FBI Urges Consumers, Companies to Take Additional Steps to Safeguard Windows XP

Fox News ^ | Friday Dec 21, 2001 | AP

[webster]

WASHINGTON

[HAL9000]

How come whenever Microsoft has a catastrophe like this - you disappear for several days? Get in here and defend your operating system!

Remember your recent boast that you can 'lock down' your systems against any and all intruders? Did you have your WinXP computer secured against this security disaster?

I know how to make Windows safe from hackers - yank out the Internet cable.

[webster]

UPNP - Multiple Remote Windows XP/ME/98 Vulnerabilities

Release Date:
December 20, 2001

Severity:
High

Systems Affected:
Microsoft Windows XP (All default systems)
Microsoft Windows 98 (Certain configurations)
Microsoft Windows 98SE (Certain configurations)
Microsoft Windows ME (Certain configurations)

Description:
Windows XP ships by default with a UPNP (Universal Plug and Play) service which can be used to detect and integrate with UPNP aware devices. Windows ME does not ship by default with the UPNP service; however, some OEM versions do provide the UPNP service by default. Also, it is possible to install the Windows XP Internet Connection Sharing on top of Windows 98, therefore making it vulnerable.

As described on upnp.org: "UPNP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. UPNP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between".

We at eEye believe that there are several security issues with the UPNP protocol itself; however, these more generic issues are out of the scope of this advisory. Expect a detailed paper to be released from eEye within the coming weeks.

This advisory covers three vulnerabilities within Microsoft's UPNP implementation. A remotely exploitable buffer overflow to gain SYSTEM level access to any default installation of Windows XP, a Denial-of-Service (DoS) attack, and a Distributed Denial-of-Service (DDoS) attack.

1. The SYSTEM Remote Exploit

The first vulnerability within Microsoft's implementation of the UPNP protocol can result in an attacker gaining remote SYSTEM level access to any default installation of Windows XP. SYSTEM is the highest level of access within Windows XP.

During testing of the UPNP service, we discovered that by sending malformed advertisements at various speeds we could cause access violations on the target machine. Most of these violations were due to pointers being overwritten. The following describes one instance of our testing:

Example Session:

NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=10
LOCATION: http://IPADDRESS:PORT/.xml
NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
NTS: ssdp:alive
SERVER: EEYE/2001 UPnP/1.0 product/1.1
USN: uuid:EEYE

If a buffer is incremented in the protocol, port, and uri fields of the Location URL and send sessions with 10,000 microsecond intervals, access violations will begin to be observed. In one situation, The EAX and ECX registers will contain addresses that are pulled from the memory that was overwritten and the svchost.exe process will access an invalid memory address at a "mov" instruction. It throws an access violation due to the fact that the destination address is an overwritten pointer, but there is nothing interesting at 0x41414141.

During our testing we discovered that there are multiple points of exploitation. We found instances of stack overflows and heap overflows, both of which were exploitable. In the case of the heap overflow we saw pointers being overwritten for both buffers and functions.

The SSDP service also listens on Multicast and Broadcast addresses. Therefore gaining SYSTEM access to an entire network of XP machines is possible with only one anonymous UDP SSDP attack session.

2. The DoS and DDoS

UPNP consists of multiple protocols, one of which being the Simple Service Discovery Protocol (SSDP). When a UPNP enabled device is installed on a network, whether it be a computer, network device, or even a household appliance, the device sends out an advertisement to notify control points of its existence. On a default XP installation, no support is added for device control as it would be the case in an installation of UPNP from "Network Services".

Although Microsoft added default support for an "InternetGatewayDevice", if a sniffer is run on a network with XP, XP can be observed searching for this device as XP is loading. This support was added to aid leading network hardware manufactures in making UPnP enabled "gateway devices".

By sending a malicious spoofed UDP packet containing an SSDP advertisement, an attacker can force the XP/ME client to connect back to a specified IP address and pass on a specified HTTP/HTTPS request.

An example session:

NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=1
LOCATION: URL
NT: urn: schemas-upnp-org:device:InternetGatewayDevice:1
NTS: ssdp:alive
SERVER: EEYE/2001 UPnP/1.0 PASSITON/1.1
USN: uuid:EEYE

The above packet data needs to be sent as a UDP packet to port 1900 of the XP/ME machine.

When the XP machine receives this request, it will interpret the URL following the LOCATION header entity. With no sanitizing of the URL it is passed on to the functions in the Windows Internet Services API. The string is broken down and the new session is created.

