New Plug and Play vulnerability in Windows poses critical threat

This edition of The Locksmith takes an in-depth look at the recently revealed vulnerability in the Universal Plug and Play feature of Windows 98/Me/XP. The results are quite shocking. See why security experts are so concerned about this OS flaw.


One of the best things about Windows has been the way that newer versions seamlessly recognize hardware devices attached to the computer. Unfortunately, this Universal Plug and Play (UPnP) feature in XP has been found to have a flaw that makes Windows XP vulnerable to a denial of service attack and could also trigger a distributed denial of service attack on other systems. The vulnerability also applies to Windows 98 and Windows Me if UPnP has been installed.

Threat level: Critical
This threat is extremely dangerous because the operating system is put at risk merely through connecting to the Internet. No particular action is required to trigger an attack. In the words of the flaw’s discoverers, “eEye would like to stress the extreme seriousness of this vulnerability.”

Microsoft also describes the threat as “critical,” and the FBI’s National Infrastructure Protection Center has taken the extreme step of recommending that system administrators not merely apply the Microsoft patch but disable the Plug and Play feature altogether. According to a CNET report, Gartner Group says that this vulnerability could lead to a number of attacks by the “end of the first quarter of 2002.”

Since exploits for earlier UPnP vulnerabilities have already been published, I doubt that it will take three months for crackers to take advantage of these major new vulnerabilities, and I recommend that everyone with XP immediately install the appropriate patches and perhaps even disable the services entirely, as recommended by the NIPC.

Steve Gibson, at UnPlug n’ Pray, has posted a 22-KB utility that can remove plug and play features from all versions of Windows and will bring the software into compliance with the NIPC recommendations.

Applicability
Windows XP and Me include native UPnP support, so all releases of these operating systems are vulnerable, especially XP, which activates UPnP by default.

Some administrators who have started installing XP may have added UPnP support to Windows 98 and Windows 98 SE without realizing it. According to the relevant Microsoft security bulletin, MS01-059, this is done “via the Internet Connection Sharing client that ships with Windows XP.” Thus, if Windows 98/Me machines are connecting to a Windows XP machine running ICS, they are vulnerable to this threat.

Vulnerability
Windows XP’s UPnP actually poses two threats. The first is a buffer overrun vulnerability resulting from an unchecked buffer in a component that handles NOTIFY directives, which are messages that announce the availability of UPnP devices to other systems on the network. A malformed NOTIFY directive could allow an attacker to run arbitrary code through the UPnP subsystem, which has system privileges on XP. Microsoft goes on to report that “On Windows 98 and Windows Me, all code executes as part of the operating system. This would enable the attacker to gain complete control over the system.”

As if that weren’t bad enough, according to Microsoft: "The second vulnerability results because the UPnP implementations don’t sufficiently limit the steps to which they will go to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself."

Since UPnP doesn’t place enough limits on this process, the vulnerability creates two possible paths to a denial of service. First, a NOTIFY directive could point the device-description URL at a port on a remote system that simply echoes requests back; the attacked system would then enter a loop, repeatedly sending and receiving the same request. Second, an attacker could direct UPnP on many systems to a targeted third-party server and, if the attack could be launched from enough unsuspecting users’ systems, this would generate a distributed denial of service attack against that server.
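The two flaws described above both ride on the contents of a NOTIFY directive: an over-long header for the buffer overrun, and a LOCATION URL that sends the listener to a host other than the announcing device for the denial of service paths. The following script is an added example, not code from the article, from Microsoft, or from eEye; it parses SSDP NOTIFY messages and flags those properties the way a LAN monitoring tool on a defender’s network might. The 512-byte header threshold, the 192.168.1.0/24 “local network”, the sample announcements, and the rule that a device description should be served by the announcing host are all constructed assumptions for the example, not anything MS01-059 specifies.

```python
"""Defensive triage of SSDP NOTIFY directives (added example, not from the article).

Constructed assumptions: MAX_HEADER_VALUE, the default local network, and the
sample messages below are made up for illustration; none of this is Microsoft's
patch logic or captured traffic.
"""
import ipaddress
from urllib.parse import urlsplit

MAX_HEADER_VALUE = 512                     # constructed threshold for "over-long" header values
DEFAULT_LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN for the example
REFLECTOR_PORTS = {7, 19}                  # echo and chargen: never a legitimate description server


def parse_notify(raw: bytes) -> dict:
    """Parse the request line and headers of one SSDP NOTIFY message.

    Returns {"method": "NOTIFY", "headers": {NAME_UPPER: value}}.  Raises ValueError
    for anything that is not a well-formed NOTIFY so callers can treat it as hostile.
    """
    lines = raw.decode("latin-1").split("\r\n")
    request = lines[0].split(" ")
    if len(request) != 3 or request[0] != "NOTIFY" or request[1] != "*":
        raise ValueError(f"not a NOTIFY request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    return {"method": request[0], "headers": headers}


def assess_notify(raw: bytes, sender_ip: str, local_net=DEFAULT_LOCAL_NET) -> list:
    """Return a list of findings for one NOTIFY received from sender_ip.

    An empty list means the announcement looks like an ordinary LAN device.
    """
    try:
        headers = parse_notify(raw)["headers"]
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    findings = []

    # 1. Over-long header values: the buffer overrun in MS01-059 is reached through
    #    a malformed NOTIFY, and a legitimate LOCATION or USN value is short.
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"{name} value is {len(value)} bytes (> {MAX_HEADER_VALUE})")

    # 2. Where does LOCATION send the listener to fetch the device description?
    location = headers.get("LOCATION")
    if location is None:
        findings.append("no LOCATION header")
        return findings
    parts = urlsplit(location)
    if parts.scheme != "http" or not parts.hostname:
        findings.append(f"LOCATION is not a plain http URL: {location}")
        return findings
    try:
        host_ip = ipaddress.ip_address(parts.hostname)
        port = parts.port or 80
    except ValueError:
        # a hostname rather than an address, or an out-of-range port
        findings.append(f"LOCATION host/port cannot be resolved locally: {location}")
        return findings
    if str(host_ip) != sender_ip:
        findings.append(f"LOCATION host {host_ip} differs from sender {sender_ip}")
    if host_ip not in local_net:
        findings.append(f"LOCATION host {host_ip} is outside {local_net}")
    if port in REFLECTOR_PORTS:
        findings.append(f"LOCATION port {port} is an echo/chargen reflector, not an HTTP server")
    return findings


# Constructed sample announcements (not captured traffic).
BENIGN = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.10:49152/description.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleDevice/1.0\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
    b"\r\n"
)
# Description URL on a third-party host, on the echo port (TEST-NET-3 address).
REDIRECTED = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"LOCATION: http://203.0.113.5:7/description.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000002::upnp:rootdevice\r\n"
    b"\r\n"
)
# A LOCATION value padded far beyond anything a real device sends.
OVERLONG = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    + b"LOCATION: http://192.168.1.20/" + b"A" * 2000 + b"\r\n"
    + b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, msg, sender in (("benign", BENIGN, "192.168.1.10"),
                               ("redirected", REDIRECTED, "192.168.1.10"),
                               ("overlong", OVERLONG, "192.168.1.20")):
        print(label, assess_notify(msg, sender) or "ok")
```

The benign announcement produces no findings; the redirected one is flagged three times (host differs from sender, host outside the LAN, echo port), and the padded one is flagged once for its header length. Nothing here replaces the patch: the point is that the conditions the article describes are visible on the wire before any vulnerable host acts on them.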

Fix: Microsoft's advice
Microsoft has released patches addressing this vulnerability, as described in Microsoft Security Bulletin MS01-059, Unchecked Buffer in Universal Plug and Play can Lead to System Compromise. If you can’t install the patch for any reason, you can disable the subsystems following the directions in MS01-059’s FAQ:

Windows XP:

  1. Log on using an account that has administrative privileges.
  2. Click Start, then right-click on My Computer and select Manage.
  3. In the left-hand pane, click the “+” next to Services and Applications, then click on Services.
  4. In the right-hand pane, right-click on SSDP Discovery Service and select Properties.
  5. In the pull-down list titled Startup Type, select Disabled.
  6. In the Service Status section of the dialogue, click on Stop.
  7. Click OK to exit the dialogue, then close the Computer Management window.

Windows Me:

  1. Click Start, Settings, then select Control Panel.
  2. Select Add/Remove Programs.
  3. Select the tab titled Windows Set-up.
  4. In the Components field, select Communications, then Details.
  5. Uncheck the box for Universal Plug and Play.
  6. Click OK to exit the dialogue, then close the Windows Set-up dialogue.
  7. Reboot the machine.

Windows 98 or 98SE:

  1. Click Start, Settings, then select Control Panel.
  2. Select Add/Remove Programs.
  3. Select the tab titled Windows Set-up.
  4. In the Components field, select Communications, then Details.
  5. Uncheck the box for Universal Plug and Play.
  6. Click OK to exit the dialogue, then close the Windows Set-up dialogue.
  7. Reboot the machine.

Author’s note
The XP service UPnP Device Host is not vulnerable to this flaw and doesn’t need to be disabled, according to Microsoft.

Locksmith comments
This is an incredibly dangerous vulnerability, and it calls into question whether an organization currently considering an upgrade to XP (or buying new systems with XP loaded) should proceed with the XP deployment until further patches are published and rolled into a more robust release.

In case you missed it, this latest vulnerability (actually three in one) isn’t even the first plug and play problem. MS01-054, Invalid Universal Plug and Play Request can Disrupt System Operation, covered an earlier, less dangerous denial of service vulnerability due to yet another flaw in the UPnP subsystems.
