Three Windows XP UPNP DOS attacks

From: 'ken'@FTU
Date: Thu Nov 01 2001 - 19:07:03 PST


    Below you will find a quick recap of a few denial of service exploits I
    discovered against Windows XP and selected versions of WinME. Microsoft
    confirmed my findings: bulletin MS01-54. The paper is a narrative and
    the author hopes it will be useful for newbies and an enjoyable paper
    for the experts.
    
    Do not hesitate to contact me at the following email address:
    franklin_tech_unlimitedat_private . It is also listed in the paper.
    
    - 'ken'
    
    ----------------------------------------------
    
    Just a side note: this paper really should be named 'I still haven't
    found what I'm looking for': I expected a buffer overflow.
    
    We are attacking a server named SSDPSRV bound to port 5000 running on XP
    or selected versions of WinME. This is Microsoft's UPNP server that is
    installed and runs by default on Windows XP.
    
    In two of the three hacks we are interested in a .dll named MSVCRT.dll.
    This library has a page fault that can be used to crash the application.
    
    The first DOS is simply due to bad code. We can send the application a
    specific header and it will crash the server. There is a page fault at
    0197:78004a16 in MSVCRT.dll.
    
    The second DOS is due to the way the SSDPSRV handles input. We can chew
    up memory by opening a connection, sending the proper header, and then
    just strings and strings of 'A's (or whatever else you like). If one
    connection is made and such strings are sent we will receive a page
    fault in MSVCRT.dll again. This time it is at 0197:010083fe. But, if we
    open approximately 200 connections and send the proper header followed
    by a string of 'A's we can deplete the system resources. Using a Pentium
    II 336 MHz machine I tested a Pentium IV 1.4 GHz with 128 MB of memory and
    took the system resources from 65% to 48% in 20 minutes. The only
    problem with this method is that it takes a substantial amount of time
    to send these strings over the network.
    
    The third and final DOS is the cool one. SSDPSRV cannot handle multiple
    connections well. If one opens up 1018 simultaneous connections one can
    temporarily freeze the machine. The user's keyboard and mouse input are
    held in the buffer but do not appear to register. With this attack one
    can sink the system resources under 4% in about a second. In a minute or
    two the system corrects itself.
    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 21:22:29 PST