CRIME FW: Advisory 01-030 "Universal Plug and Play Vulnerabilities"

From: George Heuston (GeorgeH@private)
Date: Thu Dec 20 2001 - 18:37:03 PST


    -----Original Message-----
    From: NIPC Watch
    Sent: 12/20/01 5:12 PM
    Subject: Advisory 01-030 "Universal Plug and Play Vulnerabilities"

    National Infrastructure Protection Center
    "Universal Plug and Play Vulnerabilities"
    Advisory 01-030
    20 December 2001

    The NIPC is tracking what Microsoft refers to as a critical
    vulnerability in the universal plug and play (UPnP) service in Windows
    XP, Millennium Edition (ME), and Windows 98 or 98SE systems.  This
    vulnerability could lead to denial of service attacks and system
    compromise.  Microsoft has released a patch for this vulnerability at
    the following site:

    Systems Affected:

    Windows XP installs and runs UPnP by default.

    Windows ME provides native support for UPnP, but it is neither installed
    nor running by default.

    Windows 98 and 98SE only use UPnP when specifically installed by the
    Internet Connection Sharing program.

    UPnP is a service that identifies and uses network-based devices.  There
    are two known vulnerabilities in the UPnP service.  The first
    vulnerability involves a buffer overflow in the UPnP service that could
    give an attacker system or root level access.  With this level of
    access, an attacker could execute any commands and take any actions they
    choose on the victim's computer.

    The second vulnerability is in the Simple Service Discovery Protocol
    (SSDP) that allows new devices on a network to be recognized by
    computers running UPnP by sending out a broadcast UDP packet.  Attackers
    can use this feature to send false UDP packets to a broadcast address
    hosting vulnerable Windows systems.  Once a vulnerable system receives
    this message, it will respond to the spoofed originating IP address.
    This can be exploited to cause a distributed denial of service attack.
    Another example of this vulnerability is if an attacker spoofed an
    address that had the character generator (chargen) service running.  If
    a vulnerable machine were to connect to the chargen service on a system,
    it could become stuck in a loop that would quickly consume system
    The NIPC encourages recipients of this alert to report computer
    intrusions to their local FBI office
    <>  or the NIPC, and to other
    appropriate authorities.  Recipients may report incidents online at
    <> , and can reach the NIPC Watch
    and Warning Unit at (202) 323-3205, 1-888-585-9078 or
    <> .
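Detection-side triage of the SSDP announcements the advisory describes, as an added example that is not part of the NIPC advisory or the forwarded mail: a UPnP client follows the LOCATION header of an SSDP NOTIFY to fetch the device description, so an announcement whose LOCATION points off the local segment, or at chargen (TCP 19), is the bait that produces the loop described above. The sample messages, addresses, subnet and port list are constructed for this example.

```python
"""Flag SSDP NOTIFY announcements that would lure a UPnP client off-segment."""
import ipaddress
from urllib.parse import urlsplit

# Legacy "small services" a device description should never be served from;
# 19 is chargen, the loop case from the advisory. Port list is an assumption.
SUSPICIOUS_PORTS = {7, 9, 13, 17, 19}


def parse_ssdp(message: str) -> dict:
    """Parse an HTTPU-style SSDP message into a dict of lowercased headers."""
    lines = message.replace("\r\n", "\n").strip("\n").split("\n")
    fields = {"_start": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def assess_notify(message: str, src_ip: str, local_net: str) -> list:
    """Return the reasons to distrust a NOTIFY seen on local_net (empty = benign)."""
    net = ipaddress.ip_network(local_net)
    hdr = parse_ssdp(message)
    reasons = []
    if not hdr["_start"].startswith("NOTIFY"):
        return reasons
    if ipaddress.ip_address(src_ip) not in net:
        reasons.append("source address off the local segment")
    loc = hdr.get("location")
    if not loc:
        return reasons + ["no LOCATION header"]
    url = urlsplit(loc)
    if url.scheme != "http" or url.hostname is None:
        return reasons + [f"malformed LOCATION: {loc}"]
    try:
        if ipaddress.ip_address(url.hostname) not in net:
            reasons.append(f"LOCATION host {url.hostname} off the local segment")
    except ValueError:  # hostname rather than a literal address
        reasons.append(f"LOCATION uses hostname {url.hostname}, not an address")
    port = url.port or 80
    if port in SUSPICIOUS_PORTS:
        reasons.append(f"LOCATION port {port} is a legacy echo/chargen service")
    return reasons


# Constructed samples: a normal announcement and one pointing at chargen.
BENIGN = ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
          "NTS: ssdp:alive\r\nLOCATION: http://192.168.1.20:2869/desc.xml\r\n\r\n")
CHARGEN_BAIT = ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
                "NTS: ssdp:alive\r\nLOCATION: http://203.0.113.9:19/\r\n\r\n")
```

Run `assess_notify(CHARGEN_BAIT, "192.168.1.77", "192.168.1.0/24")` to see both the off-segment host and the chargen port reported; the benign sample returns an empty list.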

    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:37:50 PDT