Loading ...
Sorry, an error occurred while loading the content.


Expand Messages
  • Yolanda Phelan
    Sent: Thursday, December 20, 2001 6:11 PM Subject: Road Runner Security Alert 12/20/01 Dear List member I read this on another list. Landa This is an urgent
    Message 1 of 1 , Dec 20, 2001
      Sent: Thursday, December 20, 2001 6:11 PM
      Subject: Road Runner Security Alert


      Dear List member I read this on another list.


      This is an urgent notification for our customers using Microsoft Windows
      XP or who have installed the Windows XP Internet Connection Sharing client
      Windows 98 or 98SE. You are strongly urged to take immediate action
      regarding a critical Microsoft security flaw. This security flaw does not
      effect Macintosh users.

      At the end of this notification is a broad technical summary. Here's the
      short one:

      Multiple flaws in XP allows a malicious user to exploit a security hole
      allows complete access to any default installation of Windows XP. With
      access this security flaw gives, the cracker would be able to launch
      of Service (DoS) attacks or numerous other illegal activities. This can
      be done remotely and any complaints about these activities would lead back
      your modem if your system was vulnerable to this attack.

      This is, according to Microsoft, an "unprecedented" risk to consumers due
      this flaw in the Windows operating system. The official Microsoft
      can be reached by clicking below.


      Fox News is reporting on it,
      and CNN's coverage can be found by clicking


      Road Runner has also provided a link on it's Help and Member Services page
      http://help.rr.com for your convenience.

      All Windows XP customers are urged to install the patches available at the
      above Microsoft link as soon as possible. Windows 98, 98SE or ME
      are strongly urged to patch their computers as soon as possible if they
      installed and are running the Universal Plug and Play service or who have
      installed the Windows XP Internet Connection Sharing client on Windows 98

      This has the potential to be much worse than the Code Red or Nimda
      because the payload can be whatever the attacker chooses. It might be a
      portscanning of other computer users, it might be spam email sent from
      computer, it could be something much worse such as re-formatting your hard
      drive which would cause you to need to re-install everything on your


      Anthony Olson
      Regional Security and Abuse Coordinator
      Road Runner

      Technical Summary

      Systems Affected:
      Microsoft Windows XP (All default systems)
      Microsoft Windows 98 (Certain configurations)
      Microsoft Windows 98SE (Certain configurations)
      Microsoft Windows ME (Certain configurations)

      Windows XP ships by default with a UPNP (Universal Plug and Play) Service
      which can be used to detect and integrate with UPNP aware devices. Windows
      ME does not ship by default with the UPNP service, however some OEM
      do provide the UPNP service by default. Also its possible to install the
      Windows XP Internet Connection Sharing on top of Windows 98, therefore
      making it vulnerable.

      "UPNP architecture offers pervasive peer-to-peer network connectivity of
      of all form factors, intelligent appliances, and wireless devices. UPNP
      architecture leverages TCP/IP and the Web to enable seamless proximity
      networking in addition to control and data transfer among networked
      in the home, office, and everywhere in between." as described on upnp.org.

      This advisory covers three vulnerabilities within Microsoft's UPNP
      implementation. A remotely exploitable buffer overflow to gain SYSTEM
      access to any default installation of Windows XP, a Denial of Service
      attack, and a Distributed Denial of Service (DDoS) attack.
      The SYSTEM Remote exploit

      The first vulnerability, within Microsoft's implementation of the UPNP
      protocol, can result in an attacker gaining remote SYSTEM level access to
      any default installation of Windows XP. SYSTEM is the highest level of
      access within Windows XP.

      The DoS and DDoS

      UPNP consists of multiple protocols, one of which being the Simple Service
      Discovery Protocol (SSDP). When a UPNP enabled device is installed on a
      network, whether it be a computer, network device, or even a household
      appliance, it sends out an advertisement to notify control points of its
      existence. On a default XP installation, no support is added for device
      control as it would be the case in an installation of UPNP from "Network

      Although Microsoft added default support for an "InternetGatewayDevice."
      a sniffer is run on a network with XP, XP can be observed searching for
      device as XP is loading. This support was added to aid leading network
      hardware manufactures in making UPnP enabled "gateway devices".
      By sending a malicious spoofed UDP packet containing an SSDP
      an attacker can force the XP/ME client to connect back to a specified IP
      address and pass on a specified HTTP/HTTPS request.

      A malicious attacker could specify a chargen service on a remote machine
      causing the XP client to connect and get caught in a tight read/malloc
      loop. Doing this will throw the machine into an unstable state where CPU
      utilization is at %100 and memory is being allocated to the point that it
      totally consumed. This basically makes the remote XP system completely
      unusable and requires a physical power off shutdown.

      Attackers could also use this exploit to control other XP machine's,
      such machines to perform Unicode attacks, double decode, or random CGI
      exploiting. Due to the insecure nature of UDP an attacker can exploit
      security holes on a web server using UPNP with almost total anonymity.
      One of the bigger problems, and why this can become a DDoS attack, is that
      this SSDP announcement can be sent to broadcast addresses and multicast.
      is therefore possible to send one UDP packet causing all XP machines on
      target network to be navigated to the URL of choice, performing an attack
      of choice.

      Also since parts of the UPNP service are implemented as UDP, it makes all
      > of these attacks ***completely untraceable***.
    Your message has been successfully submitted and would be delivered to recipients shortly.