[ISN] RE: PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft Windows

From: InfoSec News (isnat_private)
Date: Thu Dec 27 2001 - 23:14:41 PST


    Forwarded from: "Marc Maiffret" <marcat_private>
    CC: <mrs_aida_capistranoat_private>
    We found the DoS and reported it to MS the day after XP shipped. They
    started working on that patch. Then not too long after (forget exactly
    how long) we found the DDoS and reported it. Then not too long after we
    found and reported the overflow.

    The overflow is trivial to fix because it's a programming mistake. The
    DoS is a bit harder to fix and kind of sticky because it has to do
    with design flaws in UPnP.

    The DDoS is a pain to fix. The guys that wrote the specs for the UPnP
    protocol designed a flawed protocol. Anyone that follows the protocol
    specs will create a flawed system, as happened with XP.

    Fixing the DDoS attack is a sticky situation. You have to go against
    how the protocol was designed, which means you potentially are going to
    break third-party systems that were designed to use UPnP. Microsoft
    did a good job fixing the DDoS in their UPnP implementation. They were
    able to fix it and hopefully not completely break a lot of people's
    ability to use UPnP. However, I am sure there are (I know there are) a
    lot of third-party hardware device makers (wireless ethernet, home
    hub/firewalls, toasters (hah) etc...) which are probably also
    vulnerable to a lot of UPnP protocol-level flaws.

    People need to hold off on using UPnP until the protocol has been
    written (rewritten) with security in mind. I am not sure how someone
    was able to spec the UPnP protocol and not see the glaring theoretical
    (yet proven once the spec is written as code) flaws in how UPnP is
    supposed to communicate. Hopefully the UPnP protocol does not catch on
    in its current form; otherwise we'll see a lot of devices being
    exploited because they'll make the same mistakes that were in XP.

    Oh well, how do you stop a technology that's already being shoved
    everywhere as the next greatest thing? This will be one of those cases
    where everyone has to be bitten before they pull back their shoddy
    technology, rework it, then re-release it. It's hard though for the
    engineers at some companies to explain to management why they need to
    delay shipping their product for a few months until they fix design
    flaw problems. :-o My nipple just got shocked. Must be my new
    Christmas gift that zaps me when I start rambling. I'll shut up now.

    All in all, MS took 2 months for 3 vulnerabilities and we don't think they
    were trying to stall or something of that nature.

    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    http://eEye.com/Retina - Network Security Scanner
    http://eEye.com/Iris - Network Traffic Analyzer
    http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities
    | -----Original Message-----
    | From: mrs_aida_capistranoat_private
    | [mailto:mrs_aida_capistranoat_private]
    | Sent: Thursday, December 27, 2001 2:41 PM
    | To: isnat_private
    | Cc: marcat_private
    | Subject: PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft
    | Windows
    | Hi there,
    |
    | I posted this to the main security lists today, but no one seems
    | interested. Chris at vulnwatch.org suggested I send it to attrition
    | and I am copying Marc, in case he wishes to verify this chain of
    | events or not. One can never tell if Microsoft is telling the
    | truth or not :-(
    |
    | Dear Ladies and Gentlemen,
    |
    | The following official statement was published in a Microsoft
    | news group on the 26th of December 2001 when many participants
    | queried why it took nearly two months for a patch to be developed
    | to address the Buffer Overflow in UPnP Service On Microsoft Windows:
    | http://www.eeye.com/html/Research/Advisories/AD20011220.html
    | http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
    |
    | It does not explain why these defective goods continued to ship
    | for the Christmas sales season but might be of interest to people
    | on these security mailing lists.
    |
    | Direct link to the news article on the server:
    | news://news.microsoft.com/#qAgniljBHA.2260@tkmsftngp07
    |
    | <squirt>
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 06:04:02 PST