
Microsoft Windows UPnP buffer overflow

by Nikola Strahija on December 21st, 2001

Vulnerabilities in software included by default on Microsoft Windows XP, and optionally on Windows ME and Windows 98, may allow an intruder to execute arbitrary code on vulnerable systems, to launch denial-of-service attacks against vulnerable systems, or to use vulnerable systems to launch denial-of-service attacks against third-party systems.

There is a vulnerability in the Universal Plug and Play (UPnP) service on Microsoft Windows XP and Microsoft Windows ME that could permit an intruder to execute arbitrary code with administrative privileges on a vulnerable system. The UPnP service is enabled by default on XP. Microsoft does not ship Windows ME with UPnP enabled by default, but some PC manufacturers do. UPnP may be optionally installed on Windows 98 and Windows 98SE. This vulnerability was discovered by eEye Digital Security. For more information, see:

Universal Plug and Play (UPnP) is a set of protocols that allow computer systems and network devices to work together with little or no prior configuration.

One vulnerability is a buffer overflow in the code that handles UPnP NOTIFY directives. This vulnerability permits an intruder to send a malicious NOTIFY directive to a vulnerable computer and cause the computer to run code of the intruder's choice. The code will run with full privileges on all vulnerable systems, including Windows XP. This can permit an attacker to take complete control of the system.
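The defect described above is a handler that trusts the length of what arrives in a NOTIFY directive. The following is an added example, not code from the article or from Microsoft's UPnP implementation, showing how a defensive SSDP NOTIFY parser bounds every field before using it and how that parser behaves on constructed samples. The size limits, the required-header set and the sample datagrams are assumptions chosen for illustration; the oversized sample merely exceeds a length bound and is not the trigger eEye reported.

```python
"""Defensive parser for UPnP/SSDP NOTIFY directives (added example).

Every size bound is checked before the corresponding bytes are copied or
interpreted, so an oversized or malformed message is dropped rather than
processed. The limits below are assumed values for illustration only.
"""

MAX_MESSAGE_BYTES = 4096   # assumed cap on a whole NOTIFY datagram
MAX_HEADER_LINE = 512      # assumed cap on one "Name: value" line
MAX_HEADERS = 32           # assumed cap on the number of header lines
REQUIRED_HEADERS = ("host", "nt", "nts", "usn")  # assumed minimal set


class NotifyRejected(ValueError):
    """Raised when a NOTIFY directive violates a size or syntax bound."""


def parse_notify(datagram: bytes) -> dict:
    """Parse an SSDP NOTIFY directive into a dict of lower-cased headers.

    Raises NotifyRejected instead of processing anything that exceeds a
    bound, which is the check a vulnerable handler lacked.
    """
    if len(datagram) > MAX_MESSAGE_BYTES:
        raise NotifyRejected("datagram exceeds %d bytes" % MAX_MESSAGE_BYTES)
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        raise NotifyRejected("non-ASCII bytes in NOTIFY directive")
    lines = text.split("\r\n")
    if not lines or lines[0] != "NOTIFY * HTTP/1.1":
        raise NotifyRejected("not a NOTIFY directive")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line terminates the header block
        if len(line) > MAX_HEADER_LINE:
            raise NotifyRejected("header line exceeds %d bytes" % MAX_HEADER_LINE)
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise NotifyRejected("malformed header line")
        headers[name.strip().lower()] = value.strip()
        if len(headers) > MAX_HEADERS:
            raise NotifyRejected("too many headers")
    for required in REQUIRED_HEADERS:
        if required not in headers:
            raise NotifyRejected("missing required header %s" % required)
    return headers


def triage(datagrams):
    """Run each (label, datagram) pair through the parser and report the outcome."""
    results = []
    for label, data in datagrams:
        try:
            parse_notify(data)
            results.append((label, "accepted"))
        except NotifyRejected as exc:
            results.append((label, "rejected: " + str(exc)))
    return results


# Constructed samples: one well-formed alive announcement, one with a header
# line far beyond the assumed bound, one missing a required header.
SAMPLES = [
    ("well-formed",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"NT: upnp:rootdevice\r\n"
     b"NTS: ssdp:alive\r\n"
     b"USN: uuid:example-device::upnp:rootdevice\r\n"
     b"LOCATION: http://192.0.2.10:5000/desc.xml\r\n"
     b"CACHE-CONTROL: max-age=1800\r\n\r\n"),
    ("oversized-header",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"NT: upnp:rootdevice\r\n"
     b"NTS: ssdp:alive\r\n"
     b"USN: uuid:example-device::upnp:rootdevice\r\n"
     b"LOCATION: http://" + b"x" * 600 + b"/\r\n\r\n"),
    ("missing-usn",
     b"NOTIFY * HTTP/1.1\r\n"
     b"HOST: 239.255.255.250:1900\r\n"
     b"NT: upnp:rootdevice\r\n"
     b"NTS: ssdp:alive\r\n\r\n"),
]

if __name__ == "__main__":
    for label, outcome in triage(SAMPLES):
        print("%-17s %s" % (label, outcome))
```

The point of the ordering is that the whole-datagram bound, the per-line bound and the header-count bound are all enforced before any header value is stored, so a message that would have overrun a fixed buffer in a trusting handler is rejected with no field of it ever used.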

A second vulnerability in the Microsoft Windows implementation of UPnP could allow an intruder to consume memory and processor time on vulnerable systems, resulting in performance degradation. Variations on this problem can allow an intruder to use a vulnerable system to launch a denial-of-service attack against a third party.

For more information about these vulnerabilities, see:

These vulnerabilities have been assigned the CVE identifiers CAN-2001-0876 and CAN-2001-0877, respectively.

An intruder can gain complete control of vulnerable systems, or interrupt their normal operation.

Apply a patch from Microsoft:

Until the patch can be applied, block all ports from 1900 to 5000.
