Vulnerabilities > CVE-2001-0876 - Buffer Overflow vulnerability in Microsoft UPnP NOTIFY

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.

Vulnerable Configurations

Part Description Count
OS
Microsoft
4

Exploit-Db

  • description: Windows 98/XP/ME UPnP NOTIFY Buffer Overflow Vulnerability (2). CVE-2001-0876. Remote exploit for windows platform
    id: EDB-ID:21189
    last seen: 2016-02-02
    modified: 2001-12-20
    published: 2001-12-20
    reporter: JOCANOR
    source: https://www.exploit-db.com/download/21189/
    title: Windows 98/XP/ME UPnP NOTIFY Buffer Overflow Vulnerability 2
  • description: Windows 98/XP/ME UPnP NOTIFY Buffer Overflow Vulnerability (1). CVE-2001-0876. Remote exploit for windows platform
    id: EDB-ID:21188
    last seen: 2016-02-02
    modified: 2001-12-20
    published: 2001-12-20
    reporter: Gabriel Maggiotti
    source: https://www.exploit-db.com/download/21188/
    title: Windows 98/XP/ME UPnP NOTIFY Buffer Overflow Vulnerability 1

Nessus

  • NASL family: Service detection
    NASL id: UPNP_XP.NASL
    description: This machine answered to a unicast UPnP NOTIFY packet by trying to fetch the XML description that Nessus advertised.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10829
    published: 2001-12-29
    reporter: This script is Copyright (C) 2001-2019 by John Lampe & Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/10829
    title: UPnP Client Detection
    code
    #
    # This script was written by John [email protected]
    #
    # Purpose: detect a UPnP client.  The target is sent one unsolicited,
    # unicast SSDP NOTIFY (ssdp:alive) whose LOCATION header points back at
    # this scanner on a random high port; if the target then tries to open
    # a TCP connection to that port to fetch the advertised description, it
    # is registered as a "upnp-client".  Detection only (risk_factor is
    # "None"): whether the host is also unpatched for the NOTIFY/Location
    # overflow is not tested here.

    # Changes by Tenable:
    # - Revised plugin title (9/8/09)


    include("compat.inc");

    if(description)
    {
     script_id(10829);
     script_version("1.26");
     script_cvs_date("Date: 2019/03/06 18:38:55");
    # CVE/BID references are left commented out: answering a NOTIFY shows
    # only that the host is a UPnP client, not that it is vulnerable.
    # script_cve_id("CVE-2001-0876");
    # script_bugtraq_id(3723);
     script_name(english: "UPnP Client Detection");

     script_set_attribute(attribute:"synopsis", value:
    "This machine is a UPnP client." );
     script_set_attribute(attribute:"description", value:
    "This machine answered to a unicast UPnP NOTIFY packet by trying to
    fetch the XML description that Nessus advertised." );
     script_set_attribute(attribute:"risk_factor", value:"None" );
     script_set_attribute(attribute:"solution", value:"n/a" );
     script_set_attribute(attribute:"plugin_publication_date", value: "2001/12/29");
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();


     script_summary(english: "UPnP scan");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2001-2019 by John Lampe & Tenable Network Security, Inc.");
     script_family(english: "Service detection");
     exit(0);
    }

    include('global_settings.inc');
    include('misc_func.inc');

    # A raw IPv4 packet is forged below (ip_v:4), so IPv6 targets and the
    # scanner host itself are skipped.
    if ( TARGET_IS_IPV6 ) exit(0);
    if (islocalhost())exit(0);

    # SSDP listens on UDP 1900; nothing to do if it is already known closed.
    if (! get_udp_port_state(1900)) exit(0);

    #script based on eeye advisory Multiple Remote Windows XP/ME/98 Vulnerabilities

    # returnport: random port in 32768..65535 advertised in LOCATION.  A SYN
    # from the target to this port is the detection signal.
    myaddr = compat::this_host();
    dstaddr = get_host_ip();
    returnport = rand() % 32768 + 32768;

      # SSDP NOTIFY / ssdp:alive advertisement.  HOST carries the SSDP
      # multicast group as the protocol expects, but the datagram is sent
      # unicast to the target; LOCATION points back at this scanner.
      mystring = string("NOTIFY * HTTP/1.1\r\n");
      mystring = mystring + string("HOST: ", "239.255.255.250" , ":1900\r\n");
      mystring = mystring + string("CACHE-CONTROL: max-age=10\r\n");
      mystring = mystring + string("LOCATION: http://" , myaddr, ":" , returnport , "/foo.xms\r\n");
      mystring = mystring + string("NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n");
      mystring = mystring + string("NTS: ssdp:alive\r\n");
      mystring = mystring + string("SERVER: NESSUS/2001 UPnP/1.0 product/1.1\r\n");
      mystring = mystring + string("USN: uuid:NESSUS\r\n\r\n");
      len = strlen(mystring);

      # NOTE(review): ip_len is fixed at the 20-byte header size and ip_dst
      # is not given; presumably forge_udp_packet/send_packet fix up the
      # total length and the destination defaults to the target -- confirm.
      ippkt = forge_ip_packet(
            ip_hl   :5,
            ip_v    :4,
            ip_tos  :0,
            ip_len  :20,
            ip_id   :31337,
            ip_off  :0,
            ip_ttl  :64,
            ip_p    :IPPROTO_UDP,
            ip_src  :myaddr
            );


