Signature Detail

UPNP: NOTIFY Request Denial of Service

This signature detects attempts to exploit a known vulnerability against the UPNP service for Microsoft Windows XP. Attackers can send a malicious NOTIFY request that forces the UPNP daemon to connect to a malicious CHARGEN-like service on the sending host (the attacker's machine); thereby causing a denial-of-service condition by allowing the UPNP daemon to consume all available memory and CPU resources.

Extended Description

Universal Plug and Play, or UPnP, is a service that allows for hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME. For Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client. The Simple Service Discovery Protocol (SSDP) is a component of UPnP that allows a system to enumerate the resources of a newly installed network device on a UPnP network. This service is vulnerable to a denial of service condition by constructing a UDP packet directed at a UPnP-enabled system which directs the system to an echoed port, the system would enter into an endless download cycle. This vulnerability could possibly be used to launch a distributed denial of service attack by directing several UPnP-enabled systems at a third party.

Affected Products

• Microsoft Windows 98
• Microsoft Windows 98SE
• Microsoft Windows ME
• Microsoft Windows XP
• Microsoft Windows XP Gold
• Microsoft Windows XP Home
• Microsoft Windows XP Professional

References

• BugTraq: 3724
• CERT: CA-2001-37
• CVE: CVE-2001-0877
• URL: http://research.eeye.com/html/advisories/published/AD20011220.html
• URL: http://www.kb.cert.org/vuls/id/951555