The FBI's National Infrastructure Protection Center (http://www.nipc.gov) has issued a warning about the latest and greatest Windows security flaw, citing a Dec. 20, 2001, eEye Digital Security discovery.

"eEye has discovered three vulnerabilities within Microsoft's UPnP (Universal Plug and Play) implementation: a remotely exploitable buffer overflow that allows an attacker to gain SYSTEM level access to any default installation of Windows XP, a Denial of Service (DoS) attack, and a Distributed Denial of Service (DDoS) attack. eEye would like to stress the extreme seriousness of this vulnerability. Network administrators are urged to immediately install the patch released by Microsoft at http://www.microsoft.com/technet/security/bulletin/MS01-059.asp"

"The most serious of the three Windows XP vulnerabilities is the remotely exploitable buffer overflow. It is possible for an attacker to write custom exploit code that will allow them to execute commands with SYSTEM level access, the highest level of access within Windows XP."

"The other two vulnerabilities are types of denial of service attacks. The first is a fairly straightforward denial of service attack, which allows an attacker to remotely crash any Windows XP system. The crash will require Windows XP users to physically power down their machines and start them up again before the system will function. The second denial of service attack is a distributed denial of service attack. This vulnerability allows attackers to remotely command many Windows XP systems at once in an effort to make them flood/attack a single host."

According to the FBI, "UPnP is a service that identifies and uses network-based devices. There are two known vulnerabilities in the UPnP service. The first vulnerability involves a buffer overflow in the UPnP service that could give an attacker system or root level access. With this level of access, an attacker could execute any commands and take any actions they choose on the victim's computer.

"The second vulnerability is in the Simple Service Discovery Protocol (SSDP) that allows new devices on a network to be recognized by computers running UPnP by sending out a broadcast UDP packet. Attackers can use this feature to send false UDP packets to a broadcast address hosting vulnerable Windows systems. Once a vulnerable system receives this message, it will respond to the spoofed originating IP address. This can be exploited to cause a distributed denial of service attack.

"Another example of this vulnerability is if an attacker spoofed an address that had the character generator (chargen) service running. If a vulnerable machine were to connect to the chargen service on a system, it could become stuck in a loop that would quickly consume system resources."

How did this Windows security disaster happen? According to Steve Gibson (http://grc.com/UnPnP/UnPnP.htm): "The Universal Plug and Play service (UPnP), which is installed and running in all versions of Windows XP - and may be loaded into Windows 98 and ME - essentially turns every copy of those systems into wide-open Internet servers. This server listens for TCP connections on port 5000 and for UDP 'datagram' packets arriving on port 1900. This allows malicious hackers (or high-speed Internet worms) located anywhere in the world to scan for, and locate, individual Windows UPnP-equipped machines. Any vulnerabilities - known today or discovered tomorrow - can then be rapidly exploited. Note that the security of XP's built-in personal firewall was deliberately compromised to allow these unsolicited connections to take place. (You can verify this yourself by using our ShieldsUP! Port Probe to check for an open TCP port 5000 exposed to the outside world - right through XP's firewall.)"

If you want a quick fix to this problem, you can use Gibson's program at http://grc.com/files/UnPnp.exe. To fix it by hand (instructions from the NIPC web site):

In Windows XP
1. Click the "Start" button
2. Go to the "Control Panel" tab and press it
3. Go to the "Administrative Tools" folder and double click on it
4. Go to the "Services" icon and double click on it. It looks like two gears interlocked with each other
5. Scroll down until you see the "Universal Plug and Play Device Host" service and double click on it
6. A window will pop up with several tabs; on the "General" tab there will be a field called "Startup Type"
7. In the "Startup Type:" field, change the option to "Disabled" and click "Ok"

In Windows Millennium Edition
1. Click the "Start" button
2. Go to the "Control Panel" under Settings and select Add/Remove Programs
3. Select the "Windows Set-up" tab
4. In the Components field select "Communications"
5. In that Components field scroll down and uncheck the box to the left of "Universal Plug and Play"
6. Click "Ok"

In Windows 98 and Windows 98 Second Edition
There is no built-in UPnP support for these operating systems except in the case of computers on which the Windows XP Internet Connection Sharing client has been installed.
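The exposure Gibson and the NIPC describe (listeners on UDP 1900 and TCP 5000, SSDP replies sent to a spoofed source, replies aimed at a chargen port) can be checked for in a firewall or flow log. The following Python is an added example, not code from the article, eEye, Gibson or Microsoft; the flow-record format, the sample records and the 192.168.1.0/24 LAN are constructed for illustration.

```python
import ipaddress

# Constructed sample flow records (not from the article), one per line:
# "proto src_ip:src_port > dst_ip:dst_port". The LAN is assumed to be 192.168.1.0/24.
SAMPLE_FLOWS = """\
udp 203.0.113.7:40123 > 192.168.1.255:1900
udp 192.168.1.20:1900 > 203.0.113.9:1900
udp 192.168.1.20:1900 > 192.168.1.50:40211
tcp 198.51.100.4:51022 > 192.168.1.20:5000
udp 192.168.1.20:1900 > 198.51.100.200:19
tcp 192.168.1.20:1034 > 192.168.1.30:80
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
SSDP_PORT = 1900       # UDP listener Gibson describes
UPNP_TCP_PORT = 5000   # TCP listener Gibson describes
CHARGEN_PORT = 19      # character generator service named in the FBI advisory


def parse_flow(line):
    """Split one record into (proto, src_ip, src_port, dst_ip, dst_port)."""
    proto, rest = line.split(" ", 1)
    src, dst = (part.strip() for part in rest.split(">"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, ipaddress.ip_address(src_ip), int(src_port), ipaddress.ip_address(dst_ip), int(dst_port)


def classify(proto, src_ip, src_port, dst_ip, dst_port, local_net=LOCAL_NET):
    """Return a finding label for one flow, or None when nothing UPnP-related stands out."""
    src_local, dst_local = src_ip in local_net, dst_ip in local_net
    if not src_local and dst_local:
        if proto == "udp" and dst_port == SSDP_PORT:
            return "external-ssdp-probe"   # outside host sending to UDP 1900 (or the LAN broadcast)
        if proto == "tcp" and dst_port == UPNP_TCP_PORT:
            return "external-upnp-tcp"     # outside host reaching the TCP 5000 listener
    if src_local and not dst_local and proto == "udp" and src_port == SSDP_PORT:
        if dst_port == CHARGEN_PORT:
            return "ssdp-to-chargen"       # reply steered at chargen: the resource-exhaustion loop
        return "ssdp-reflection"           # SSDP reply leaving the LAN: spoofed-source flooding
    return None


def scan(text, local_net=LOCAL_NET):
    """Run classify() over every non-empty record; return [(label, record), ...]."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        label = classify(*parse_flow(line), local_net=local_net)
        if label:
            findings.append((label, line))
    return findings
```

Any "external-" finding means the UPnP listeners are reachable from outside (the condition Gibson's port probe checks for); the "ssdp-" findings are the traffic pattern of the two denial-of-service cases, and after the service is disabled or the patch applied they should stop appearing.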