      # UDP length = 8-byte UDP header + payload.  The source port is a
      # second random high port, unrelated to returnport.
      udppacket = forge_udp_packet(
            ip      :ippkt,
            uh_sport: rand() % 32768 + 32768,
            uh_dport:1900,
            uh_ulen :8 + len,
            data    :mystring
            );

    # Up to three attempts, 5 s each.  The pcap filter accepts either an
    # ICMP message or a TCP segment from the target addressed to
    # returnport.  (The filter string does not change between iterations.)
    for (i = 0; i < 3; i ++)
    {
      filter = strcat("src " , dstaddr , " and (icmp or (tcp and dst port ", returnport, " ))");
      r = send_packet(udppacket, pcap_active:TRUE, pcap_filter:filter, pcap_timeout: 5);
      # Need more than a minimal 20-byte IPv4 header; r[9] is the IPv4
      # protocol field (6 = TCP, 1 = ICMP).
      if (strlen(r) > 20)
      {
        if (ord(r[9]) == 6)
        {
          flags = get_tcp_element(tcp:r, element:"th_flags");
          # A SYN means the target acted on the LOCATION URL from an
          # unsolicited NOTIFY, i.e. it behaves as a UPnP client.  Either
          # way a TCP reply ends the probe.
          if (flags & TH_SYN)
          {
            security_note(port:1900,protocol:"udp");
    	register_service(port: 1900, proto: "upnp-client", ipproto: "udp");
          }
          exit(0);     
        }
        else if (ord(r[9]) == 1)
        {
          # ICMP: skip the IPv4 header (IHL * 4 bytes) and require the
          # 8-byte ICMP header to be present before reading type/code.
          hl = ord(r[0]) & 0xF; hl *= 4;
          if (strlen(r) >= hl + 8)
          {
            type = ord(r[hl + 0]);
            code = ord(r[hl + 1]);
    	# Type 3 = destination unreachable; code 3 = port unreachable,
    	# recorded in the KB so later plugins know UDP/1900 is closed.
    	if (type == 3)
    	{
    	  if (code == 3)
    	    set_kb_item(name: "/tmp/UDP/1900/closed", value: TRUE);
    	  exit(0);
    	}
          }
        }
      }
    }
    
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_XP_MS01-059.NASL
    description: Using a specially crafted NOTIFY directive, a remote attacker can cause code to run in the context of the Universal Plug and Play (UPnP) subsystem or possibly launch a denial of service attack against the affected host. Note that, under Windows XP, the UPnP subsystem operates with SYSTEM privileges.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10835
    published: 2002-01-25
    reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/10835
    title: MS01-059: Unchecked Buffer in Universal Plug and Play can Lead to System Compromise (315000)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # Purpose: local (authenticated, registry-based) check for the MS01-059
    # UPnP hotfix on Windows XP.  Reports a hole when hotfix 315000 is
    # absent from the enumerated hotfix list; no network probe is sent.

    include("compat.inc");

    if(description)
    {
     script_id(10835);
     script_version("1.35");

     script_cve_id("CVE-2001-0876", "CVE-2001-0877");
     script_bugtraq_id(3723);
     script_xref(name:"MSKB", value:"315000");
     script_xref(name:"MSFT", value:"MS01-059");

     script_name(english:"MS01-059: Unchecked Buffer in Universal Plug and Play can Lead to System Compromise (315000)");
     script_summary(english:"Determines the presence of hotfix Q315000");
     
     script_set_attribute(
      attribute:"synopsis",
      value:
    "The Universal Plug and Play service on the remote host is prone to
    denial of service and buffer overflow attacks." );
     script_set_attribute(
      attribute:"description", 
      value:
    "Using a specially crafted NOTIFY directive, a remote attacker can
    cause code to run in the context of the Universal Plug and Play (UPnP)
    subsystem or possibly launch a denial of service attack against the
    affected host.

    Note that, under Windows XP, the UPnP subsystem operates with SYSTEM
    privileges." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-059");
     script_set_attribute(
      attribute:"solution", 
      value:
    "Microsoft has released a set of patches for Windows 98, 98SE, ME, and
    XP.");
     # Note: this vector rates impact Complete on all three axes
     # (C:C/I:C/A:C); other scorings of CVE-2001-0876 give 7.5 with Partial
     # impacts, so severity differs by source.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2002/01/25");
     script_set_attribute(attribute:"patch_publication_date", value: "2001/12/20");
     script_set_attribute(attribute:"vuln_publication_date", value: "2001/12/20");
     script_cvs_date("Date: 2018/11/15 20:50:32");

     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();

     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
     family["english"] = "Windows : Microsoft Bulletins";
     script_family(english:family["english"]);
     
     # Needs the hotfix enumeration from smb_hotfixes.nasl and SMB access
     # (139/445); without the registry KB entry the check cannot run.
     script_dependencies("smb_hotfixes.nasl");
     script_require_keys("SMB/Registry/Enumerated");
     script_require_ports(139, 445);
     exit(0);
    }


    include("smb_func.inc");
    include("smb_hotfixes.inc");


    # Only Windows XP is evaluated (xp:1).  The solution text also names
    # Windows 98/98SE/ME, but those platforms get no verdict from this
    # plugin.  NOTE(review): hotfix_check_sp(xp:1) presumably returns > 0
    # only for XP below SP1 -- confirm in smb_hotfixes.inc.
    if ( hotfix_check_sp(xp:1) <= 0 ) exit(0);

    # Hotfix 315000 missing from the registry-enumerated list -> report a
    # hole on the SMB transport port in use.
    if ( hotfix_missing(name:"315000") > 0  )
      security_hole(kb_smb_transport());