CVE-2001-0876
published 2001-12-20


Priority: P3 43 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 49.48% (98.7th percentile)
Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.

Detection & IOCs (extracted from sources)

port: 1900
command: NOTIFY *
snort:
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, cve CVE_2001_0876, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
snort:
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, cve CVE_2001_0876, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
bytes:
\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15
bytes:
\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA
  • The UPnP NOTIFY buffer overflow is triggered via an oversized Location header field in a NOTIFY directive. Detection should look for Location headers exceeding 128 bytes in UDP traffic to port 1900.
  • The exploit can be delivered over both TCP (port 5000) and UDP (port 1900), including via broadcast/multicast, allowing mass exploitation without knowing individual target IPs.
  • The UPnP service listens on broadcast and multicast interfaces; monitor for NOTIFY packets sent to broadcast/multicast addresses targeting UDP port 1900 with long Location headers.
  • Exploit (21189) opens a reverse/bind shell on port 1981; monitor for unexpected inbound connections to port 1981 on Windows hosts following UPnP anomalies.
  • Exploit (21188) spawns cmd.exe on port 7788; monitor for unexpected listening processes on port 7788 on Windows hosts.
  • Snort SID 2101388 uses a PCRE to detect Location headers longer than 128 characters in UPnP traffic: /^Location\x3a[^\n]{128}/smi — use this pattern for network-level detection.
  • Vulnerability scanners (e.g., Nessus) frequently report false positives for this CVE on systems other than Windows 98/ME/XP; correlate scanner findings with OS fingerprinting before acting.
  • This vulnerability only affects Windows 98, 98SE, ME, and XP SP0 (and lower). Systems running later Windows versions or non-Windows OSes are not vulnerable; scanner alerts on other platforms are false positives.
  • UPnP services are enabled by default on Windows XP; this significantly broadens the attack surface without user action.
  • Exploit 21189 (ArgoXP) explicitly targets Windows XP SP0 English version only; exploitation against other language versions or service pack levels may fail.
  • The UPnP service runs in the LOCAL SERVICE security context; successful exploitation grants attacker control at that privilege level, not necessarily SYSTEM.
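As an added illustration of the detection logic in the notes above (this is not code from the page's sources), the following Python applies the Snort SID 2101388 threshold of 128 non-newline bytes after "Location:" to raw UDP/1900 payloads; the two sample datagrams and the 192.0.2.10 address are constructed for the example.

```python
import re
from dataclasses import dataclass

# Threshold taken from Snort SID 2101388 (isdataat:128,relative).
LOCATION_THRESHOLD = 128
# Same expression as the rule's pcre option, /^Location\x3a[^\n]{128}/smi, on the raw datagram.
LOCATION_OVERFLOW_RE = re.compile(rb"^Location\x3a[^\n]{128}", re.S | re.M | re.I)
# Request line that SID 2101384 keys on ("NOTIFY * ").
NOTIFY_START_RE = re.compile(rb"^NOTIFY \* HTTP/1\.[01]\r?\n", re.I)


@dataclass
class SsdpFinding:
    is_notify: bool      # payload starts with a NOTIFY request line
    location_len: int    # bytes following "Location:" up to end of line (0 if absent)
    overflow: bool       # True when the Location line is at least 128 bytes, as the rule requires


def inspect_ssdp_datagram(payload: bytes) -> SsdpFinding:
    """Classify one UDP/1900 payload the way the two Snort rules on this page do."""
    is_notify = NOTIFY_START_RE.match(payload) is not None
    location_len = 0
    for line in payload.split(b"\n"):
        if line[:9].lower() == b"location:":
            location_len = len(line[9:].rstrip(b"\r"))
            break
    overflow = LOCATION_OVERFLOW_RE.search(payload) is not None
    return SsdpFinding(is_notify, location_len, overflow)


def alerts_for(datagrams):
    """Return the indices of datagrams that would trigger the Location overflow rule."""
    return [i for i, d in enumerate(datagrams) if inspect_ssdp_datagram(d).overflow]


# Constructed sample traffic (not captured data): an ordinary advertisement and an oversized Location.
BENIGN_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"LOCATION: http://192.0.2.10:2869/upnphost/udhisapi.dll?content=uuid:example\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n\r\n"
)
OVERSIZED_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n" + b"HOST: 239.255.255.250:1900\r\n"
    + b"LOCATION: http://192.0.2.10/" + b"A" * 200 + b"\r\n"
    + b"NT: upnp:rootdevice\r\n" + b"NTS: ssdp:alive\r\n\r\n"
)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_NOTIFY), ("oversized", OVERSIZED_NOTIFY)):
        print(name, inspect_ssdp_datagram(pkt))
```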