Rule: -- Sid: 1388 -- Summary: This event is generated when a remote user attempts to send a NOTIFY directive with an overly long Location URL to an internal host's Universal Plug and Play (UPnP) server. -- Impact: Attempted administrator access. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges. -- Detailed Information: The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive with an overly long Location URL to cause a buffer overflow on the remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges. -- Affected Systems: Microsoft Windows 98, 98SE, ME, XP -- Attack Scenarios: An attacker may obtain craft a malformed NOTIFY directive to execute arbitrary code on the victim host. -- Ease of Attack: Simple. Exploit code is freely available. -- False Positives: This event will be generated if external hosts are permitted to query for UPnP devices. -- False Negatives: None Known. -- Corrective Action: Block inbound UPnP traffic. -- Contributors: Original rule writer unknown. Modified by Brian Caswell <bmc@sourcefire.com> Sourcefire Research Team Judy Novak <judy.novak@sourcefire.com> -- Additional References: CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876 --