Public Vulnerability Reports

Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability

04.10.07

BACKGROUND

Universal Plug and Play (UPnP) is a group of network protocols that work together to enable devices to interact. UPnP lets a device announce itself and look for other devices on the network, and provides a mechanism to control a device and receive updates on its state. For more information about UPnP, visit the following URL.

http://www.upnp.org/

DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in the Universal Plug-and-Play (UPnP) component of Microsoft Windows could allow an attacker to execute code in the context of the vulnerable service.

The vulnerability specifically exists in the handling of HTTP headers sent to the UPnP control point as part of a request or notification. Because it processes certain fields without checking if there is enough storage space, a malicious request may cause a stack-based buffer overflow, potentially resulting in code execution.

ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute arbitrary code in the context of the affected service, typically 'Local Service' or 'Network Service'.

In order to exploit this vulnerability an attacker would need either wired or wireless access to the local network. Additionally, they must be able to connect to a port used for UPnP services. As UPnP is designed to allow use without special configuration, Windows XP SP2 has firewall exceptions active for ports which could be used in an attack.

Due to various security mechanisms implemented in Windows XP SP2 and a variety of design choices, code execution may not be trivial even though this is a stack-based buffer overflow. Two input restrictions, one on the total input size to the process and one imposed by the HTTP interface, which limits input to characters allowed by the protocol specification, work together with stack cookies and system libraries compiled with the "/SAFESEH" option to make exploitation more difficult.

The UPnP service relies on the Simple Service Discovery Protocol (SSDP) service to locate new devices. The SSDP service listens on UDP port 1900. Exploitation does not require the attacker to communicate with UDP port 1900. However, if the UPnP TCP port for the service is not yet active, they may be able to activate it by sending an SSDP search request or notification.

DETECTION

This vulnerability has been confirmed to affect Windows XP SP2. As the affected component is a library and not an application itself, other applications and services may also be affected.

WORKAROUND

The following actions will mitigate exposure to this vulnerability.

  • Disable the SSDP and UPnP services.
  • Disable the Media Sharing functionality of Windows Media Player 11.
  • Delete firewall exceptions for the following ports:
    • 1900/UDP (SSDP)
    • 2869/TCP (UPnP Host Device)
    • 10243/TCP (Windows Media Connect and Windows Media Player Network Sharing Service)

These operations may affect the ability to detect and access some UPnP-based resources.
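
The workaround above, written as commands for an administrator command prompt on Windows XP SP2. This is an added example, not part of the original advisory. It assumes the default Windows service short names (SSDPSRV, upnphost, WMPNetworkSvc) and assumes that disabling WMPNetworkSvc stands in for turning off Media Sharing in the Windows Media Player 11 interface.

```batch
@echo off
rem Added example: applies the advisory's workaround on Windows XP SP2.
rem Assumption: default service short names (SSDPSRV, upnphost, WMPNetworkSvc).

rem 1. Media sharing service (only present when WMP 11 is installed).
sc query WMPNetworkSvc >nul 2>&1
if not errorlevel 1 (
    sc stop WMPNetworkSvc >nul 2>&1
    sc config WMPNetworkSvc start= disabled
)

rem 2. UPnP Device Host and SSDP Discovery.
rem    upnphost depends on SSDPSRV, so it is stopped first.
rem    "start= disabled" keeps the services from being started again on demand.
for %%S in (upnphost SSDPSRV) do (
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled
)

rem 3. Firewall exceptions. On XP SP2 the UPnP ports are normally opened by the
rem    predefined "UPnP Framework" service exception, not by individual port
rem    openings, so that exception is switched off as well.
netsh firewall set service type=UPNP mode=DISABLE profile=ALL
netsh firewall delete portopening protocol=UDP port=1900 profile=ALL
netsh firewall delete portopening protocol=TCP port=2869 profile=ALL
netsh firewall delete portopening protocol=TCP port=10243 profile=ALL

rem 4. Verify: start type should read DISABLED for each service.
for %%S in (SSDPSRV upnphost) do (
    echo %%S
    sc qc %%S | find "START_TYPE"
)

rem    Review what the firewall still allows.
netsh firewall show service
netsh firewall show portopening

rem    Nothing should still be bound to the three ports named in the advisory.
netstat -an | findstr /C:":1900 " /C:":2869 " /C:":10243 "
if errorlevel 1 echo No sockets found on 1900, 2869 or 10243.
```

The delete commands report an error when no matching port opening exists, which is expected on systems where only the predefined exception was in use.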

VENDOR RESPONSE

Microsoft has addressed this vulnerability within MS07-019. For more information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-019.mspx

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-1204 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

12/06/2006 Initial vendor notification
12/06/2006 Initial vendor response
04/10/2007 Coordinated public disclosure

CREDIT

This vulnerability was discovered by Greg MacManus of iDefense Labs.

LEGAL NOTICES

Copyright © 2007 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.