Snort mailing list archives

UPnP unchecked buffer vulnerability in WinXP


From: John Sage <jsage () finchhaven com>
Date: Thu, 20 Dec 2001 21:58:49 -0800

Regarding the just-announced "Buffer Overflow in UPnP Service On Microsoft Windows" vulnerability, see:

http://www.eeye.com/html/Research/Advisories/AD20011220.html

http://www.cert.org/advisories/CA-2001-37.html



After a *very* quick reading of MS Security Bulletin MS01-059, see:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

specifically:

"..Mitigating factors:

General:

Standard firewalling practices (specifically, blocking ports 1900 and 5000) could be used to protect corporate networks from Internet-based attacks."


and a scan of the ports list at:

http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html

specifically:

ssdp            1900/tcp        #SSDP
ssdp            1900/udp        #SSDP

("Simple Service Discovery Protocol" see: http://www.upnp.org/download/draft_cai_ssdp_v1_03.txt)


and:

upnp            5000/tcp        #Universal Plug and Play



I'm going to put these *very* quick-n-dirty snort rules up on my firewall and see if anyone knocks...

#
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"TCP to 1900 SSDP-UPnP";)
alert tcp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"TCP from 1900 SSDP-UPnP";)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"TCP to 5000 UPnP";)
alert tcp $EXTERNAL_NET 5000 -> $HOME_NET any (msg:"TCP from 5000 UPnP";)
#

and

#
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"UDP to 1900 SSDP-UPnP";)
alert udp $EXTERNAL_NET 1900 -> $HOME_NET any (msg:"UDP from 1900 SSDP-UPnP";)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"UDP to 5000 UPnP";)
alert udp $EXTERNAL_NET 5000 -> $HOME_NET any (msg:"UDP from 5000 UPnP";)
#



- John

--
Computers: they're really nothing but l's and O's
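
Added example (not part of John's post): a small Python model of how these eight rules evaluate against single packets, assuming $HOME_NET is 192.168.0.0/24 and $EXTERNAL_NET is the usual !$HOME_NET. It shows that an outside host using 1900 on both ends trips both the "to" and "from" rules, while the LAN's own SSDP multicast searches and replies trip nothing because neither address is external.

```python
import ipaddress
from dataclasses import dataclass
# Assumed Snort variables for this example; the post leaves them to the reader's snort.conf.
HOME_NET = ipaddress.ip_network("192.168.0.0/24")

def is_home(ip: str) -> bool:          # address inside $HOME_NET
    return ipaddress.ip_address(ip) in HOME_NET

def is_external(ip: str) -> bool:      # $EXTERNAL_NET modelled as 'var EXTERNAL_NET !$HOME_NET'
    return not is_home(ip)

@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    sport: str  # source port from the rule header: "any" or a number
    dport: str  # destination port: "any" or a number
    msg: str

# The eight rules from the post; every header reads $EXTERNAL_NET sport -> $HOME_NET dport.
RULES = [
    Rule("tcp", "any", "1900", "TCP to 1900 SSDP-UPnP"),
    Rule("tcp", "1900", "any", "TCP from 1900 SSDP-UPnP"),
    Rule("tcp", "any", "5000", "TCP to 5000 UPnP"),
    Rule("tcp", "5000", "any", "TCP from 5000 UPnP"),
    Rule("udp", "any", "1900", "UDP to 1900 SSDP-UPnP"),
    Rule("udp", "1900", "any", "UDP from 1900 SSDP-UPnP"),
    Rule("udp", "any", "5000", "UDP to 5000 UPnP"),
    Rule("udp", "5000", "any", "UDP from 5000 UPnP"),
]

def port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def alerts(proto: str, src: str, sport: int, dst: str, dport: int) -> list[str]:
    """Messages of every rule that fires for one packet src:sport -> dst:dport."""
    return [r.msg for r in RULES
            if r.proto == proto and is_external(src) and is_home(dst)
            and port_ok(r.sport, sport) and port_ok(r.dport, dport)]

# Constructed sample packets (not captured traffic).
SAMPLE = [
    ("tcp", "203.0.113.7", 4444, "192.168.0.10", 5000),      # outside host probing 5000/tcp
    ("udp", "198.51.100.2", 1900, "192.168.0.10", 1900),     # outside host, 1900 on both ends
    ("udp", "192.168.0.10", 1900, "239.255.255.250", 1900),  # local SSDP M-SEARCH to multicast
    ("udp", "192.168.0.5", 1900, "192.168.0.10", 3456),      # local device answering a search
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", alerts(*pkt))
```

Note that the rules as posted alert on every external packet touching those ports, so expect noise from Internet scanners rather than only exploit attempts.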

