[VulnWatch] iDefense Security Advisory 04.10.07: Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability

From: iDefense Labs (labs-no-reply@private)
Date: Tue Apr 10 2007 - 11:59:50 PDT


Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability

iDefense Security Advisory 04.10.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 10, 2007

I. BACKGROUND

Universal Plug and Play (UPnP) is a group of network protocols that work
together to enable devices to interact. UPnP lets a device announce
itself and look for other devices on the network, and provides a
mechanism to control a device and receive updates on its state. For
more information about UPnP, visit the following URL.

http://www.upnp.org/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in the Universal
Plug-and-Play (UPnP) component of Microsoft Windows could allow an
attacker to execute code in the context of the vulnerable service.

The vulnerability specifically exists in the handling of HTTP headers
sent to the UPnP control point as part of a request or notification.
Because the component processes certain fields without checking whether
there is enough storage space, a malicious request may cause a
stack-based buffer overflow, potentially resulting in code execution.
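
The missing check described above, shown in its corrected form as an added example (not code from the advisory or from Microsoft): a header field is measured and validated before it is copied into a fixed-size buffer. The function name, status codes, 64-byte buffer and the sample header line are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

enum hdr_status { HDR_OK, HDR_NOT_FOUND, HDR_TOO_LONG, HDR_BAD_CHAR };

static int is_ows(char c) { return c == ' ' || c == '\t'; }
/* Bug class from section II, as a comment only (not Microsoft's code):
 *     char buf[64]; strcpy(buf, value);   <- value length never checked
 * Hardened form: measure the value, reject it if it cannot fit, then copy. */
enum hdr_status get_header_value(const char *line, size_t line_len,
                                 const char *name, char *out, size_t out_size)
{
    size_t name_len = strlen(name), start, end, i;
    if (out_size == 0) return HDR_TOO_LONG;
    out[0] = '\0';                 /* never hand back stale buffer contents */

    /* Field name must match case-insensitively and be followed by ':'. */
    if (line_len <= name_len || line[name_len] != ':') return HDR_NOT_FOUND;
    for (i = 0; i < name_len; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return HDR_NOT_FOUND;

    /* Trim trailing CR/LF/blanks and leading blanks around the value. */
    start = name_len + 1;
    end = line_len;
    while (end > start && (line[end - 1] == '\r' || line[end - 1] == '\n' ||
                           is_ows(line[end - 1])))
        end--;
    while (start < end && is_ows(line[start]))
        start++;

    /* Bounds check BEFORE any write: value plus terminating NUL must fit. */
    if (end - start >= out_size) return HDR_TOO_LONG;
    for (i = start; i < end; i++) {   /* printable ASCII and tab only */
        unsigned char c = (unsigned char)line[i];
        if (c >= 0x7f || (c < 0x20 && c != '\t')) return HDR_BAD_CHAR;
    }
    memcpy(out, line + start, end - start);
    out[end - start] = '\0';
    return HDR_OK;
}

int main(void)
{
    char buf[64];
    /* Constructed sample line; the advisory does not name the affected field. */
    const char *line = "LOCATION: http://192.0.2.10:2869/desc.xml\r\n";
    return get_header_value(line, strlen(line), "Location", buf, sizeof buf);
}
```

An oversized value is rejected outright rather than truncated, so the caller can drop the request instead of acting on a partial field.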

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute
arbitrary code in the context of the affected service, typically 'Local
Service' or 'Network Service'.

In order to exploit this vulnerability an attacker would need either
wired or wireless access to the local network. Additionally, they must
be able to connect to a port used for UPnP services. As UPnP is
designed to allow use without special configuration, Windows XP SP2 has
firewall exceptions active for ports which could be used in an attack.

Due to various security mechanisms implemented in Windows XP SP2 and a
variety of design choices, code execution may not be trivial even
though this is a stack-based buffer overflow. A restriction on the
total input size to the process and the HTTP interface's restriction of
input to characters allowed by the protocol specification work together
with system libraries compiled with the "/SAFESEH" option and stack
cookies to make exploitation more difficult.

The UPnP service relies on the Simple Service Discovery Protocol (SSDP)
service to locate new devices. The SSDP service listens on UDP port
1900. Exploitation does not require the attacker to communicate with
UDP port 1900. However, if the UPnP TCP port for the service is not yet
active, they may be able to activate it by sending an SSDP search
request or notification.

IV. DETECTION

This vulnerability has been confirmed to affect Windows XP SP2. As the
affected component is a library and not an application itself, other
applications and services may also be affected.

V. WORKAROUND

The following actions will mitigate exposure to this vulnerability.

  * Disable the SSDP and UPnP services.
  * Disable the Media Sharing functionality of Windows Media Player 11.
  * Delete firewall exceptions for the following ports.
    * 1900/UDP (SSDP)
    * 2869/TCP (UPnP Host Device)
    * 10243/TCP (Windows Media Connect and Windows Media Player Network
      Sharing Service)

These operations may affect the ability to detect and access some
UPnP-based resources.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within MS07-019. For more
information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-1204 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/06/2006  Initial vendor notification
12/06/2006  Initial vendor response
04/10/2007  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus of iDefense Labs.

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@private for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


