GEN:SID 1:1388
Message MISC UPnP Location overflow
Summary This event is generated when a remote user attempts to send a NOTIFY directive with an overly long Location URL to an internal host's Universal Plug and Play (UPnP) server.
Impact Attempted administrator access.  A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
Detailed Information The UPnP is used to find network-based devices.  Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network.  A vulnerability exists that permits a malformed NOTIFY directive with an overly long Location URL to cause a buffer overflow on the remote host listening on UPnP.  The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
Affected Systems Microsoft Windows 98, 98SE, ME, XP
Attack Scenarios An attacker may obtain craft a malformed NOTIFY directive to execute arbitrary code on the victim host.
Ease of Attack Simple. Exploit code is freely available.
Corrective Action Block inbound UPnP traffic.
Additional References CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
Rule References bugtraq: 3723
cve: 2001-0876