GEN:SID | 1:1388 |
Message | MISC UPnP Location overflow |
Summary | This event is generated when a remote user attempts to send a NOTIFY directive with an overly long Location URL to an internal host's Universal Plug and Play (UPnP) server.
|
Impact | Attempted administrator access. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
|
Detailed Information | The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive with an overly long Location URL to cause a buffer overflow on the remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
|
Affected Systems | Microsoft Windows 98, 98SE, ME, XP
|
Attack Scenarios | An attacker may obtain craft a malformed NOTIFY directive to execute arbitrary code on the victim host.
|
Ease of Attack | Simple. Exploit code is freely available.
|
Corrective Action | Block inbound UPnP traffic.
|
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
|
Rule References | bugtraq: 3723
cve: 2001-0876
|