| VID |
23019 |
| Severity |
40 |
| Port |
1900 |
| Protocol |
UDP |
| Class |
UPNP |
| Detailed Description |
The vulnerable UPnP service is running. UPnP (Universal Plug and Play) is an architecture for pervasive peer-to-peer network connectivity of intelligent appliances, wireless devices, and PCs of all form factors. It is more than a simple extension of the Plug and Play peripheral model, which makes it easy to set up, configure, and add peripherals to a PC. With UPnP, a device can dynamically join a network, obtain an IP address, convey its capabilities, and learn about the presence and capabilities of other devices, all automatically.
The UPnP service is installed and running by default in all versions of Windows XP, and is installed via the Internet Connection Sharing client on Windows 98, 98SE, and ME. Under Windows XP, the UPnP service is supported by two service processes, the "SSDPDS (SSDP Discovery Service)" and the "UPNPDH (Universal Plug and Play Device Host)". The SSDPDS service is used for discovering devices on the network and the UPNPDH service is used for hosting devices. Although both services are started on demand, the SSDP service is started when Windows XP boots. The UPNPDH service is started only when needed, and its operation depends on SSDPDS. This service listens for TCP connections on port 5000 and for UDP datagrams arriving on port 1900. This allows a remote attacker (or high-speed Internet worm) located anywhere in the world to scan for and locate individual Windows UPnP-equipped machines.
Two vulnerabilities that can be exploited by a remote attacker or Internet worm have been reported. The first is a buffer overrun caused by an unchecked buffer in one of the components that handle NOTIFY directives, the messages that advertise the availability of UPnP-capable devices on the network. The second is a denial of service attack against a third-party server, caused by insufficient limits on the steps taken to obtain information on using a newly discovered device. It causes the third-party server (victim server) to enter an infinite loop and its CPU usage to rise to 100%.
* Note: To check whether the UPnP service is running on the target system, we have the target system send an HTTP request back to us if the service is running. We listen on TCP port 80, and this HTTP connection is established completely. To check the status of the UPnP service on the local system, you can use the "UnPlug n' Pray" program available from the following web site: http://grc.com/UnPnP/UnPnP.htm
* References:
http://www.iss.net/security_center/static/7428.php
http://www.iss.net/security_center/static/7721.php
http://www.iss.net/security_center/static/7318.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0721
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
http://cert-nl.surfnet.nl/s/2001/S-01-119.htm
* Platforms Affected: Windows XP; Windows 98, 98SE; Windows ME |
| Recommendation |
Apply the latest Windows XP Service Pack from the Microsoft web site: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=D17CBEB5-7478-4147-B4BA-E6CF686A352B
-- OR --
If the service isn't used, disable it completely. Once the SSDP Discovery Service has been stopped, TCP port 5000 and UDP port 1900 are closed. To disable the UPnP service completely, stop and disable both the "SSDP Discovery Service" and the "UPNP Device Host":
1. Open "services.msc" (the Service Management Console) using [Run] from the [Start] menu.
2. Select the "SSDP Discovery Service" from the service list and open its Properties.
3. Click the "Stop" button and change the "Startup Type:" field to "Disabled".
4. Select the "Universal Plug and Play Device Host" from the service list and open its Properties.
5. Click the "Stop" button and change the "Startup Type:" field to "Disabled". |
| Related URL |
CVE-2001-0721,CVE-2001-0877 (CVE) |
| Related URL |
1548 (SecurityFocus) |
| Related URL |
7318,7428,7721,7722 (ISS) |
|
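Added example, not part of the original advisory or of any vendor tool: a defender-side check that parses SSDP NOTIFY datagrams seen on UDP port 1900 and flags the two conditions the description above relates to, an oversized header value and a device description URL (the LOCATION header) that points at a host other than the sender. The 512-byte limit, the sender-match heuristic and the sample datagrams are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

MAX_HEADER_LEN = 512  # assumed policy limit, not a value from the advisory

def parse_notify(payload: bytes):
    """Return the headers of an SSDP NOTIFY datagram, or None if it is not one."""
    lines = payload.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("NOTIFY * HTTP/1.1"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def audit_notify(payload: bytes, src_ip: str):
    """Return a list of findings for one datagram received from src_ip."""
    headers = parse_notify(payload)
    if headers is None:
        return []
    findings = [f"oversized {n} header ({len(v)} bytes)"
                for n, v in headers.items() if len(v) > MAX_HEADER_LEN]
    if headers.get("NTS", "").lower() == "ssdp:alive":
        try:
            host = urlsplit(headers.get("LOCATION", "")).hostname
        except ValueError:    # malformed URL, e.g. unbalanced IPv6 brackets
            host = None
        if host is None:
            findings.append("ssdp:alive without a usable LOCATION URL")
        elif host != src_ip:  # heuristic: description should be served by the sender
            findings.append(f"LOCATION host {host} differs from sender {src_ip}")
    return findings

def sample(location: str) -> bytes:
    """Build a constructed NOTIFY datagram (demo input, not captured traffic)."""
    return ("NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            "NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
            "USN: uuid:constructed-demo::upnp:rootdevice\r\n"
            f"LOCATION: {location}\r\n\r\n").encode("latin-1")

if __name__ == "__main__":
    for loc, src in [("http://192.168.1.10:5000/desc.xml", "192.168.1.10"),
                     ("http://203.0.113.9/desc.xml", "192.168.1.66"),
                     ("http://192.168.1.77/" + "A" * 2000, "192.168.1.77")]:
        print(src, audit_notify(sample(loc), src))
```

The sender-match rule will also flag legitimate devices that advertise a description hosted elsewhere, so treat its findings as leads for review rather than confirmed abuse.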