eEye Digital Security has discovered major security vulnerabilities in Microsoft’s UPNP (Universal Plug and Play) Service. Windows XP, by default, ships with a UPNP Service that can be used to detect and integrate with UPNP aware devices.
Windows ME does not come standard with the UPNP service, however, some OEM versions do provide the UPNP service by default. It is also possible to install the Windows XP Internet Connection Sharing on top of Windows 98, therefore making it vulnerable.
As described by UPNP.org, ‘UPNP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. UPNP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between.’
eEye has discovered three vulnerabilities within Microsoft’s UPNP implementation: a remotely exploitable buffer overflow that allows an attacker gain SYSTEM level access to any default installation of Windows XP, a Denial of Service (DoS) attack, and a Distributed Denial of Service (DDoS) attack.
Network administrators are urged to immediately install the patch released by Microsoft at http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
The most serious of the three Windows XP vulnerabilities is the remotely exploitable buffer overflow. It is possible for an attacker to write custom exploit code that will allow them to execute commands with SYSTEM level access, the highest level of access within Windows XP.
The other two vulnerabilities are types of denial of service attacks. The first is a fairly straightforward denial of service attack, which allows an attacker to remotely crash any Windows XP system. The crash will require Windows XP users to physically power down their machines and start them up again before the system will function. The second denial of service attack is a distributed denial of service attack. This vulnerability allows attackers to remotely command many Windows XP systems at once in an effort to make them flood/attack a single host.
eEye alerted Microsoft’s security team immediately upon discovery of the vulnerability and has worked closely with Microsoft on the development of a patch and the expeditious alerting of administrators worldwide.