For example:
LOCATION: http://xptest.example.com:19/himom.html

A malicious attacker could specify a chargen service on a remote machine causing the XP client to connect and get caught in a tight read/malloc loop. Doing this will throw the machine into an unstable state where CPU utilization is at %100 and memory is being allocated to the point that it is totally consumed. This basically makes the remote XP system completely unusable and requires a physical power-off shutdown.

Attackers could also use this exploit to control other XP machines, forcing such machines to perform Unicode attacks, double decode, or random CGI exploiting. Due to the insecure nature of UDP, an attacker can exploit security holes on a web server using UPNP with almost total anonymity.

One of the bigger problems, and why this can become a DDoS attack, is that this SSDP announcement can be sent to broadcast addresses and multicast. It is therefore possible to send one UDP packet causing all XP machines on the target network to be navigated to the URL of choice, performing an attack of choice.

Also since parts of the UPNP service are implemented as UDP (in our opinion, a bad idea), it makes all of these attacks completely untraceable.

Vendor Status:
Microsoft has released a patch and security bulletin which is located at: http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

To verify that the patch has been installed on your system, do the following:

Windows 98 and 98SE:
Select Start, then Run, then run the QFECheck utility. If the patch is installed, "Windows 98 Q314941 Update" will be listed among the installed patches. To verify the individual files, use the file manifest provided in Knowledge Base article Q314941.

Windows ME:
Select Start, then Run, then run the QFECheck utility. If the patch is installed, "Windows Millennium Edition Q314757 Update" will be listed among the installed patches. To verify the individual files, use the file manifest provided in Knowledge Base article Q314757.

Windows XP:
Confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000. To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000\Filelist.

The Common Vulnerabilities and Exposures (CVE) project has assigned the following two IDs:
The Buffer Overflow: CAN-2001-0876
The Denial of Service: CAN-2001-0877
This is a candidate for inclusion in the CVE list http://cve.mitre.org) which standardizes names for security problems.

We would strongly suggest denying all UPNP traffic at your internet borders as there is really no need to allow UPNP traffic across the Internet. Also, it would be wise to completely turn off the UPNP services as most users are probably not utilizing them. The less services running on your machine, the safer you will be. The SSDP Discovery Service and Universal Plug and Play Host service should both be set to manual load.

Credit:
Discovery: Riley Hassell

With extra help from:
Ryan Permeh - for technical advice and exploitation analysis for those difficult reverse engineering situations that Ryan has wet dreams about.

Marc Maiffret - as always with superb technical insight helping to discover and exploit the vulnerabilities in this advisory and once again proving that two heads are better than one.

Neothoth - "The typing machine", for camping out day and night in the eEye lab hammering vulnerabilities in URL handlers. Neo rocks :)

Related Links:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

Greetings:
Mr. Patron and his tequila and the Three Wise Men (Jim, Jack and Johnny). Also Abraxas coffeeshop in Amsterdam.
eEye would like to offer thanks to all organizations supporting full disclosure, especially Securityfocus.com and NMRC. Don't let silly politics get in the way of what is right for everyone's security.

Oh yeah, one more thing:

Four score and numerous advisories ago, a security company set off to tell the world about its love of Tequila. However, little did people know, the team was not even legal. Now that the youngins Marc and Riley turned 21 this November we are all officially legal. That means the next time the NSA buys us beer at a SEC conference, they won't be breaking the law.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com

[Lessismore]

Former federal agent calls XP a threat to national security

Totally Bogus! Lots of people have Norton utilities installed which includes WipeInfo. Besides, if they outlaw wipe programs, only criminals will be able to wipe their files.

"Norton WipeInfo removes all traces of selected files or folders from your hard drive. It can also wipe the free space on your hard disk, insuring that previously deleted information is not left on your hard disk. You can use the Fast Wipe, which writes all zeros or any other character you choose. Alternately, you can use the Government Wipe, which is a 7-pass procedure that conforms to the method specified in DoD document 5220-22-M, National Industrial Security Program Operating Manual.

[webster]

"He acknowledges that savvy terrorists can use third-party tools, such as Evidence Eraser by Mad Hornet, to stifle forensics work..."

And Evidence Eliminator (my favorite) ;-)

[steve-b]

Microsoft considers disabling the "plug and play" features unnecessary.

Yeah, and Clinton considered impeachment a distraction from "the people's business".

Turning this sort of gaping security hole on by default is idiotic. It should be turned off, and turned on only by people who 1)need it for some defined purpose and 2)know what the hell they're doing.

