Information Security News mailing list archives

RE: PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft Windows


From: InfoSec News <isn () c4i org>
Date: Fri, 28 Dec 2001 01:14:41 -0600 (CST)

Forwarded from: "Marc Maiffret" <marc () eeye com>
CC: <mrs_aida_capistrano () hushmail com>

we found the DoS and reported it to MS the day after XP shipped. they
started working on that patch. then not too long after (forget exactly
how long) we found the DDoS and reported it. then not too long after we
found and reported the overflow.

the overflow is trivial to fix because it's a programming mistake. the
dos is a bit harder to fix and kind of sticky because it has to do
with design flaws in UPNP.

the ddos is a pain to fix. the guys that wrote the specs for the UPNP
protocol designed a flawed protocol. anyone that follows the protocol
specs will create a flawed system, as happened with XP.

fixing the DDoS attack is a sticky situation. you have to go against
how the protocol was designed which means you potentially are going to
break third party systems that were designed to use UPNP. microsoft
did a good job fixing the ddos in their UPNP implementation. they were
able to fix it and hopefully not completely break a lot of people's
ability to use UPNP. however i am sure there are (i know there are) a
lot of third party hardware device makers (wireless ethernet, home
hub/firewalls, toasters (hah) etc...) which are probably also
vulnerable to a lot of UPNP protocol level flaws.

people need to hold off on using UPNP until the protocol has been
written (rewritten) with security in mind. I am not sure how someone
was able to spec the UPNP protocol and not see the glaring theoretical
(yet proven once the spec is written as code) flaws in how UPNP is
supposed to communicate. hopefully the UPNP protocol does not catch on
in its current form otherwise we'll see a lot of devices being
exploited because they'll make the same mistakes that were in XP.

oh well, how do you stop a technology that's already being shoved
everywhere as the next greatest thing? this will be one of those cases
where everyone has to be bitten before they pull back their shoddy
technology, rework it, then re-release it. it's hard though for the
engineers at some companies to explain to management why they need to
delay shipping their product for a few months until they fix design
flaw problems. :-o my nipple just got shocked. must be my new
christmas gift that zaps me when i start rambling. i'll shut up now.

all in all MS took 2 months for 3 vulnerabilities and we don't think they
were trying to stall or something of that nature.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities


| -----Original Message-----
| From: mrs_aida_capistrano () hushmail com
| [mailto:mrs_aida_capistrano () hushmail com]
| Sent: Thursday, December 27, 2001 2:41 PM
| To: isn () attrition org
| Cc: marc () eeye com
| Subject: PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft
| Windows
|
|
|
| -----BEGIN PGP SIGNED MESSAGE-----
|
| Hi there,
|
| I posted this to the main security lists today, but no one seems
| interested. Chris at vulnwatch.org suggested I send it to attrition
| and I am copying Marc, in case he wishes to verify this chain of
| events or not. One can never tell if Microsoft is telling the
| truth or not :-(
|
|
|
| Dear Ladies and Gentlemen,
|
| The following official statement was published in a Microsoft
| news group on the 26th of December 2001 when many participants
| queried why it took nearly two months for a patch to be developed
| to address the Buffer Overflow in UPnP Service On Microsoft Windows:
|
| http://www.eeye.com/html/Research/Advisories/AD20011220.html
| http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
|
| It does not explain why these defective goods continued to ship
| for the Christmas sales season but might be of interest to people
| on these security mailing lists:
|
| direct link to news article on the server:
|
| news://news.microsoft.com/#qAgniljBHA.2260@tkmsftngp07
|
| <squirt>

[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

