Unchecked Buffer in Universal Plug and Play can Lead to System Compromise for Windows 98 (314941)


The information in this article applies to:

  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition
This article was previously published under Q314941

SYMPTOMS

Computers can use the Universal Plug and Play (UPnP) service to discover and use network-based devices. Microsoft Windows Millennium Edition (Me) and Microsoft Windows XP include UPnP services, but Windows 98 and Windows 98 Second Edition do not. However, the UPnP service can be installed on a Windows 98-based or Windows 98 Second Edition-based computer by installing the Internet Connection Sharing (ICS) client that is included with Windows XP.

This article describes two vulnerabilities that affect the implementation of UPnP in various products. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers process the discovery of new devices on the network.

The first vulnerability is a buffer-overrun vulnerability. There is an unchecked buffer in one of the Windows XP components that process NOTIFY directives (messages that advertise the availability of UPnP-capable devices on the network). By sending a specially-malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with system privileges on Windows XP. On Windows 98 and Windows Me, there are no security contexts, and all code runs as part of the operating system. This would enable the attacker to gain complete control over the computer.

The second vulnerability occurs because the UPnP service does not sufficiently limit the steps to which the UPnP service will go to obtain information about using a newly-discovered device. In the NOTIFY directive that a new UPnP device sends is information that tells interested computers where to obtain its device description, which lists the services the device offers, and provides instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations do not adequately regulate how it performs this operation, and this gives rise to two different denial-of-service scenarios.

In the first denial-of-service scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (such as, by having the Echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's computer directly, by using the computer's IP address. Or, the attacker could send this same directive to a broadcast and multicast domain and attack all Windows XP-based computers in that broadcast or multicast domain, consuming some or all of those system's availability.

In the second denial-of-service scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough computers responded to the directive, it could have the effect of flooding the third-party server with invalid requests, in a distributed denial-of-service attack. As with the first denial-of-service scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.

Mitigating Factors

General

Standard firewall practices (specifically, blocking ports 1900 and 5000) could be used to protect corporate networks from Internet-based attacks.

Windows 98 and Windows 98 Second Edition

  • There is no built-in UPnP support for these operating systems. Windows 98-based or Windows 98 Second Edition-based computers would only be affected if the ICS client from Windows XP had been installed on the computer.
  • If you do not have the Windows XP ICS client installed on your Windows 98 or Windows 98 Second Edition computer, you receive the following error message when you attempt to apply this patch:
    This update is not designed for your version of Windows.
  • Windows 98-based or Windows 98 Second Edition-based computers that have installed the ICS client from a Windows XP-based computer that has already applied this patch are not vulnerable.

Windows Me

Windows Me provides built-in UPnP support, but by default, it is not installed or running. However, some OEMs configure computers so that the UPnP service is installed and running.

Windows XP

Internet Connection Firewall (ICF), which runs by default, would impede an attacker's ability to mount a successful directed attack. However, because the ICF does not block incoming broadcast or multicast traffic, it would not protect against those attacks.

RESOLUTION

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that you determine are at risk of attack. Evaluate the computer's physical accessibility, network and Internet connectivity, and other factors to determine the degree of risk to the computer. See the associated Microsoft Security Bulletin to help determine the degree of risk. This hotfix may receive additional testing. If the computer is sufficiently at risk, we recommend that you apply this hotfix now.

To resolve this problem immediately, download the hotfix by following the instructions later in this article or contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled, if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question. The following file is available for download from the Microsoft Download Center:

English (US): DownloadDownload 314941usa8.exe now

Arabic: DownloadDownload 314941lar8.exe now

Enabled Arabic: DownloadDownload 314941ear8.exe now

Chinese (Simplified): DownloadDownload 314941chs8.exe now

Chinese (Traditional): DownloadDownload 314941cht8.exe now

Czech: DownloadDownload 314941cze8.exe now

Danish: DownloadDownload 314941dan8.exe now

Dutch: DownloadDownload 314941dut8.exe now

Finnish: DownloadDownload 314941fin8.exe now

French: DownloadDownload 314941frn8.exe now

German: DownloadDownload 314941ger8.exe now

Greek: DownloadDownload 314941grk8.exe now

Hebrew: DownloadDownload 314941lhe8.exe now

Enabled Hebrew: DownloadDownload 314941ehe8.exe now

Hungarian: DownloadDownload 314941hun8.exe now

Italian: DownloadDownload 314941itn8.exe now

Japanese: DownloadDownload 314941jpn8.exe now

Korean: DownloadDownload 314941kor8.exe now

Norwegian: DownloadDownload 314941nor8.exe now

Polish: DownloadDownload 314941pol8.exe now

Portuguese: DownloadDownload 314941por8.exe now

Portuguese (Brazil): DownloadDownload 314941brz8.exe now

Russian: DownloadDownload 314941rus8.exe now

Slovak: DownloadDownload 314941svk8.exe now

Slovenian: DownloadDownload 314941slo8.exe now

Spanish: DownloadDownload 314941spa8.exe now

Swedish: DownloadDownload 314941swe8.exe now

Thai: DownloadDownload 314941tha8.exe now

Turkish: DownloadDownload 314941trk8.exe now

Release Date: December 20, 2001

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:
   Date         Time   Version      Size     File name
   ------------------------------------------------------
   17-Dec-2001  11:54                 2,221  314941up.inf
   11-Dec-1997  05:33  4.72.2811.0   80,864  Advpack.dll
   12-Aug-1998  20:32                16,896  Csetup.exe
   27-Jul-1998  14:48  4.10.0.1998   36,864  Qfecheck.exe
   09-Feb-1996  17:28                 8,042  Qfecheck.hlp
   13-Dec-2001  17:37  4.90.3003.0   39,184  Ssdpapi.dll
   13-Dec-2001  17:38  4.90.3003.0   57,104  Ssdpsrv.exe
   13-Dec-2001  17:39  4.90.3003.0  133,904  Upnp.dll
   04-Dec-1997  12:02  4.71.704.0     2,272  W95inf16.dll
   04-Dec-1997  12:02  4.71.16.0      4,608  W95inf32.dll

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 98 and Windows 98 Second Edition.

MORE INFORMATION

For additional information about how to correct this problem in other operating systems, click the article numbers below to view the articles in the Microsoft Knowledge Base:

315000 Unchecked Buffer in Universal Plug and Play can Lead to System Compromise for Windows XP

314757 Unchecked Buffer in Universal Plug and Play can Lead to System Compromise for Windows Me

For additional information about Windows 98 and Windows 98 Second Edition hotfixes, click the article number below to view the article in the Microsoft Knowledge Base:

206071 General Information About Windows 98 and Windows 98 Second Edition Hotfixes

For more information about these vulnerabilities, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx

Modification Type:MajorLast Reviewed:10/21/2005
Keywords:kbHotfixServer kbQFE ATdownload kbbug kbenv kbfix kbQFE kbSecurity KB314941
©2004 Microsoft Corporation. All rights reserved.