20 December, 2001
Symantec Enterprise Security Solutions check for susceptibility to the Microsoft UPnP Buffer Overflow and DoS vulnerabilities

Reference:
Microsoft Security Bulletin MS01-059, 20 December 2001
Unchecked Buffer in Universal Plug and Play can lead to System Compromise

EEye Digital Security Advisory, AD20011220, 20 December 2001
Multiple Remote Windows XP/ME/98 Vulnerabilities

Risk Impact:
Medium to High depending on system configuration

Affected:
Microsoft Windows 98 running XP Internet Connection Sharing Client
Microsoft Windows 98SE running XP Internet Connection Sharing Client
Microsoft Windows ME
Microsoft Windows XP

Overview:
Symantec Corporation advises its customers to be aware of multiple vulnerabilities in the Universal Plug and Play (UPnP) service that have recently been discovered in Microsoft Windows XP and ME and in Microsoft Windows 98 and 98SE running the XP Internet Connection Sharing Client. The more critical of the vulnerabilities is a buffer overflow in the UPnP service that can allow an attacker to run arbitrary code on the targeted system with SYSTEM-level privileges, potentially gaining complete control over the targeted system. Additional vulnerabilities can result in either a Denial of Service (DoS) against the targeted system or a possible Distributed Denial of Service (DDoS) attack against a network. These vulnerabilities were initially discovered by the eEye Digital Security Team and acknowledged by Microsoft.

Details:
Per Microsoft, the Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP.

In the case of the buffer overflow vulnerability, improper bounds checking is done by the component that handles NOTIFY directives. NOTIFY directives advertise the availability of UPnP-capable devices on the network. An attacker can send a specially constructed NOTIFY directive that causes code to run with the privileges of the UPnP service. The UPnP service runs with SYSTEM privileges on Windows XP and executes as part of the operating system on affected Windows 98, 98SE and Windows ME systems.

Properly constructed code would enable the attacker to gain complete control of the targeted system.

The Denial of Service vulnerabilities exist because the UPnP service does not limit the steps it takes to gather information about a newly discovered device. According to Microsoft, the NOTIFY directive that a new UPnP device sends contains information telling interested computers where to obtain its device description. This description lists the services the device offers and instructions for using them. By design, this description could reside on a third-party server rather than on the UPnP device itself. In the Denial of Service attacks, an attacker spoofs a NOTIFY directive to a UPnP-capable computer, specifying the server and port from which the UPnP device description can be downloaded. If the specified port on that server echoes requests back to the UPnP service (port 7, the echo port, for example), the targeted system could be made to enter an endless cycle that consumes most or all of its CPU resources. The malformed NOTIFY directive could be sent to a single targeted system using the IP address of the target, or the attacker could send the malformed directive to a broadcast or multicast domain and attack all affected machines listening on the network, consuming most or all of those systems' availability.

In the Distributed Denial of Service attack, the attacker specifies a third-party server as the host for the device description in the malformed NOTIFY directive. With sufficient machines responding to the directive, the third-party server could potentially be flooded with bogus UPnP description download requests. Again, the malformed directives could be sent directly to the target machine, or to a broadcast or multicast domain.
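As an added defender-side example (not part of the Symantec advisory or Microsoft's material), the following Python parses SSDP NOTIFY datagrams and flags the abuse patterns described above: a LOCATION URL aimed at a reflecting port such as echo/7 or at a host other than the sender, and oversized header values. The reflecting-port list beyond port 7, the length threshold and the sample datagrams are constructed assumptions.

```python
"""Added detection helper for the NOTIFY abuse described in MS01-059: flags a
LOCATION URL aimed at a reflecting port such as echo/7 or at a third-party
host (DoS/DDoS), and oversized header values (the overflow's general shape)."""
from urllib.parse import urlsplit

REFLECTING_PORTS = {7, 19}  # echo/7 is from the advisory; chargen/19 is an assumption
MAX_HEADER_VALUE = 256      # assumed sane upper bound for one SSDP header value


def parse_ssdp(datagram):
    """Return (request line, {HEADER-NAME: value}) for one SSDP datagram."""
    lines = datagram.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def inspect_notify(datagram, sender_ip):
    """Return a list of findings for one NOTIFY datagram (empty = nothing odd)."""
    request, headers = parse_ssdp(datagram)
    findings = []
    if not request.startswith("NOTIFY "):
        return findings
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"oversized {name} header ({len(value)} bytes)")
    location = headers.get("LOCATION")
    if location:
        url = urlsplit(location)
        if url.port in REFLECTING_PORTS:
            findings.append(f"LOCATION points at reflecting port {url.port}")
        if url.hostname and url.hostname != sender_ip:
            findings.append(f"LOCATION host {url.hostname} differs from sender {sender_ip}")
    return findings


# Constructed samples: a normal root-device advertisement and a spoofed one.
BENIGN = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"LOCATION: http://192.0.2.10:5000/upnp/desc.xml\r\n"
          b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n")
SPOOFED = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b"LOCATION: http://192.0.2.99:7/\r\n"  # echo port on a third-party host
           b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
           b"USN: " + b"A" * 300 + b"\r\n\r\n")
```

Feeding captured UDP/1900 datagrams and their source addresses to inspect_notify gives a simple triage signal for both the reflection and the overflow patterns.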

Symantec Response:
Microsoft has developed security patches for these vulnerabilities. Download and apply the appropriate patch for individual systems:

  • Hotfix for Microsoft Windows 98 and 98SE
  • Hotfix for Microsoft Windows ME
  • Hotfix for Microsoft Windows XP

These security patches are available from the respective Microsoft TechNet Security pages.

If you are running one of the vulnerable systems, you should immediately download and apply the appropriate security hotfix.

Follow best-practice firewall procedures by blocking external network access to ports 1900 and 5000 to further protect network systems.

NOTE:
According to Microsoft, Windows 98 and 98SE have no native UPnP support. Therefore Windows 98 and 98SE systems would only be affected if the Internet Connection Sharing Client from Windows XP had been installed on the system.

Windows 98 and 98SE machines that have installed the Internet Connection Sharing client from a Windows XP system that has already applied this patch are not vulnerable.

Windows ME provides native UPnP support, but it is neither installed nor running by default. (However, some OEMs do configure pre-built systems with the service installed and running).

Windows XP's Internet Connection Firewall, which runs by default, would make it significantly more difficult for an attacker to determine the IP address of an affected machine. This could impede an attacker's ability to attack a machine via unicast messages. However, attacks via multicast or broadcast would still be possible.

However, applying the appropriate security patch for your system remains the best security solution against these vulnerabilities.

Symantec Enterprise Solutions:
Enterprise Security Manager (ESM), Symantec's policy compliance and vulnerability management system, helps manage security patch update functions for you through the ESM patch module.

A new patch, Response_Windows XP_Universal PnP_20011220.exe, has been released and is available here. This patch installs a new ESM response policy on the ESM manager. Symantec ESM users should then run the policy against their domain of ESM Windows XP agents. This new policy will report any agent that does not have the latest patch from Microsoft fixing this problem.

CVE:
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the following names:

  • CAN-2001-0876 to the buffer overflow issue.
  • CAN-2001-0877 to the denial of service issue.

These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Credit:
Originally posted by eEye Digital Security in AD20011220. Acknowledgement and security patches posted by Microsoft in MS01-059.

Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Alert in medium other than electronically requires permission from SymSecurity@symantec.com.
Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.

Symantec, Enterprise Security Manager (ESM), Symantec Security Response, and SymSecurity are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Last modified on: Thursday, 20-Dec-01 16:49:31