- Sent: Thursday, December 20, 2001 6:11 PM
Subject: Road Runner Security Alert
Dear List member I read this on another list.
This is an urgent notification for our customers using Microsoft Windows
XP or who have installed the Windows XP Internet Connection Sharing client
Windows 98 or 98SE. You are strongly urged to take immediate action
regarding a critical Microsoft security flaw. This security flaw does not
effect Macintosh users.
At the end of this notification is a broad technical summary. Here's the
Multiple flaws in XP allows a malicious user to exploit a security hole
allows complete access to any default installation of Windows XP. With
access this security flaw gives, the cracker would be able to launch
of Service (DoS) attacks or numerous other illegal activities. This can
be done remotely and any complaints about these activities would lead back
your modem if your system was vulnerable to this attack.
This is, according to Microsoft, an "unprecedented" risk to consumers due
this flaw in the Windows operating system. The official Microsoft
can be reached by clicking below.
Fox News is reporting on it,
and CNN's coverage can be found by clicking
Road Runner has also provided a link on it's Help and Member Services page
http://help.rr.com for your convenience.
All Windows XP customers are urged to install the patches available at the
above Microsoft link as soon as possible. Windows 98, 98SE or ME
are strongly urged to patch their computers as soon as possible if they
installed and are running the Universal Plug and Play service or who have
installed the Windows XP Internet Connection Sharing client on Windows 98
This has the potential to be much worse than the Code Red or Nimda
because the payload can be whatever the attacker chooses. It might be a
portscanning of other computer users, it might be spam email sent from
computer, it could be something much worse such as re-formatting your hard
drive which would cause you to need to re-install everything on your
Regional Security and Abuse Coordinator
Microsoft Windows XP (All default systems)
Microsoft Windows 98 (Certain configurations)
Microsoft Windows 98SE (Certain configurations)
Microsoft Windows ME (Certain configurations)
Windows XP ships by default with a UPNP (Universal Plug and Play) Service
which can be used to detect and integrate with UPNP aware devices. Windows
ME does not ship by default with the UPNP service, however some OEM
do provide the UPNP service by default. Also its possible to install the
Windows XP Internet Connection Sharing on top of Windows 98, therefore
making it vulnerable.
"UPNP architecture offers pervasive peer-to-peer network connectivity of
of all form factors, intelligent appliances, and wireless devices. UPNP
architecture leverages TCP/IP and the Web to enable seamless proximity
networking in addition to control and data transfer among networked
in the home, office, and everywhere in between." as described on upnp.org.
This advisory covers three vulnerabilities within Microsoft's UPNP
implementation. A remotely exploitable buffer overflow to gain SYSTEM
access to any default installation of Windows XP, a Denial of Service
attack, and a Distributed Denial of Service (DDoS) attack.
The SYSTEM Remote exploit
The first vulnerability, within Microsoft's implementation of the UPNP
protocol, can result in an attacker gaining remote SYSTEM level access to
any default installation of Windows XP. SYSTEM is the highest level of
access within Windows XP.
The DoS and DDoS
UPNP consists of multiple protocols, one of which being the Simple Service
Discovery Protocol (SSDP). When a UPNP enabled device is installed on a
network, whether it be a computer, network device, or even a household
appliance, it sends out an advertisement to notify control points of its
existence. On a default XP installation, no support is added for device
control as it would be the case in an installation of UPNP from "Network
Although Microsoft added default support for an "InternetGatewayDevice."
a sniffer is run on a network with XP, XP can be observed searching for
device as XP is loading. This support was added to aid leading network
hardware manufactures in making UPnP enabled "gateway devices".
By sending a malicious spoofed UDP packet containing an SSDP
an attacker can force the XP/ME client to connect back to a specified IP
address and pass on a specified HTTP/HTTPS request.
A malicious attacker could specify a chargen service on a remote machine
causing the XP client to connect and get caught in a tight read/malloc
loop. Doing this will throw the machine into an unstable state where CPU
utilization is at %100 and memory is being allocated to the point that it
totally consumed. This basically makes the remote XP system completely
unusable and requires a physical power off shutdown.
Attackers could also use this exploit to control other XP machine's,
such machines to perform Unicode attacks, double decode, or random CGI
exploiting. Due to the insecure nature of UDP an attacker can exploit
security holes on a web server using UPNP with almost total anonymity.
One of the bigger problems, and why this can become a DDoS attack, is that
this SSDP announcement can be sent to broadcast addresses and multicast.
is therefore possible to send one UDP packet causing all XP machines on
target network to be navigated to the URL of choice, performing an attack
Also since parts of the UPNP service are implemented as UDP, it makes all
> of these attacks ***completely untraceable***.