Thread-topic: iDefense Security Advisory 04.10.07: Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability
> -----Original Message-----
> @idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Tuesday, April 10, 2007 11:00 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 04.10.07: Microsoft
> Windows Universal Plug and Play Memory Corruption Vulnerability
> Microsoft Windows Universal Plug and Play Memory Corruption
> iDefense Security Advisory 04.10.07
> Apr 10, 2007
> I. BACKGROUND
> Universal Plug and Play (UPnP) is a group of network protocols that work
> together to enable devices to interact. UPnP lets a device announce
> itself and look for other devices on the network, gives a mechanism to
> control it and receive updates on the device's state. For more
> information about UPnP, visit the following URL.
> II. DESCRIPTION
> Remote exploitation of a buffer overflow vulnerability in the
> Plug-and-Play (UPnP) component of Microsoft Windows could allow an
> attacker to execute code in the context of the vulnerable service.
> The vulnerability specifically exists in the handling of HTTP headers
> sent to the UPnP control point as part of a request or notification.
> Because it processes certain fields without checking if there is enough
> storage space, a malicious request may cause a stack-based buffer
> overflow, potentially resulting in code execution.
> III. ANALYSIS
> Exploitation of this vulnerability would allow an attacker to execute
> arbitrary code in the context of the affected service, typically 'Local
> Service' or 'Network Service'.
> In order to exploit this vulnerability an attacker would need either
> wired or wireless access to the local network. Additionally, they must
> be able to connect to a port used for UPnP services. As UPnP is
> designed to allow use without special configuration, Windows XP SP2 has
> firewall exceptions active for ports which could be used in an attack.
> Due to various security mechanisms implemented in Windows XP SP2 and a
> variety of design choices, code execution may not be trivial even
> though this is a stack based buffer overflow. A combination of factors
> including a restriction on the total input size to the process and the
> HTTP interface's restriction of input to characters allowed by the
> protocol specification work together with system libraries compiled
> with the "/SAFESEH" option and stack cookies to make exploitation more
> The UPnP service relies on the Simple Service Discovery Protocol (SSDP)
> service to locate new devices. The SSDP service listens on UDP port
> 1900. Exploitation does not require the attacker to communicate with
> UDP port 1900. However if the UPnP TCP port for the service is not yet
> active, they may be able to activate it by sending a SSDP search
> request or notification.
> IV. DETECTION
> This vulnerability has been confirmed to affect Windows XP SP2. As the
> affected component is a library and not an application itself, other
> applications and services may also be affected.
> V. WORKAROUND
> The following actions will mitigate exposure to this vulnerability.
> * Disable the SSDP and UPnP services.
> * Disable the Media Sharing functionality of Windows Media Player 11.
> * Delete firewall exceptions for the following ports.
> * 1900/UDP (SSDP)
> * 2869/TCP (UPnP Host Device)
> * 10243/TCP (Windows Media Connect and Windows Media Player Network
> Sharing Service)
> These operations may affect the ability to detect and access some
> UPnP-based resources.
> VI. VENDOR RESPONSE
> Microsoft has addressed this vulnerability within MS07-019. For more
> information, consult their bulletin at the following URL.
> VII. CVE INFORMATION
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2007-1204 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
> VIII. DISCLOSURE TIMELINE
> 12/06/2006 Initial vendor notification
> 12/06/2006 Initial vendor response
> 04/10/2007 Coordinated public disclosure
> IX. CREDIT
> This vulnerability was discovered by Greg MacManus of iDefense Labs.
> Get paid for vulnerability research
> Free tools, research and upcoming events
> X. LEGAL NOTICES
> Copyright (c) 2007 iDefense, Inc.
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
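The Section V workaround, written out as an XP SP2 batch script. This is an added example, not part of the iDefense advisory and not Microsoft's guidance; it assumes an Administrator command prompt on Windows XP SP2, the standard service short names SSDPSRV (SSDP Discovery Service), upnphost (Universal Plug and Play Device Host) and WMPNetworkSvc (Windows Media Player Network Sharing Service, present only when Windows Media Player 11 is installed), and the XP-era `netsh firewall` syntax (Vista and later replaced it with `netsh advfirewall`). It disables the services, removes the three firewall exceptions named in the advisory, and then verifies the result.

```batch
@echo off
REM Added example (not from the iDefense advisory): apply the Section V
REM workaround on Windows XP SP2 and show the resulting state.
REM Service short names are the standard XP names; confirm with "sc query <name>".
REM Run from an Administrator command prompt.

REM 1. Stop and disable the SSDP Discovery Service and the UPnP Device Host.
REM    "sc stop" on an already-stopped service returns error 1062; harmless.
sc stop SSDPSRV
sc config SSDPSRV start= disabled
sc stop upnphost
sc config upnphost start= disabled

REM 2. Stop and disable the Windows Media Player Network Sharing Service,
REM    the listener behind 10243/TCP when Media Sharing is enabled
REM    (only present when Windows Media Player 11 is installed).
sc stop WMPNetworkSvc
sc config WMPNetworkSvc start= disabled

REM 3. Remove the Windows Firewall exceptions for the ports the advisory lists.
REM    "netsh firewall" is XP SP2 syntax; Vista+ uses "netsh advfirewall".
netsh firewall delete portopening protocol=UDP port=1900
netsh firewall delete portopening protocol=TCP port=2869
netsh firewall delete portopening protocol=TCP port=10243

REM 4. Verify: no remaining exception for the three ports, and each service
REM    reports STATE : STOPPED and START_TYPE : DISABLED.
netsh firewall show portopening
for %%S in (SSDPSRV upnphost WMPNetworkSvc) do (
    echo --- %%S ---
    sc query %%S | findstr /C:"STATE"
    sc qc %%S | findstr /C:"START_TYPE"
)

REM 5. Confirm nothing is still bound locally on the UPnP / SSDP / WMP ports.
REM    Empty output here means no local listener remains on 1900, 2869 or 10243.
netstat -an | findstr /C:":1900 " /C:":2869 " /C:":10243 "
```

The verification steps matter more than the disable steps: as the advisory notes, an SSDP search request can cause the UPnP TCP port to be activated on demand, so checking `netstat -an` once after the script runs is not sufficient on its own; the service start type must be DISABLED so it cannot be brought up again.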