CVE-2001-0876
Published 2001-12-20
Priority: P343 · Severity: high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 49.48% (98.7th percentile)
Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.
Detection & IOCs (extracted from the linked sources)
Port: 1900
Command: NOTIFY *
snort (sid 2101384, malformed advertisement):
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, cve CVE_2001_0876, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
snort (sid 2101388, Location overflow):
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, cve CVE_2001_0876, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
bytes (x86 shellcode prologue fragments quoted from the sources: a GetPC stub and an XOR-0x99 decoder stub; usable as payload signatures):
\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15
\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x66\x01\x80\x34\x0A\x99\xE2\xFA
- The UPnP NOTIFY buffer overflow is triggered by an oversized Location header in a NOTIFY directive. Detection should look for Location headers of 128 bytes or more in UDP traffic to port 1900.
- The exploit can be delivered over both TCP (port 5000) and UDP (port 1900), including via broadcast/multicast, which allows mass exploitation without knowing individual target IPs.
- The UPnP service listens on broadcast and multicast interfaces; monitor for NOTIFY packets sent to broadcast/multicast addresses on UDP port 1900 with long Location headers.
- Exploit-DB 21189 opens a shell on port 1981; monitor for unexpected inbound connections to port 1981 on Windows hosts following UPnP anomalies.
- Exploit-DB 21188 spawns cmd.exe bound to port 7788; monitor for unexpected listening processes on port 7788 on Windows hosts.
- Snort SID 2101388 uses a PCRE to detect Location headers of at least 128 bytes in UPnP traffic: /^Location\x3a[^\n]{128}/smi. The count starts immediately after the colon, so the separating space and the trailing CR of a CRLF line are part of the 128; use this pattern for network-level detection.
- Vulnerability scanners (e.g., Nessus) frequently report this CVE as a false positive on systems that are not Windows 98/ME/XP; correlate scanner findings with OS fingerprinting before acting.
- This vulnerability only affects Windows 98, 98SE, ME, and Windows XP without the MS01-059 patch (the original SP0 release). Later Windows versions and non-Windows OSes are not vulnerable; scanner alerts on other platforms are false positives.
- UPnP services are enabled by default on Windows XP, which broadens the attack surface without any user action. On Windows 98/98SE the vulnerable component is only present if the Windows XP Internet Connection Sharing client has been installed.
- Exploit 21189 (ArgoXP) explicitly targets the English version of Windows XP SP0 only; exploitation against other language versions or service pack levels may fail.
- The UPnP service runs in the LOCAL SERVICE security context; successful exploitation grants attacker control at that privilege level, not necessarily SYSTEM.
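To make the two GPL rules concrete, the following is an added example (not code from the advisory, the public exploits or the Snort/Suricata rule sets) that applies the same checks to raw SSDP payloads in Python: the "NOTIFY * " content match of sid 2101384, the ^Location:[^\n]{128} PCRE of sid 2101388, and the multicast-destination context from the notes above. It goes one step beyond the rules by also accepting the 5000/tcp listener the notes mention, which the UDP-only rules do not cover. The sample datagrams, the 192.0.2.x addresses, the notify_datagram builder and the triage tier are all constructed for this example and are assumptions, not page content. It also makes one tuning caveat visible: because the rule's 128-byte count begins right after the colon, a CRLF-terminated "Location: " line fires with a URL of only 126 characters.

```python
"""SSDP NOTIFY inspector mirroring the GPL rules for CVE-2001-0876.

Added example for this page; not code from the advisory, the exploits or
the Snort/Suricata rule sets. All datagrams below are constructed samples.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

SSDP_MCAST = ip_address("239.255.255.250")   # standard SSDP multicast group
# 1900/udp is what the GPL rules cover; 5000/tcp is the Windows XP UPnP
# listener the IOC notes mention, which those rules do not cover.
UPNP_PORTS = {1900, 5000}

# Same match semantics as sid 2101388's pcre:"/^Location\x3a[^\n]{128}/smi":
# header name at a line start, case-insensitive, then 128 non-newline bytes.
# The count starts right after the colon, so the separating space and the
# trailing CR of a CRLF line are included in the 128.
LOCATION_OVERFLOW_RE = re.compile(rb"^Location\x3a[^\n]{128}", re.S | re.M | re.I)
# sid 2101384: content:"NOTIFY * "; nocase;
NOTIFY_RE = re.compile(rb"NOTIFY \* ", re.I)


@dataclass
class Verdict:
    notify: bool              # sid 2101384 would fire
    location_overflow: bool   # sid 2101388 would fire
    location_len: int         # length of the Location value, whitespace stripped
    multicast_dst: bool       # addressed to the SSDP group: spray, not a unicast probe
    tier: str                 # hypothetical triage tier: none / info / medium / high


def location_value(payload: bytes) -> Optional[bytes]:
    """Return the first Location header value, or None if absent."""
    for line in payload.split(b"\n"):
        if line[:9].lower() == b"location:":
            return line[9:].strip()
    return None


def inspect(payload: bytes, dst_ip: str, dst_port: int) -> Verdict:
    """Apply both rule checks plus destination context to one datagram."""
    notify = NOTIFY_RE.search(payload) is not None
    overflow = LOCATION_OVERFLOW_RE.search(payload) is not None
    value = location_value(payload)
    mcast = ip_address(dst_ip) == SSDP_MCAST
    if dst_port not in UPNP_PORTS:
        tier = "none"
    elif overflow:
        tier = "high" if mcast else "medium"   # multicast = mass-exploitation attempt
    elif notify:
        tier = "info"
    else:
        tier = "none"
    return Verdict(notify, overflow, len(value) if value else 0, mcast, tier)


def notify_datagram(location: bytes) -> bytes:
    """Constructed SSDP NOTIFY advertisement with the given Location value."""
    return (b"NOTIFY * HTTP/1.1\r\n"
            b"HOST: 239.255.255.250:1900\r\n"
            b"CACHE-CONTROL: max-age=1800\r\n"
            b"LOCATION: " + location + b"\r\n"
            b"NT: upnp:rootdevice\r\n"
            b"NTS: ssdp:alive\r\n"
            b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
            b"\r\n")


SAMPLE_BENIGN = notify_datagram(b"http://192.0.2.10:80/desc.xml")
# Oversized host/port/path components, as the advisory describes (constructed).
SAMPLE_OVERFLOW = notify_datagram(b"http://192.0.2.10:80/" + b"A" * 300)
SAMPLE_MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                  b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')


def shortest_firing_url_len() -> int:
    """Smallest URL length (in a CRLF 'Location: ' line) that trips sid 2101388."""
    n = 0
    while not LOCATION_OVERFLOW_RE.search(notify_datagram(b"A" * n)):
        n += 1
    return n   # 128 minus the space after the colon and the trailing CR


if __name__ == "__main__":
    for name, pkt in [("benign", SAMPLE_BENIGN), ("overflow", SAMPLE_OVERFLOW),
                      ("m-search", SAMPLE_MSEARCH)]:
        print(name, inspect(pkt, "239.255.255.250", 1900))
    print("smallest URL length that trips sid 2101388:", shortest_firing_url_len())
```

Feed inspect() the UDP payload and destination of each captured datagram; a "high" tier is a long-Location NOTIFY sprayed at the multicast group, which is exactly the mass-exploitation pattern the notes describe, while "info" is an ordinary advertisement and only worth keeping as context.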
Suricata · 2010-09-23 · GPL MISC UPnP malformed advertisement (sid 2101384)
Rule: sid 2101384, as listed under Detection & IOCs above.
Suricata · 2010-09-23 · GPL MISC UPnP Location overflow (sid 2101388)
Rule: sid 2101388, as listed under Detection & IOCs above.
Exploit-DB · 2001-12-20 · Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (1)
---
// source: https://www.securityfocus.com/bid/3723/info
Universal Plug and Play, or UPnP, is a service that allows for hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME. For Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client. It should be noted that UPnP services are enabled on Windows XP by default.
When processing the location field in a NOTIFY directive, UPnP server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet.
It should b
Exploit-DB · 2001-12-20 · Microsoft Windows 98/XP/ME - UPnP NOTIFY Buffer Overflow (2)
---
// source: https://www.securityfocus.com/bid/3723/info
Description: the same SecurityFocus BID 3723 text as entry (1) above.
Tenable · 2016-05-18 · Verizon 2016 DBIR – Most Interesting Things, by Andrew Freeborn
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that organizations can use to check themselves against the common threats described in the Verizon DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This dashboard can ass
Tenable · 2016-05-18 · Verizon 2016 DBIR – Most Common Vulnerabilities, by Andrew Freeborn
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that can assist organizations in meeting many of the recommendations and best practices in the DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This ARC can assist an org
Trail of Bits · 2016-05-05 · The DBIR’s ‘Forest’ of Exploit Signatures
If you follow the recommendations in the 2016 Verizon Data Breach Investigations Report (DBIR), you will expose your organization to more risk, not less. The report’s most glaring flaw is the assertion that the TLS FREAK vulnerability is among the ‘Top 10’ most exploited on the Internet. No experienced security practitioner believes that FREAK is widely exploited. Where else did Verizon get it wrong?
This question undermines the rest of the report. The DBIR is a collaborative effort involving 60+ organizations’ proprietary data. It’s the single best source of information for enterprise defenders, which is why it’s a travesty that its section on vulnerabilities used in data breaches contains misleading data, analysis, and recommendations.
Verizon must ‘be better.’ They have to set a highe
References
http://marc.info/?l=bugtraq&m=100887440810532&w=2
http://marc.info/?l=ntbugtraq&m=100887271006313&w=2
http://www.cert.org/advisories/CA-2001-37.html
http://www.ciac.org/ciac/bulletins/m-030.shtml
http://www.kb.cert.org/vuls/id/951555
http://www.securityfocus.com/bid/3723
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-059
https://exchange.xforce.ibmcloud.com/vulnerabilities/7721