GEN:SID 1:1384
Message MISC UPnP malformed advertisement
Summary This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server.
Impact Attempted administrator access or denial of service.  A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
Detailed Information The UPnP is used to find network-based devices.  Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network.  A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP.  Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP.  The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
Affected Systems Microsoft Windows 98, 98SE, ME, XP
Attack Scenarios An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host.
Ease of Attack Simple. Exploit code is freely available.
Corrective Action Block inbound UPnP traffic.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
Rule References bugtraq: 3723
cve: 2001-0876
cve: 2001-0877
url: www.microsoft.com/technet/security/bulletin/MS01-059.mspx