Vulnerabilities of Windows XP
Brock Prince, Dana Zottola
ECE 578, Spring 2002, C.K. Koc

Outline
- Introduction
- Universal Plug and Play (UPnP)
- Unchecked Buffer
- Denial of Service
- Distributed Denial of Service
- Discovery of Vulnerabilities
- Patch
- Conclusions

Introduction
- Universal Plug and Play is a valuable feature and a growing trend in network systems
- Windows XP was claimed to be secure against hackers
- 3 vulnerabilities found related to UPnP in Windows XP

Universal Plug and Play (UPnP)
- Detects and connects to:
  - Computers
  - Intelligent appliances
  - Wireless devices
- Defines a set of protocols for connection
- Allows for easy configuration

Universal Plug and Play (UPnP)
- Example: a user connects a laptop to:
  - Network
  - Print server
  - DSL router
  - Fax machine
  - Other computers

Universal Plug and Play (UPnP)
- Six basic layers:
  - Device addressing
  - Device discovery
  - Device description
  - Action invocation
  - Event messaging
  - Presentation or human interface

Remotely Exploitable Buffer
- An attacker can gain remote SYSTEM-level access to any default installation of Windows XP
- Unchecked buffer in one of the components that handle the NOTIFY directives
- By sending a specially malformed NOTIFY directive, an attacker can run code in the context of the UPnP subsystem, which runs with SYSTEM privileges on Windows XP

Denial of Service Attack
- Denial of Service (DoS) attacks crash a system, and the user has to physically power-cycle the machine to regain functionality
- The UPnP feature of Windows XP leaves the system vulnerable to DoS attacks

Distributed Denial of Service Attack
- Distributed Denial of Service (DDoS) attacks cause many systems to flood or attack a single host
- The UPnP and raw socket support features of Windows XP leave the system vulnerable to DDoS attacks

Raw Sockets (Not Related to UPnP)

Discovery of Vulnerabilities
- eEye Digital Security
  - Believe there are several security issues with the UPnP protocol
  - Found 3 vulnerabilities within Microsoft's implementation of UPnP
  - Alerted Microsoft immediately upon discovery of the vulnerabilities

Patch
- Available soon after the vulnerabilities were discovered
- Downloadable from: http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

Conclusions
- UPnP is a good idea
- Windows XP is vulnerable upon default installation, but a patch is available
- Raw socket support is still under debate

References
[1] http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34951
[2] http://www.microsoft.com/technet/security/bulletin/ms01-059.asp
[3] http://www.eeye.com/html/press/PR20011220.html
[4] http://www.eeye.com/html/Research/Advisories/AD20011220.html
[5] http://special.northernlight.com/windowsxp/security_flaw.htm#doc
[6] http://grc.com/dos/xpsummary.htm
[7] http://special.northernlight.com/windowsxp/pentagon.htm#doc
[8] http://www.nwfusion.com/news/2001/1015threatxp.html
[9] http://www.irchelp.org/irchelp/nuke/
[10] http://www.cnet.com/software/0-6688749-8-7004399-6.html
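The "Remotely Exploitable Buffer" slide describes an unchecked buffer reached through a malformed SSDP NOTIFY directive. The following is an added example, not part of the slides and not Microsoft's or eEye's code: a strict validator for SSDP NOTIFY datagrams of the kind a filtering proxy or IDS would run before a message reaches the UPnP subsystem. The length bounds (MAX_LINE_LEN, MAX_HEADER_COUNT, MAX_MESSAGE_LEN) and the two sample datagrams are constructed assumptions, not values from the advisory; the point is that any message whose structure is malformed or whose header values are oversized is rejected before a fixed-size buffer could be asked to hold them.

```python
"""Strict validator for SSDP NOTIFY datagrams (added example, not from the slides).

UPnP device discovery uses SSDP, an HTTP-like protocol carried over UDP.
Parsing each NOTIFY message strictly and dropping anything that is not
well formed is a defender-side check against the unchecked-buffer class
of bug the slides describe. All limits below are assumed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_LINE_LEN = 512      # assumed bound on any single header line
MAX_HEADER_COUNT = 32   # assumed bound on the number of headers
MAX_MESSAGE_LEN = 4096  # assumed bound on the whole datagram
REQUIRED_HEADERS = ("host", "nt", "nts", "usn")  # mandatory SSDP NOTIFY headers


@dataclass
class Verdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)
    headers: Dict[str, str] = field(default_factory=dict)


def validate_notify(datagram: bytes) -> Verdict:
    """Parse an SSDP NOTIFY datagram strictly and return a verdict.

    Any structural anomaly (oversized message or lines, non-ASCII bytes,
    bad request line, duplicate or missing mandatory headers) rejects it.
    """
    v = Verdict(ok=True)
    if len(datagram) > MAX_MESSAGE_LEN:
        v.ok = False
        v.reasons.append("datagram exceeds MAX_MESSAGE_LEN")
        return v
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        v.ok = False
        v.reasons.append("non-ASCII bytes in message")
        return v
    if "\r\n\r\n" not in text:
        v.ok = False
        v.reasons.append("missing terminating blank line")
        return v
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        v.ok = False
        v.reasons.append(f"unexpected request line: {lines[0]!r}")
    if len(lines) - 1 > MAX_HEADER_COUNT:
        v.ok = False
        v.reasons.append("too many headers")
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:
            v.ok = False
            v.reasons.append("header line exceeds MAX_LINE_LEN")
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            v.ok = False
            v.reasons.append(f"malformed header line: {line[:40]!r}")
            continue
        key = name.strip().lower()
        if key in v.headers:
            v.ok = False
            v.reasons.append(f"duplicate header: {key}")
        v.headers[key] = value.strip()
    for required in REQUIRED_HEADERS:
        if required not in v.headers:
            v.ok = False
            v.reasons.append(f"missing required header: {required}")
    return v


# Constructed sample datagrams (not captured traffic).
GOOD_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    + b"HOST: 239.255.255.250:1900\r\n"
    + b"CACHE-CONTROL: max-age=1800\r\n"
    + b"LOCATION: http://192.0.2.10:5000/desc.xml\r\n"
    + b"NT: upnp:rootdevice\r\n"
    + b"NTS: ssdp:alive\r\n"
    + b"SERVER: ExampleOS/1.0 UPnP/1.0 example/1.0\r\n"
    + b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    + b"\r\n"
)

# One header value padded far beyond any sane length; a fixed-size buffer
# copying it unchecked would overflow, so the message is rejected outright.
OVERLONG_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    + b"HOST: 239.255.255.250:1900\r\n"
    + b"NT: upnp:rootdevice\r\n"
    + b"NTS: ssdp:alive\r\n"
    + b"USN: " + b"A" * 2000 + b"\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    for label, msg in (("good", GOOD_NOTIFY), ("overlong", OVERLONG_NOTIFY)):
        verdict = validate_notify(msg)
        print(label, "accepted" if verdict.ok else "rejected", verdict.reasons)
```

The validator fails closed: a header that is too long is neither copied nor recorded, so the same message also trips the missing-header check, and the reasons list records every anomaly rather than stopping at the first one, which is what an analyst wants when triaging what a rejected datagram was trying to do.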