| GEN:SID | 1:1384 |
| Message | MISC UPnP malformed advertisement |
| Summary | This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server.
|
| Impact | Attempted administrator access or denial of service. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
|
| Detailed Information | The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP. Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
|
| Affected Systems | Microsoft Windows 98, 98SE, ME, XP
|
| Attack Scenarios | An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host.
|
| Ease of Attack | Simple. Exploit code is freely available.
|
| Corrective Action | Block inbound UPnP traffic.
|
| Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
|
| Rule References | bugtraq: 3723
cve: 2001-0876
cve: 2001-0877
url: www.microsoft.com/technet/security/bulletin/MS01-059.mspx
|