnP) service allows computers to discover
and use network-based devices. Windows ME and XP include native UPnP
services; Windows 98 and 98SE do not include a native UPnP service, but
one can be installed via the Internet Connection Sharing client that
ships with Windows XP. This bulletin discusses two vulnerabilities
affecting these UPnP implementations. Although the vulnerabilities are
unrelated, both involve how UPnP-capable computers handle the discovery
of new devices on the network.

The first vulnerability is a buffer overrun vulnerability. There is an
unchecked buffer in one of the components that handle NOTIFY directives -
messages that advertise the availability of UPnP-capable devices on the
network. By sending a specially malformed NOTIFY directive, it would be
possible for an attacker to cause code to run in the context of the UPnP
service, which runs with System privileges on Windows XP. (On Windows 98
and Windows ME, all code executes as part of the operating system.) This
would enable the attacker to gain complete control over the system.

The second vulnerability results because the UPnP service doesn't
sufficiently limit the steps it will take to obtain information on using
a newly discovered device. Within the NOTIFY directive that a new UPnP
device sends is information telling interested computers where to obtain
its device description, which lists the services the device offers and
instructions for using them. By design, the device description may reside
on a third-party server rather than on the device itself. However, the
UPnP implementations don't adequately regulate how they perform this
operation, and this gives rise to two different denial of service
scenarios.

In the first scenario, the attacker could send a NOTIFY directive to a
UPnP-capable computer, specifying that the device description should be
downloaded from a particular port on a particular server.
If the server was configured to simply echo the download requests back to
the UPnP service (e.g., by having the echo service running on the port
that the computer was directed to), the computer could be made to enter
an endless download cycle that could consume some or all of the system's
availability. An attacker could craft and send this directive to a
victim's machine directly, by using the machine's IP address. Or, he could
send this same directive to a broadcast and multicast domain and attack
all affected machines within earshot, consuming some or all of those
systems' availability.

In the second scenario, an attacker could specify a third-party server as
the host for the device description in the NOTIFY directive. If enough
machines responded to the directive, it could have the effect of flooding
the third-party server with bogus requests, in a distributed denial of
service attack. As with the first scenario, an attacker could either send
the directives to the victim directly, or to a broadcast or multicast
domain.

Mitigating Factors:
====================
General:
 - Standard firewalling practices (specifically, blocking ports 1900 and
   5000) could be used to protect corporate networks from Internet-based
   attacks.

Windows 98 and 98SE:
 - There is no native UPnP support for these systems. Windows 98 and 98SE
   systems would only be affected if the Internet Connection Sharing
   Client from Windows XP had been installed on the system.
 - Windows 98 and 98SE machines that have installed the Internet
   Connection Sharing client from a Windows XP system that has already
   applied this patch are not vulnerable.

Windows ME:
 - Windows ME provides native UPnP support, but it is neither installed
   nor running by default. (However, some OEMs do configure pre-built
   systems with the service installed and running.)

Windows XP:
 - Internet Connection Firewall, which runs by default, would make it
   significantly more difficult for an attacker to determine the IP
   address of an affected machine. This could impede an attacker's
   ability to attack a machine via unicast messages. However, attacks via
   multicast or broadcast would still be possible.

Risk Rating:
============
Buffer Overrun:
 - Internet servers: None
 - Intranet servers: None
 - Client systems: Critical for Windows XP, moderate for Windows 98,
   Windows 98SE and Windows ME
Denial of service:
 - Internet servers: None
 - Intranet servers: None
 - Client systems: Moderate
Aggregate risk:
 - Internet servers: None
 - Intranet servers: None
 - Client systems: Critical for Windows XP, moderate for Windows 98,
   Windows 98SE and Windows ME

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms01-059.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - eEye Digital Security (http://www.eeye.com)

- - ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER
INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS
PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPCIq2o0ZSRQxA/UrAQH+xAgAphhsTCZolsfklKINVM/tEl7H+8bHUC9b
zB7xrj1Ml39Rt/TQLN643OOaLLB0oaXOKs61KTcWN2DMNZfp5Zl06pVUk71IQfEW
p1t1oXoDCoxV0V5hz3t3BzxQwqRXCxIuRQ4KxNxJ07H+OJALE9mxC9mW045PQ6os
EHKt9i/+ODDATp4nX8bjm/BKHslYTdzhtl2WJ4rqrkrHwSLFAe0oxFkVrUter2ta
JdTYQ9yovGIgit60wmnwTL4oS9u5sizxjzUVWH8BOND1A7pA3OmmGXPyZb8u1FF2
K3h1oCywckF0bf/vlqrQo5jsb3HGWIAR243pW3XCZgOMmSPa2ZYEnA==
=O6Fg
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This alert is provided as a service to AusCERT's members. As AusCERT did
not write the document quoted above, AusCERT has had no control over its
content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the alert. It may not be
updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories, alerts, and external security bulletins can be
retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPCL+pCh9+71yA2DNAQEUpgP/c3hQwLGSTUNLPyjD+bbnLroNdPXkiz8e
UbE0k3ma1pvPVJEzGH5CcFbgiD5eCOBBT2yq7IJQJGWraYjy0A/bYMhw0YRIhE+u
xD8mtpvzGiPMm+RRp8frYVau3n7zNGUradJx9wSfa+Frt8JCYv5l9sWfBhFbVdsW
b4Lt6zVgvK8=
=rTgm
-----END PGP SIGNATURE-----
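The two failure classes the bulletin above describes (an unchecked buffer in NOTIFY handling, and a device-description download that the service never bounds) can both be illustrated with a small receiver-side policy. The block below is an added example for this page; it is not part of the AusCERT alert or of Microsoft's bulletin, and it is not Microsoft's UPnP code. It parses an SSDP NOTIFY with a length check on every header before anything is copied, applies a policy to the LOCATION URL that refuses off-link, loopback, multicast and echo-port targets, and reads the description under a byte budget so that a server which echoes the request back forever is abandoned instead of looping. The bounds, the 192.168.1.0/24 local network, the port policy, the end-of-document marker, the sample datagrams and the echo stand-in are all assumptions of this example; the on-link rule is deliberately stricter than the UPnP design the bulletin describes, where the description may legitimately live on a third-party server.

```python
"""Bounded SSDP NOTIFY parsing and device-description fetch policy.

Added example only; not Microsoft's UPnP code. Every bound, the local
network, the port policy and the sample datagrams are constructed.
"""
import ipaddress
from typing import Iterator, Optional, Tuple
from urllib.parse import urlsplit

MAX_LINE = 512                     # assumed: longest header line accepted
MAX_HEADERS = 32                   # assumed: most header lines accepted
MAX_DESCRIPTION_BYTES = 64 * 1024  # assumed: cap on one description download
ECHO_PORT = 7                      # TCP echo service (RFC 862)
LOCAL_NET = ipaddress.IPv4Network("192.168.1.0/24")  # assumed local link


class NotifyError(ValueError):
    """Raised when a NOTIFY is rejected before any part of it is acted on."""


def parse_notify(raw: bytes) -> dict:
    """Parse an SSDP NOTIFY into a header dict, checking lengths first.

    A fixed-size buffer is only safe if each header is checked against it
    before the copy; an oversized line rejects the whole datagram here.
    """
    if len(raw) > (MAX_HEADERS + 2) * MAX_LINE:
        raise NotifyError("datagram larger than any legitimate NOTIFY")
    lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    if lines[0] != b"NOTIFY * HTTP/1.1":
        raise NotifyError("not a NOTIFY request line")
    if len(lines) - 1 > MAX_HEADERS:
        raise NotifyError("too many header lines")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        if len(line) > MAX_LINE:
            raise NotifyError(f"header line exceeds {MAX_LINE} bytes")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise NotifyError("malformed header line")
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace"))
    return headers


def location_allowed(location: str,
                     local_net: ipaddress.IPv4Network) -> Tuple[bool, str]:
    """Decide whether a NOTIFY's Location URL may be fetched at all.

    Assumed policy: plain http, a literal IPv4 host on the local link, no
    loopback or multicast target, port 80 or an unprivileged port, and
    never the echo port that turns a fetch into an endless loop.
    """
    try:
        url = urlsplit(location)
        port = url.port if url.port is not None else 80
    except ValueError:
        return False, "unparseable URL or port"
    if url.scheme != "http" or url.hostname is None:
        return False, "only plain http with an explicit host is fetched"
    try:
        host = ipaddress.IPv4Address(url.hostname)
    except ValueError:
        return False, "host must be a literal IPv4 address, not a name"
    if host.is_loopback or host.is_multicast or host not in local_net:
        return False, "host is not a unicast address on the local link"
    if port == ECHO_PORT or (port < 1024 and port != 80):
        return False, f"refusing port {port}"
    return True, "ok"


def fetch_description(chunks: Iterator[bytes],
                      budget: int = MAX_DESCRIPTION_BYTES) -> Optional[bytes]:
    """Read a description from a chunk stream; return None past `budget`.

    Without the budget, a server echoing the request back forever keeps
    this loop running: the bulletin's endless-download scenario.
    """
    got = bytearray()
    for chunk in chunks:
        got += chunk
        if len(got) > budget:
            return None                  # abandoned: budget exhausted
        if got.endswith(b"</root>"):     # assumed end of a description
            break
    return bytes(got)


def echo_server(request: bytes) -> Iterator[bytes]:
    """Constructed stand-in for an echo service: yields the request forever."""
    while True:
        yield request


# Constructed sample datagrams, not captured traffic.
GOOD_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
               b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
               b"LOCATION: http://192.168.1.20:5000/desc.xml\r\n"
               b"USN: uuid:example-device::upnp:rootdevice\r\n\r\n")
OVERSIZED_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nLOCATION: http://192.168.1.20/"
                    + b"A" * 4000 + b"\r\n\r\n")
ECHO_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
               b"LOCATION: http://203.0.113.9:7/desc.xml\r\n\r\n")


def triage(raw: bytes, local_net: ipaddress.IPv4Network = LOCAL_NET) -> str:
    """Run one datagram through both checks and return a verdict string."""
    try:
        headers = parse_notify(raw)
    except NotifyError as exc:
        return f"drop: {exc}"
    ok, reason = location_allowed(headers.get("location", ""), local_net)
    return "fetch" if ok else f"drop: {reason}"
```

Calling triage on the three constructed datagrams yields "fetch" for the well-formed on-link advertisement and a "drop: ..." verdict for the oversized header and for the LOCATION that points at the echo port of an off-link server; fetch_description(echo_server(...)) returns None once the budget is spent instead of spinning. Only the parse and the URL policy run before any network activity, which is the order the bulletin's two scenarios call for: nothing is copied or fetched until the datagram has passed both.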