Thread-topic: iDefense Security Advisory 04.10.07: Microsoft Windows UniversalPlug and Play Memory Corruption Vulnerability
> -----Original Message-----
> From: idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefense.com
> [mailto:idlabs-advisories-bounces+vladimir.kazennov=billing.ru@idefense.com] On Behalf Of iDefense Labs Security Advisories
> Sent: Tuesday, April 10, 2007 11:00 PM
> To: iDefense Labs Security Advisories
> Subject: iDefense Security Advisory 04.10.07: Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability
>
> Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability
>
> iDefense Security Advisory 04.10.07
> http://labs.idefense.com/intelligence/vulnerabilities/
> Apr 10, 2007
>
> I. BACKGROUND
>
> Universal Plug and Play (UPnP) is a group of network protocols that work
> together to enable devices to interact. UPnP lets a device announce
> itself and look for other devices on the network, gives a mechanism to
> control it and receive updates on the device's state. For more
> information about UPnP, visit the following URL.
>
> http://www.upnp.org/
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow vulnerability in the Universal
> Plug-and-Play (UPnP) component of Microsoft Windows could allow an
> attacker to execute code in the context of the vulnerable service.
>
> The vulnerability specifically exists in the handling of HTTP headers
> sent to the UPnP control point as part of a request or notification.
> Because it processes certain fields without checking if there is enough
> storage space, a malicious request may cause a stack-based buffer
> overflow, potentially resulting in code execution.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability would allow an attacker to execute
> arbitrary code in the context of the affected service, typically 'Local
> Service' or 'Network Service'.
>
> In order to exploit this vulnerability an attacker would need either
> wired or wireless access to the local network. Additionally, they must
> be able to connect to a port used for UPnP services. As UPnP is
> designed to allow use without special configuration, Windows XP SP2 has
> firewall exceptions active for ports which could be used in an attack.
>
> Due to various security mechanisms implemented in Windows XP SP2 and a
> variety of design choices, code execution may not be trivial even
> though this is a stack based buffer overflow. A combination of factors
> including a restriction on the total input size to the process and the
> HTTP interface's restriction of input to characters allowed by the
> protocol specification work together with system libraries compiled
> with the "/SAFESEH" option and stack cookies to make exploitation more
> difficult.
>
> The UPnP service relies on the Simple Service Discovery Protocol (SSDP)
> service to locate new devices. The SSDP service listens on UDP port
> 1900. Exploitation does not require the attacker to communicate with
> UDP port 1900. However if the UPnP TCP port for the service is not yet
> active, they may be able to activate it by sending a SSDP search
> request or notification.
>
> IV. DETECTION
>
> This vulnerability has been confirmed to affect Windows XP SP2. As the
> affected component is a library and not an application itself, other
> applications and services may also be affected.
>
> V. WORKAROUND
>
> The following actions will mitigate exposure to this vulnerability.
>
> * Disable the SSDP and UPnP services.
> * Disable the Media Sharing functionality of Windows Media Player 11.
> * Delete firewall exceptions for the following ports.
>   * 1900/UDP (SSDP)
>   * 2869/TCP (UPnP Host Device)
>   * 10243/TCP (Windows Media Connect and Windows Media Player Network
>     Sharing Service)
>
> These operations may affect the ability to detect and access some
> UPnP-based resources.
>
> VI. VENDOR RESPONSE
>
> Microsoft has addressed this vulnerability within MS07-019. For more
> information, consult their bulletin at the following URL.
>
> http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2007-1204 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 12/06/2006 Initial vendor notification
> 12/06/2006 Initial vendor response
> 04/10/2007 Coordinated public disclosure
>
> IX. CREDIT
>
> This vulnerability was discovered by Greg MacManus of iDefense Labs.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright (c) 2007 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
>
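Section II above attributes the flaw to HTTP header fields that the UPnP control point processes without checking available storage. The following defender-side script is an added example, not part of the advisory or any iDefense tooling: it parses a raw UPnP control message and reports headers whose value exceeds a length threshold, which is the kind of check an IDS rule or a log-review script for traffic to 2869/TCP would apply. The 256-byte threshold and both sample messages are assumptions constructed here.

```python
"""Flag UPnP control requests whose HTTP header values are oversized.

Added example (not iDefense's code). The threshold and sample messages
below are constructed for illustration; the advisory gives no numbers.
"""
from typing import Dict, List, Tuple

MAX_HEADER_VALUE = 256   # assumed alerting threshold, not from the advisory
UPNP_HTTP_PORT = 2869    # UPnP Host Device port named in the workaround


def parse_http_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/SSDP-style message into (request line, headers).

    Header names are upper-cased, as UPnP header matching is
    case-insensitive. Lines without a colon are skipped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return request_line, headers


def oversized_headers(raw: bytes, limit: int = MAX_HEADER_VALUE) -> List[str]:
    """Return the names of headers whose value is longer than `limit`."""
    _, headers = parse_http_headers(raw)
    return [name for name, value in headers.items() if len(value) > limit]


# Constructed sample traffic addressed to the UPnP host device port.
BENIGN = (b"POST /control HTTP/1.1\r\n"
          b"HOST: 192.168.1.10:2869\r\n"
          b"CONTENT-TYPE: text/xml; charset=\"utf-8\"\r\n"
          b"SOAPACTION: \"urn:schemas-upnp-org:service:Layer3Forwarding:1#GetDefaultConnectionService\"\r\n"
          b"\r\n<s:Envelope/>")

SUSPICIOUS = (b"NOTIFY / HTTP/1.1\r\n"
              b"HOST: 192.168.1.10:2869\r\n"
              b"NT: upnp:event\r\n"
              b"SID: uuid:" + b"A" * 600 + b"\r\n"
              b"\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, oversized_headers(msg))
```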