[zog]

--anyone-you are being asked by microsoft and the us government that BOTH the glitch and the patch for it are "accidental", with the former necessitating the latter. Uh huh, yep, sure..

Mostly I gots a prob with that assumption, I don't think this was 'accidental". I think if folks are smart they'll trash that syetem and reformat, super DOD burn their disks, and start from scratch with something else.

And I won't point to it, but I've seen discussions in certain "enthusiast" newsgroups of another buffer overflow (sorta) exploit that is worse than this one, and there isn't any firewall for it. It's got some dudes who handle electronic wealth digits transfers more than a little sweaty last I looked (admittedly a few months ago).

[AshleyMontagu]

I can't wait until .NET comes out. We can have problems like this on our phones, pdas, computers, cars, ......

[steve-b]

How come whenever Microsoft has a catastrophe like this - you disappear for several days?

I think he tried to download the list of talking points from the MS web site, but some 133^ haquer d00d got into his system....

[elfman2]

"You know, I can recall Gibson talking about this months before XP was released. And he was, it turns out, a voice crying in the wilderness. "

I may be wrong, but I think this XP Security flaw and Gibson's warning of denial of service vulnerabilities are two separate issues. I remember Gibson warning how XP enables denial of service attacks on other computers 6 months ago when he got hacked.

It turned out that just a computer savvy 13 yo, not even a real hacker, got a hold of a program that allow the management and distribution of little hidden robot worm programs (bots) that can email copies of themselves to thousands of people and hide in their computer if the recipients are careless enough to open executables. They don't actually hurt the recipient's computer, but they can take commands from the bots author and then all at once turn on a third party's web site, bombarding it with millions of requests per page per second, effectively shutting it down. A good router in the proper place can generally eventually render these things next to harmless, but it takes work to set it up and it may need to be set up for each attack.

Gibson's warning was that XP fully implemented IP Sockets that enable these little bots to mask their IP address and therefore make blocking their attacks much more difficult. Before, someone simply had to configure the router to reject transmissions from the thousands of IPs from which these bots were running. Now with XP socket support, these bots can each hit a web site with thousand of requests per second pretending to be at a different IP address each time. It's then very hard to differentiate between a real page request and the denial of service attack.

[Capt. Tom]

Windows '95......works for me. Foolproof.

About a month ago I was asking my son what type of computer and operating system he has in work. He is rising in a well known company and I figured he had a super duper setup, since his computer at home is state of the art.

When he told me about his modest work computer with Win 95 I was amazed. He explaind his company regularly upgrades the computers and the Operating Systems. He has seen plenty of new upgrades to other Win systems that are less reliable. He passes on the upgrades in work and just keeps chugging along on an older computer with win 95 .

The reason his home computer is so far advanced over his work computer is they refused to build the older systems with win 95 for his home use.

So now he has at home, a 2 GHZ 512 super duper Ram -XP operating system with a major security leak. - Tom

[elfman2]

"I don't understand why folks don't secure their 'puter boxes (of any OS flavor) with a hardware firewall. It is easy and inexpensive while requiring no attention for monitoring software."

Because most people can't even set the timer on their VCR.

I agree firewalls help, but they are not foolproof. If the user runs an emailed executable, it could still take residence and mask its communication as being from a browser that the firewall will have already been set up to allow penetration.

[Rocky]

Microsoft declined to tell U.S. officials how many consumers downloaded and installed its fix during the first 24 hours it was available.

Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.

What an arrogant bunch of jerks.

[webster]

PING!

[Buckeroo]

What email are you talking about? Billy Gates BS stuff? All others are immune from the crap Gates set up.

[elfman2]

"What email are you talking about? Billy Gates BS stuff? All others are immune from the crap Gates set up."

Did you write this during an epileptic seizure?

[Buckeroo]

The only problems with security issues are with MS stuff ... to include MS email programs.

Bill Gates has done nothing for the internet but to show his lack of a college degree will crack his windows.

[elfman2]

I'm not going to defend MS's lack of concern for security other than to say that if Linux were the dominant consumer OS, worms and viruses would be written in Linux.

[Buckeroo]

Actually linux *IS* the internet router and server method. APACHE has withstood hackers for years; it is the predomininat method of routing not just because of low cost but because of ease for public use. Keep in mind that preceding the domininance of the public domain of the internet, we created the TCP/IP stack independent of Bill Gates.

[Buckeroo]

Within the UNIX community, we have few problems about all this hoopla concerning security. It is all built in, if you know a few simple steps to use it. It is available free on the internet, free of charge. Look it up, when you have time.