Snort mailing list archives
UPnP unchecked buffer vulnerability in WinXP
From: John Sage <jsage () finchhaven com>
Date: Thu, 20 Dec 2001 21:58:49 -0800
Regarding the just-announced "Buffer Overflow in UPnP Service On Microsoft Windows" vulnerability, see:
http://www.eeye.com/html/Research/Advisories/AD20011220.html
http://www.cert.org/advisories/CA-2001-37.html

After a *very* quick reading of MS Security Bulletin MS01-059, see:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

specifically:

"..Mitigating factors: General: Standard firewalling practices (specifically, blocking ports 1900 and 5000) could be used to protect corporate networks from Internet-based attacks."

and a scan of the ports list at:

http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html

specifically:

ssdp 1900/tcp #SSDP
ssdp 1900/udp #SSDP

("Simple Service Discovery Protocol" see: http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt)

and:

upnp 5000/tcp #Universal Plug and Play

I'm going to put these *very* quick-n-dirty snort rules up on my firewall and see if anyone knocks...
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"TCP to 1900 SSDP-UPnP";)
alert tcp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"TCP from 1900 SSDP-UPnP";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"TCP to 5000 UPnP";)
alert tcp $EXTERNAL_NET 5000 -> $HOME_NET any (msg:"TCP from 5000 UPnP";)
#

and

#
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"UDP to 1900 SSDP-UPnP";)
alert udp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"UDP from 1900 SSDP-UPnP";)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"UDP to 5000 UPnP";)
alert udp $EXTERNAL_NET 5000 -> $HOME_NET any (msg:"UDP from 5000 UPnP";)
#

- John
--
Computers: they're really nothing but l's and O's
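
An added example, not part of the original post: a small Python evaluator for the header-only rules above, run against constructed packets to show what they will and will not alert on. The $HOME_NET value, the definition of $EXTERNAL_NET as everything outside it, and all packet addresses are assumptions; the message labels are normalized so the UDP rule to port 1900 is labelled UDP.

```python
import ipaddress
import re

# Assumed value: the post does not say what $HOME_NET is set to.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")

# The eight rules from the post (labels normalized; UDP-to-1900 labelled UDP).
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"TCP to 1900 SSDP-UPnP";)
alert tcp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"TCP from 1900 SSDP-UPnP";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"TCP to 5000 UPnP";)
alert tcp $EXTERNAL_NET 5000 -> $HOME_NET any (msg:"TCP from 5000 UPnP";)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"UDP to 1900 SSDP-UPnP";)
alert udp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"UDP from 1900 SSDP-UPnP";)
alert udp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"UDP to 5000 UPnP";)
alert udp $EXTERNAL_NET 5000 -> $HOME_NET any (msg:"UDP from 5000 UPnP";)
"""

RULE_RE = re.compile(
    r'alert (tcp|udp) (\S+) (\S+) -> (\S+) (\S+) \(msg:"([^"]*)";\)$')

def parse_rules(text):
    """Parse the header-only subset of Snort rule syntax used in the post."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        rules.append(m.groups())
    return rules

def addr_ok(var, ip):
    # Assumption: $EXTERNAL_NET is everything outside $HOME_NET.
    inside = ipaddress.ip_address(ip) in HOME_NET
    return inside if var == "$HOME_NET" else not inside

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def alerts_for(rules, proto, src, sport, dst, dport):
    """Return the msg of every rule whose header matches one packet."""
    return [msg for p, s, sp, d, dp, msg in rules
            if p == proto and addr_ok(s, src) and port_ok(sp, sport)
            and addr_ok(d, dst) and port_ok(dp, dport)]

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Constructed packet: reply from a web server to local ephemeral port 5000.
    print(alerts_for(rules, "tcp", "203.0.113.9", 80, "192.168.1.10", 5000))
```

Because the rules carry no flow, flag or content options, the constructed reply packet in the last lines also alerts as "TCP to 5000 UPnP", while SSDP traffic between two hosts inside $HOME_NET matches nothing.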