Snort mailing list archives

RE: SCAN UPnP service discover attempt


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 4 Jun 2003 10:48:33 -0500

Unless you really use it, I would disable the UPnP service entirely (as
well as the SSDP service.)  I wrote an article for Securityfocus [0]
about the buffer overflow that eEye found in SSDP (announced right after
the launch of XP), and the potential for exploitation of this service is
scary.  Microsoft appears to have given very little thought to the
potential for hacking this service.

The UPnP service is not started by default; however, the SSDP service is.
I would disable both, and have on every machine I use.

[0] http://www.securityfocus.com/infocus/1548

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

-----Original Message-----
From: Joerg Weber [mailto:j.weber () infos de] 
Sent: Wednesday, June 04, 2003 9:34 AM
To: SnortUsers
Subject: Re: [Snort-users] SCAN UPnP service discover attempt


Hi Mark,

I'm not exactly a Windows expert, but as far as I know, Windows XP
clients by default look for what is called UPnP device descriptions via
UPnP. That's why you're seeing these alerts, IMO.

Have a look at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
for some info about the UPnP service and bugs within it.

