Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1384 |
Message | MISC UPnP malformed advertisement |
Summary | This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server. |
Impact | Attempted administrator access or denial of service. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges. |
Detailed Information | The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP. Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges. |
Affected Systems | Microsoft Windows 98, 98SE, ME, XP |
Attack Scenarios | An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host. |
Ease of Attack | Simple. Exploit code is freely available. |
Corrective Action | Block inbound UPnP traffic. |
Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877 |
Rule References | bugtraq: 3723 cve: 2001-0876 cve: 2001-0877 nessus: 10829 url: www.microsoft.com/technet/security/bulletin/MS01-059.mspx |
--
DID:727181
--
http://www.aanval.com/