GEN:SID | 1:1384 |
Message | MISC UPnP malformed advertisement |
Summary | This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server.
|
Impact | Attempted administrator access or denial of service. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
|
Detailed Information | The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP. Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
|
Affected Systems | Microsoft Windows 98, 98SE, ME, XP
|
Attack Scenarios | An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host.
|
Ease of Attack | Simple. Exploit code is freely available.
|
Corrective Action | Block inbound UPnP traffic.
|
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
|
Rule References | bugtraq: 3723
cve: 2001-0876
cve: 2001-0877
url: www.microsoft.com/technet/security/bulletin/MS01-059.mspx
|