Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: iDefense Security Advisory 04.10.07: Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability



> -----Original Message-----
> From: idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefense.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefense.com]
> On Behalf Of iDefense Labs Security Advisories
> Sent: Tuesday, April 10, 2007 11:00 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 04.10.07: Microsoft Windows Universal Plug
> and Play Memory Corruption Vulnerability
> 
> Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability
> 
> iDefense Security Advisory 04.10.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Apr 10, 2007
> 
> I. BACKGROUND
> 
> Universal Plug and Play (UPnP) is a group of network protocols that work
> together to enable devices to interact. UPnP lets a device announce
> itself and look for other devices on the network, and gives a mechanism
> to control it and receive updates on the device's state. For more
> information about UPnP, visit the following URL.
> 
> http://www.upnp.org/
> 
> II. DESCRIPTION
> 
> Remote exploitation of a buffer overflow vulnerability in the Universal
> Plug-and-Play (UPnP) component of Microsoft Windows could allow an
> attacker to execute code in the context of the vulnerable service.
> 
> The vulnerability specifically exists in the handling of HTTP headers
> sent to the UPnP control point as part of a request or notification.
> Because it processes certain fields without checking if there is enough
> storage space, a malicious request may cause a stack-based buffer
> overflow, potentially resulting in code execution.
> 
> III. ANALYSIS
> 
> Exploitation of this vulnerability would allow an attacker to execute
> arbitrary code in the context of the affected service, typically 'Local
> Service' or 'Network Service'.
> 
> In order to exploit this vulnerability an attacker would need either
> wired or wireless access to the local network. Additionally, they must
> be able to connect to a port used for UPnP services. As UPnP is
> designed to allow use without special configuration, Windows XP SP2 has
> firewall exceptions active for ports which could be used in an attack.
> 
> Due to various security mechanisms implemented in Windows XP SP2 and a
> variety of design choices, code execution may not be trivial even
> though this is a stack based buffer overflow. A combination of factors
> including a restriction on the total input size to the process and the
> HTTP interface's restriction of input to characters allowed by the
> protocol specification work together with system libraries compiled
> with the "/SAFESEH" option and stack cookies to make exploitation more
> difficult.
> 
> The UPnP service relies on the Simple Service Discovery Protocol (SSDP)
> service to locate new devices. The SSDP service listens on UDP port
> 1900. Exploitation does not require the attacker to communicate with
> UDP port 1900. However, if the UPnP TCP port for the service is not yet
> active, they may be able to activate it by sending an SSDP search
> request or notification.
> 
> IV. DETECTION
> 
> This vulnerability has been confirmed to affect Windows XP SP2. As the
> affected component is a library and not an application itself, other
> applications and services may also be affected.
> 
> V. WORKAROUND
> 
> The following actions will mitigate exposure to this vulnerability.
> 
>   * Disable the SSDP and UPnP services.
>   * Disable the Media Sharing functionality of Windows Media Player 11.
>   * Delete firewall exceptions for the following ports.
>     * 1900/UDP (SSDP)
>     * 2869/TCP (UPnP Host Device)
>     * 10243/TCP (Windows Media Connect and Windows Media Player Network
>       Sharing Service)
> 
> These operations may affect the ability to detect and access some
> UPnP-based resources.
> 
> VI. VENDOR RESPONSE
> 
> Microsoft has addressed this vulnerability within MS07-019. For more
> information, consult their bulletin at the following URL.
> 
> http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx
> 
> VII. CVE INFORMATION
> 
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2007-1204 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> 
> VIII. DISCLOSURE TIMELINE
> 
> 12/06/2006  Initial vendor notification
> 12/06/2006  Initial vendor response
> 04/10/2007  Coordinated public disclosure
> 
> IX. CREDIT
> 
> This vulnerability was discovered by Greg MacManus of iDefense Labs.
> 
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
> 
> Free tools, research and upcoming events
> http://labs.idefense.com/
> 
> X. LEGAL NOTICES
> 
> Copyright (c) 2007 iDefense, Inc.
> 
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> 
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> _______________________________________________
> To unsubscribe, go here:
> http://www.idefense.com/mailman/listinfo/idlabs-advisories
> 
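
The header-handling defect the advisory describes (section II) and the SSDP discovery step it mentions (section III), as an added example that is not part of the forwarded message and is not Microsoft's code: a miniature HTTPU/SSDP header parser with the unchecked copy into a fixed stack buffer beside a bounded form that applies the three limits the advisory says work against exploitation (a cap on total input size, a cap on the field value, and rejection of bytes an HTTP field value may not carry), plus the M-SEARCH datagram the advisory says may bring up the UPnP TCP listener. The sample NOTIFY datagram, its address, port and UUID, the MAX_MSG and MAX_VALUE caps, and every function name are constructed for this example.

```c
/* Added example (not Microsoft's code): bounded SSDP/HTTPU header handling. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG   2048   /* assumed cap on a whole datagram */
#define MAX_VALUE 256    /* assumed cap on one header value */

/* Constructed SSDP NOTIFY datagram; the address, port and UUID are invented. */
static const char SAMPLE_NOTIFY[] =
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.23:2869/rootdesc.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n";

/* Constructed datagram with a control byte (0x01) inside a header value. */
static const char SAMPLE_BAD[] = "NOTIFY * HTTP/1.1\r\nNT: upnp:\001rootdevice\r\n\r\n";

/* Case-insensitive "Name:" match at the start of a header line. */
static int name_matches(const char *line, const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i])) return 0;
    return line[i] == ':';
}

/* Pointer to the value of header `name` (leading blanks skipped), or NULL. */
static const char *find_value(const char *msg, const char *name)
{
    const char *crlf = strstr(msg, "\r\n");          /* end of the request line */
    while (crlf != NULL && crlf[2] != '\0' && crlf[2] != '\r') {
        const char *line = crlf + 2;
        if (name_matches(line, name)) {
            const char *v = line + strlen(name) + 1;
            while (*v == ' ' || *v == '\t') v++;
            return v;
        }
        crlf = strstr(line, "\r\n");
    }
    return NULL;
}

/* First gate: refuse oversized input or input lacking the terminating blank line. */
int datagram_ok(const char *buf, size_t len)
{
    return len > 0 && len <= MAX_MSG && strstr(buf, "\r\n\r\n") != NULL;
}

/* The bug class in miniature: the value lands in a fixed stack buffer with no
 * check that it fits. Illustrative only; a value over 31 bytes overruns local[]. */
size_t copy_header_unchecked(const char *msg, const char *name)
{
    char local[32];
    const char *v = find_value(msg, name);
    size_t n = (v != NULL) ? strcspn(v, "\r\n") : 0;
    if (v != NULL) memcpy(local, v, n);              /* unbounded copy */
    local[n] = '\0';
    return strlen(local);
}

/* Hardened form: copy only if the value fits the caller's buffer and the value
 * cap, and reject bytes a field value may not carry (CTLs other than HTAB).
 * Returns the value length, or -1 when absent, too long or malformed. */
int copy_header_checked(const char *msg, const char *name, char *out, size_t outlen)
{
    const char *v = find_value(msg, name);
    size_t n, i;
    if (v == NULL) return -1;
    n = strcspn(v, "\r\n");
    if (n >= outlen || n > MAX_VALUE) return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if ((c < 0x20 && c != '\t') || c == 0x7f) return -1;
    }
    memcpy(out, v, n);
    out[n] = '\0';
    return (int)n;
}

/* The SSDP search the advisory says may bring up the UPnP TCP listener.
 * Returns the datagram length, or -1 if it does not fit in out[]. */
int build_msearch(char *out, size_t outlen, const char *st, int mx)
{
    int n = snprintf(out, outlen,
                     "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                     "MAN: \"ssdp:discover\"\r\nMX: %d\r\nST: %s\r\n\r\n", mx, st);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char value[MAX_VALUE + 1], req[256];
    if (datagram_ok(SAMPLE_NOTIFY, sizeof SAMPLE_NOTIFY - 1) &&
        copy_header_checked(SAMPLE_NOTIFY, "location", value, sizeof value) > 0)
        printf("LOCATION: %s\n", value);
    if (build_msearch(req, sizeof req, "upnp:rootdevice", 2) > 0) fputs(req, stdout);
    return 0;
}
```

copy_header_unchecked is the "before" picture and is only ever fed the short, trusted sample here; on a value longer than its local buffer it does exactly what the advisory describes. The checked form fails closed on three independent conditions (absent header, value longer than the destination or the cap, CTL byte in the value), which is the order of checks a parser for this kind of line-oriented protocol should apply before any copy is made.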
