ISS Security Alert: Multiple Vulnerabilities in Universal Plug and Play Service

Type securityvulns
Reporter Securityvulns
Modified 2001-12-21T00:00:00


Internet Security Systems Security Alert December 20, 2001

Multiple Vulnerabilities in Universal Plug and Play Service


ISS X-Force is aware of multiple vulnerabilities with the Universal Plug and Play Service (UPnP) included with several Microsoft Windows operating systems. UPnP is a protocol that allows network devices to broadcast self-describing messages for peer-to-peer integration into a network. Two vulnerabilities are present in UPnP. A buffer overflow exists in the Windows XP implementation of the Simple Service Discovery Protocol (SSDP) component of UPnP. Another more generic Distributed Denial of Service (DDoS) or Denial of Service (DOS) risk exists within SSDP as well and affects multiple versions of the operating system.

Affected Versions:

Windows XP
Windows ME
Windows 98SE
Windows 98


A remotely exploitable buffer overflow exists in the UPnP service of Windows XP. A malicious user can transmit a malformed NOTIFY request to a vulnerable machine and overflow an unchecked buffer in the UPnP service. This service runs in the SYSTEM context under Windows XP and can result in a full system compromise, allowing the attacker to gain control of the affected machine.

A condition also exists in the implementation of SSDP that could lead to a DOS or DDoS attack by transmitting a malformed NOTIFY directive at a targeted machine or group of machines. The targets can be forced to endlessly transmit HTTP requests to a final target.


Internet firewalls should be configured to block ports 1900 and 5000.

ISS RealSecure intrusion detection customers may use the following connection event to detect access attempts by the UPnP Overflow. Follow the instructions below to apply the connection event to your policy.

  1. Choose a policy you want to use, and click 'Customize'.
  2. Select the 'Connection Events' tab.
  3. Click 'Add' on the right hand side of the dialog box.
  4. Create a Connection Event
  5. Type in a name of the event, such as 'UPnP Overflow'.
  6. In the 'Response' field for the event, select the responses you want to use. In the 'Protocol' field, select UDP. In the 'Dest Port/Type' field click the pull down box and create an entry for UDP port 1900:
     a. Click 'Add'
     b. Select UDP Protocol
     c. Name the service 'UPnP Overflow'
     d. Use 1900 for the port number
     e. Click 'OK'
     f. Select the entry just created
  7. Save changes and close the window.
  8. Click 'Apply to Sensor' or 'Apply to Engine' depending on the version of RealSecure you are using.

A connection event is now created with any address/port and any destination address looking for a UDP request on port 1900. Every network is different so it is possible to make entries for each vulnerable host on your network instead of using the above connection event.
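The matching logic of the connection event above, with the optional per-host narrowing, as an added example (not part of the original alert and not RealSecure code). The packet record format, the `local_net` range, the `MAX_HEADER_LINE` threshold and all function names are assumptions made for illustration; the sample packets are constructed.

```python
import ipaddress

SSDP_PORT = 1900        # UDP port named in the advisory
MAX_HEADER_LINE = 256   # assumed triage threshold, not taken from the advisory

def ssdp_event(pkt, vulnerable_hosts=None, local_net="192.168.0.0/16"):
    """Return an alert for a packet matching the connection event, else None.

    pkt is a constructed record: proto, src, dst, dport, payload (bytes).
    vulnerable_hosts optionally narrows the event to specific destinations;
    multicast destinations still match because every host on the segment
    receives them.
    """
    if pkt["proto"] != "udp" or pkt["dport"] != SSDP_PORT:
        return None
    dst = ipaddress.ip_address(pkt["dst"])
    if vulnerable_hosts is not None and pkt["dst"] not in vulnerable_hosts \
            and not dst.is_multicast:
        return None
    lines = pkt["payload"].split(b"\r\n")
    is_notify = lines[0].split(b" ")[0].upper() == b"NOTIFY"
    longest = max(len(line) for line in lines)
    external = ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(local_net)
    reasons = []
    if is_notify and external:
        reasons.append("NOTIFY from outside local network")
    if longest > MAX_HEADER_LINE:
        reasons.append("oversized header line")
    return {"event": "UPnP Overflow", "src": pkt["src"], "dst": pkt["dst"],
            "notify": is_notify, "longest_line": longest,
            "priority": "high" if reasons else "info", "reasons": reasons}

# Constructed sample traffic (documentation and private address ranges only).
NORMAL = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n")
SAMPLES = [
    {"proto": "udp", "src": "192.168.1.20", "dst": "239.255.255.250", "dport": 1900, "payload": NORMAL},
    {"proto": "udp", "src": "203.0.113.9", "dst": "192.168.1.50", "dport": 1900,
     "payload": b"NOTIFY * HTTP/1.1\r\nX-FILLER: " + b"A" * 600 + b"\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.1.20", "dst": "192.168.1.50", "dport": 80, "payload": b"GET / HTTP/1.1\r\n\r\n"},
    {"proto": "udp", "src": "192.168.1.20", "dst": "192.168.1.77", "dport": 1900, "payload": NORMAL},
]

def run_samples(vulnerable_hosts=None):
    return [ssdp_event(p, vulnerable_hosts) for p in SAMPLES]

if __name__ == "__main__":
    for alert in run_samples({"192.168.1.50"}):
        print(alert)
```

With no host list every UDP/1900 packet raises the event, as the alert describes; passing a host set reproduces the per-host variant while still reporting multicast announcements.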

Contact ISS Technical Support for more specific help on this matter.

Users of ISS BlackICE products in Trusting or Cautious mode can configure themselves to protect themselves from this attack:

  1. Select 'Tools' and click 'Advanced Firewall Settings'
  2. Click 'Add' to add a new rule.
  3. Name the rule 'UPnP Overflow'
  4. Select 'All Addresses'
  5. Type in Port 1900 into the Ports field
  6. Select Type UDP
  7. Select Mode Reject
  8. Select Duration Forever
  9. Click 'Add'

BlackICE users in Nervous or Paranoid mode will be protected against the attack and do not need to add a rule.

An Internet Scanner FlexCheck will be available soon to detect this vulnerability. The FlexCheck will be available at the following URL:

Patches from Microsoft Corporation are available at the following locations:

Microsoft Windows 98/98SE:

Microsoft Windows ME:

Microsoft Windows XP:

Additional Information:

eEye Digital Security Advisory:

Microsoft Security Bulletin:


This vulnerability was discovered and researched by eEye Digital Security.

About Internet Security Systems (ISS)

Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 9,000 customers worldwide including 21 of the 25 largest U.S. commercial banks, the top 10 U.S. telecommunications companies, and all major branches of the U.S. Federal Government. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at or call 888-901-7477.

Copyright (c) 2001 Internet Security Systems, Inc. All rights reserved worldwide.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail for permission.


The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: as well as on MIT's PGP key server and's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.