
Warning, serious vulnerability in WinXP


zile ::

So, if you have WinXP, install this patch as soon as possible.
For info, surf over here.

andrej ::

more information:

- ----------------------------------------------------------------------
Title: Unchecked Buffer in Universal Plug and Play can Lead to System Compromise
Date: 20 December 2001
Software: Windows 98, Windows 98SE, Windows ME, Windows XP
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS01-059

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/securi...
- ----------------------------------------------------------------------

Issue:
======

The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network.

The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives - messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system.) This would enable the attacker to gain complete control over the system.

The second vulnerability results because UPnP doesn't sufficiently limit the steps the UPnP service will take to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations don't adequately regulate how they perform this operation, and this gives rise to two different denial of service scenarios.

In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast or multicast domain and attack all affected machines within earshot, consuming some or all of those systems' availability.

In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.

Mitigating Factors:
====================

General:
- Standard firewalling practices (specifically, blocking ports 1900 and 5000) could be used to protect corporate networks from Internet-based attacks.

Windows 98 and 98SE:
- There is no native UPnP support for these systems. Windows 98 and 98SE systems would only be affected if the Internet Connection Sharing Client from Windows XP had been installed on the system.
- Windows 98 and 98SE machines that have installed the Internet Connection Sharing client from a Windows XP system that has already applied this patch are not vulnerable.

Windows ME:
- Windows ME provides native UPnP support, but it is neither installed nor running by default. (However, some OEMs do configure pre-built systems with the service installed and running.)

Windows XP:
- Internet Connection Firewall, which runs by default, would make it significantly more difficult for an attacker to determine the IP address of an affected machine. This could impede an attacker's ability to attack a machine via unicast messages. However, attacks via multicast or broadcast would still be possible.

Risk Rating:
============

Buffer Overrun:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98, Windows 98SE and Windows ME

Denial of service:
- Internet servers: None
- Intranet servers: None
- Client systems: Moderate

Aggregate risk:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98, Windows 98SE and Windows ME

Patch Availability:
===================

- A patch is available to fix this vulnerability. Please read the Security Bulletin at
http://www.microsoft.com/technet/securi...
for information on obtaining this patch.

Acknowledgment:
===============

- eEye Digital Security (http://www.eeye.com)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.


--
For up to date IIS information:
http://support.microsoft.com/directory/...

Get Secure!
http://www.microsoft.com/security

Regards,

Jerry Bryant
Microsoft IT Communities



This posting is provided "AS IS" with no warranties, and confers no rights.
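Added illustration (example code written for this page, not Microsoft's code and not the MS01-059 patch) of the NOTIFY handling the bulletin describes. A UPnP NOTIFY is a small HTTP-style datagram sent to 239.255.255.250:1900 whose LOCATION header tells the receiver where to download the device description. The filter below parses such a datagram with every field length checked before it is stored, then refuses to start a download when LOCATION points at a host other than the one that sent the advertisement (the third-party flood scenario) or at a port that only reflects or streams data (the echo-loop scenario). The size caps, the suspect-port list and the "description must be served by the advertising host" rule are assumptions chosen for this demo; the spec, as the bulletin notes, allows a third-party description server. The sample datagrams are constructed.

```python
"""Receiver-side policy filter for SSDP NOTIFY advertisements (UPnP discovery).

Added example, not from the bulletin. Limits, SUSPECT_PORTS and the
host-must-match-sender rule are assumptions for this demo.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

MAX_MESSAGE = 2048              # assumption: cap on a whole SSDP datagram
MAX_HEADER_VALUE = 512          # assumption: no legitimate header value is longer
SUSPECT_PORTS = {7, 9, 13, 19}  # echo, discard, daytime, chargen: never serve XML


def parse_notify(raw: bytes) -> Dict[str, str]:
    """Parse the header block of a NOTIFY datagram into a dict.

    Every length is checked before a value is stored, which is the check the
    bulletin's 'unchecked buffer' lacked. Raises ValueError on anything out of policy.
    """
    if len(raw) > MAX_MESSAGE:
        raise ValueError("message too large")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in SSDP header")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        raise ValueError("not a NOTIFY directive")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            raise ValueError(f"header {name.strip().upper()} too long")
        headers[name.strip().upper()] = value
    return headers


def check_notify(raw: bytes, sender_ip: str) -> Tuple[bool, str]:
    """Return (accept, reason). Only an accepted ssdp:alive may trigger a download."""
    try:
        h = parse_notify(raw)
    except ValueError as e:
        return False, str(e)
    nts = h.get("NTS")
    if nts == "ssdp:byebye":
        return True, "byebye, nothing to download"
    if nts != "ssdp:alive":
        return False, "unknown NTS"
    loc = h.get("LOCATION")
    if not loc:
        return False, "alive without LOCATION"
    url = urlsplit(loc)
    if url.scheme != "http" or not url.hostname:
        return False, "LOCATION is not an http URL"
    try:
        port = url.port or 80
    except ValueError:
        return False, "LOCATION port is not numeric"
    if url.hostname != sender_ip:
        # Third-party scenario: the description is fetched only from the host
        # that advertised it, so a NOTIFY cannot aim the download elsewhere.
        return False, "LOCATION host differs from sender"
    if port in SUSPECT_PORTS:
        # Echo-loop scenario: a request to an echo-style port comes straight back.
        return False, f"LOCATION port {port} is a reflecting service"
    return True, "ok"


def build_notify(location: str, nts: str = "ssdp:alive") -> bytes:
    """Constructed NOTIFY datagram in the SSDP layout; the USN is a dummy."""
    return (
        "NOTIFY * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        f"LOCATION: {location}\r\n"
        "NT: upnp:rootdevice\r\n"
        f"NTS: {nts}\r\n"
        "SERVER: Demo/1.0 UPnP/1.0 Demo/1.0\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n"
        "\r\n"
    ).encode("ascii")


# Constructed samples: (address the datagram arrived from, datagram)
SAMPLES: List[Tuple[str, bytes]] = [
    ("192.168.1.10", build_notify("http://192.168.1.10:49152/desc.xml")),  # legitimate device
    ("192.168.1.10", build_notify("http://192.168.1.10:7/desc.xml")),      # echo-loop scenario
    ("192.168.1.10", build_notify("http://203.0.113.5/desc.xml")),         # third-party flood
    ("192.168.1.10", build_notify("http://192.168.1.10/" + "A" * 600)),    # oversized header field
    ("192.168.1.10", build_notify("http://192.168.1.10/", nts="ssdp:byebye")),
]


def audit(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[Tuple[str, bool, str]]:
    """Run the filter over a batch of received datagrams."""
    return [(ip, *check_notify(raw, ip)) for ip, raw in samples]


if __name__ == "__main__":
    for ip, ok, reason in audit():
        print(f"{ip:>14}  {'ACCEPT' if ok else 'DROP  '}  {reason}")
```

The point of the host and port checks is that a hardened receiver decides, before any download, whether it will follow the advertised LOCATION at all; a firewall rule on 1900 and 5000, as the bulletin suggests, keeps the datagram from arriving in the first place, and the two measures complement each other.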

andrej ::

Oh, and the simplest solution is to use a firewall. Which you should already be doing...

zile ::

DOES a firewall prevent an intrusion if the hole is in the OS itself?

Uporabnik ::

firewall -> set to block all traffic :)

andrej ::

zile: go and read what it's about. If you have a firewall, the packets don't even reach the module where the bug is.

zile ::

andrej: Well, now that I had the time I read the whole story. Before I just posted it quickly.

Would a corporate firewall protect against attacks from the Internet?

Yes. Most corporate firewalls block both multicast messages and unsolicited unicast messages. In addition, blocking ports 1900 and 5000 helps to protect against Internet based attacks.

Would Internet Connection Firewall (ICF) protect against this vulnerability?

ICF would provide some protection against an attack via unicast messages because, to carry out such an attack, the attacker would need to know the IP address of the target system. ICF causes the machine not to respond to port scans and other common methods of obtaining the IP address, so the attacker might be unable to learn the IP address, and hence unable to send a unicast message to it.

However, this would still leave the possibility of an attack via multicast or broadcast. Because the attacker wouldn't need to know a specific IP address in order to carry out such an attack, ICF wouldn't provide any protection against it.

So which firewall is worth using? Maybe BlackIce Defender, Zone Alarm, maybe something else?


sasox ::

The built-in firewall in XP will probably be quite enough for you.......otherwise something like Tiny Personal

Klemenn ::

I don't remember there being any news that andrej is no longer an admin?!!!!;((

sasox ::

jebidah: What's bothering you? :)

Klemenn ::

apparently I'll have to run classes on how to spell my name!!!!!!!!! jebediah

nothing's bothering me, I'd just like to know why, how he left :\:)

rc-car ::

ZoneAlarm is supposedly a very good firewall...
Nothings gonna stop me now, I'm breaking the rules, I'm gonna do it if its not allowed

kockish ::

ha, win2k is immune :D

andrej ::

who left?

Klemenn ::

you don't write news, and you don't have a picture next to your name either

andrej ::

exactly. I don't write news. I don't have a picture either, though it'd be cool.:D

otherwise I was never anything more than I am now...

