Unchecked Buffer in Universal Plug and Play Can Lead to System Compromise for Windows XP

Article ID: 315000 - View products that this article applies to.
This article has been archived. It is offered "as is" and will no longer be updated.

Symptoms

Computers can use the Universal Plug and Play (UPnP) service to discover and use network-based devices. Microsoft Windows Millennium Edition (Me) and Windows XP include UPnP services, but Microsoft Windows 98 and Microsoft Windows 98 Second Edition do not. However, the UPnP service can be installed on a Windows 98-based or Windows 98 Second Edition-based computer by installing the Internet Connection Sharing (ICS) client that is included with Windows XP.

This article describes two vulnerabilities that affect the implementation of UPnP in various products. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers process the discovery of new devices on the network.

The first vulnerability is a buffer-overrun vulnerability. There is an unchecked buffer in one of the Windows XP components that process NOTIFY directives (messages that advertise the availability of UPnP-capable devices on the network). By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with system privileges on Windows XP. On Windows 98 and Windows Me, there are no security contexts, and all code runs as part of the operating system. This would enable the attacker to gain complete control over the computer.

The second vulnerability occurs because the UPnP service does not sufficiently limit the lengths to which it will go to obtain information about using a newly discovered device. The NOTIFY directive that a new UPnP device sends includes information that tells interested computers where to obtain its device description, which lists the services the device offers and provides instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations do not adequately regulate how they perform this operation, and this gives rise to two different denial-of-service scenarios.

In the first denial-of-service scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (for example, by having the Echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's computer directly, by using the computer's IP address. Or, the attacker could send this same directive to a broadcast or multicast domain and attack all Windows XP-based computers in that broadcast or multicast domain, consuming some or all of those systems' availability.

In the second denial-of-service scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough computers responded to the directive, it could have the effect of flooding the third-party server with invalid requests, in a distributed denial-of-service attack. As with the first denial-of-service scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.
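The two weaknesses described above (unbounded header handling and an unregulated device-description fetch) can be illustrated from the defensive side. The following Python sketch is an added example, not Microsoft's code: it parses an SSDP NOTIFY directive with a per-line bound and applies a fetch policy to its LOCATION header; MAX_LINE, ECHO_PORTS, LOCAL_NET and the sample messages are constructed values for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy values for this example, not Microsoft's implementation.
MAX_LINE = 512                 # per-header bound: reject overlong lines instead of copying them
ECHO_PORTS = {7}               # TCP echo service, the "endless download cycle" scenario
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed local segment

def parse_notify(raw: bytes) -> dict:
    """Parse an SSDP NOTIFY (HTTP-over-UDP) into a header dict, bounding every line."""
    lines = raw.decode("ascii").split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        raise ValueError("not a NOTIFY directive")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                                    # end of the header block
        if len(line) > MAX_LINE:
            raise ValueError("header line exceeds bound")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return headers

def location_allowed(headers: dict) -> tuple:
    """Decide whether the device description URL in LOCATION may be fetched."""
    loc = headers.get("location")
    if loc is None:
        return False, "no LOCATION header"
    url = urlsplit(loc)
    if url.scheme != "http" or not url.hostname:
        return False, "scheme or host not acceptable"
    try:
        host = ipaddress.ip_address(url.hostname)    # literal IPs only, no DNS lookups
        port = url.port or 80
    except ValueError:
        return False, "host is not an IP literal or port is invalid"
    if port in ECHO_PORTS:
        return False, f"port {port} is an echo service"
    if host not in LOCAL_NET:
        return False, "description host is off-link"  # refuses the third-party flooding scenario
    return True, "fetch permitted"

def evaluate(raw: bytes) -> tuple:
    """Combine parsing and policy; a parse failure is a rejection, never a crash."""
    try:
        return location_allowed(parse_notify(raw))
    except ValueError as exc:
        return False, f"rejected: {exc}"

def build_notify(location: str) -> bytes:
    """Constructed sample NOTIFY advertising a root device at the given LOCATION."""
    return (f"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
            f"NTS: ssdp:alive\r\nLOCATION: {location}\r\nUSN: uuid:example-1::upnp:rootdevice\r\n\r\n").encode()
```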

Mitigating Factors

General

Standard firewall practices (specifically, blocking ports 1900 and 5000) could be used to protect corporate networks from Internet-based attacks.

Windows 98 and Windows 98 Second Edition

  • There is no built-in UPnP support for these operating systems. Windows 98-based or Windows 98 Second Edition-based computers would only be affected if the ICS client from Windows XP had been installed on the computer.
  • Windows 98-based or Windows 98 Second Edition-based computers that have installed the ICS client from a Windows XP-based computer that has already applied this patch are not vulnerable.

Windows Me

Windows Me provides built-in UPnP support, but by default, it is not installed or running. However, some OEMs configure computers so that the UPnP service is installed and running.

Windows XP

Internet Connection Firewall (ICF), which runs by default, would impede an attacker's ability to mount a successful directed attack. However, because the ICF does not block incoming broadcast or multicast traffic, it would not protect against those attacks.

Resolution

To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack
The following files are available for download from the Microsoft Download Center:
  • English (US): Q315000_WXP_SP1_x86_enu.exe
  • Arabic: Q315000_WXP_SP1_x86_ara.exe
  • Chinese (Simplified): Q315000_WXP_SP1_x86_chs.exe
  • Chinese (Traditional): Q315000_WXP_SP1_x86_cht.exe
  • Czech: Q315000_WXP_SP1_x86_csy.exe
  • Danish: Q315000_WXP_SP1_x86_dan.exe
  • Dutch: Q315000_WXP_SP1_x86_nld.exe
  • Finnish: Q315000_WXP_SP1_x86_fin.exe
  • French: Q315000_WXP_SP1_x86_fra.exe
  • German: Q315000_WXP_SP1_x86_deu.exe
  • Greek: Q315000_WXP_SP1_x86_ell.exe
  • Hebrew: Q315000_WXP_SP1_x86_heb.exe
  • Hungarian: Q315000_WXP_SP1_x86_hun.exe
  • Italian: Q315000_WXP_SP1_x86_ita.exe
  • Japanese: Q315000_WXP_SP1_x86_jpn.exe
  • Korean: Q315000_WXP_SP1_x86_kor.exe
  • Norwegian: Q315000_WXP_SP1_x86_nor.exe
  • Polish: Q315000_WXP_SP1_x86_plk.exe
  • Portuguese: Q315000_WXP_SP1_x86_ptg.exe
  • Portuguese (Brazil): Q315000_WXP_SP1_x86_ptb.exe
  • Russian: Q315000_WXP_SP1_x86_rus.exe
  • Spanish: Q315000_WXP_SP1_x86_esn.exe
  • Swedish: Q315000_WXP_SP1_x86_sve.exe
  • Turkish: Q315000_WXP_SP1_x86_trk.exe
Release Date: December 20, 2001

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:
   Date         Time   Version      Size     File name
   ------------------------------------------------------
   18-Dec-2001  15:12  6.0.2448.0   324,608  Netsetup.exe
   17-Dec-2001  18:02  5.1.2600.23   26,624  Ssdpapi.dll
   17-Dec-2001  18:02  5.1.2600.23   41,472  Ssdpsrv.dll
   17-Dec-2001  18:02  5.1.2600.23  119,808  Upnp.dll
   06-Dec-2001  10:58  5.1.2600.22  245,248  Update.exe
   18-Dec-2001  15:53                32,573  Update.inf
   18-Dec-2001  17:27                   294  Update.ver

Status

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows XP. This problem was first corrected in Windows XP Service Pack 1.

More information

314941 Unchecked Buffer in Universal Plug and Play can Lead to System Compromise for Windows 98
For more information about these vulnerabilities, see the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

Properties

Article ID: 315000 - Last Review: December 24, 2014 - Revision: 4.0
Applies to
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
Keywords: kbnosurvey kbarchive atdownload kbqfe kbbug kbenv kbfix kbnetwork kbsecurity kbwinxpsp1fix KB315000
