Microsoft Windows Universal Plug and Play (UPNP) vulnerable to buffer overflow via malformed advertisement packets

2001-12-20T00:00:00
ID VU:951555
Type cert
Reporter CERT
Modified 2001-12-20T00:00:00

Description

Overview

A buffer overflow in the Universal Plug and Play (UPnP) service on Microsoft Windows XP, Microsoft Windows ME, and Microsoft Windows 98 permits an intruder to run arbitrary code on vulnerable systems.

Description

Universal Plug and Play (UPnP) is a system that allows network devices to operate together. A vulnerability in the Microsoft Windows XP and Windows ME implementation of UPnP may permit an intruder to execute arbitrary code with SYSTEM privileges. Additionally, Windows 98 and Windows 98SE may be affected if you have installed the Windows XP Internet Connection Sharing client. These vulnerabilities were discovered by eEye Digital Security. For more information, see:

<http://www.eeye.com/html/Research/Advisories/AD20011220.html>
<http://www.microsoft.com/technet/security/bulletin/MS01-059.asp>


Impact

An intruder can run arbitrary code in the local SYSTEM security context.


Solution

Apply a patch as described in MS01-059.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Microsoft| | -| 20 Dec 2001

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.eeye.com/html/Research/Advisories/AD20011220.html>
  • <http://www.microsoft.com/technet/security/bulletin/MS01-059.asp>
  • <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34991>
  • <http://download.microsoft.com/download/winme/Update/22940/WinMe/EN-US/314757USAM.EXE>
  • <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34951>
  • <http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt>
  • <http://www.upnp.org/download/UPnP_Vendor_Implementation_Guide_Jan2001.htm>

Credit

Our thanks to eEye Digital Security, who discovered the problem, and Microsoft for the information contained in their bulletins.

This document was written by Shawn Hernan.

Other Information

  • CVE IDs: CAN-2001-0876
  • Date Public: 20 Dec 2001
  • Date First Published: 20 Dec 2001
  • Date Last Updated: 20 Dec 2001
  • Severity Metric: 51.64
  • Document Revision: 7