CVE-2001-0877
Published 2001-12-20
Priority: P4 (24) · Severity: medium · CVSS 2.0 base score: 5 · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 43.76% (98.6th percentile)
Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to cause a denial of service via (1) a spoofed SSDP advertisement that causes the client to connect to a service on another machine that generates a large amount of traffic (e.g., chargen), or (2) via a spoofed SSDP announcement to broadcast or multicast addresses, which could cause all UPnP clients to send traffic to a single target system.
Detection & IOCs (extracted from sources)
- Port: 1900/udp
- Snort rule: alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, cve CVE_2001_0876, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
- Bytes: NOTIFY *
- Detect spoofed SSDP NOTIFY advertisements inbound on UDP port 1900 from external networks; the Snort rule (sid:2101384) triggers on the 'NOTIFY * ' string case-insensitively.
- CVE-2001-0877 detections from vulnerability scanners and untuned Snort sensors are frequently false positives; alerts on non-Windows 98/ME/XP systems should be treated as noise.
- IDS alerts for this CVE are commonly triggered by benign network discovery tools and Nessus scans correlated against untuned public-facing Snort sensors; tune accordingly before acting on alerts.
- The vulnerability only affects Windows 98, 98SE, ME, and XP (SP0 and lower); alerts firing on any other OS are false positives and should be suppressed.
- Attack vector 2 uses spoofed SSDP announcements to broadcast or multicast addresses, meaning detection rules scoped only to unicast traffic may miss this variant.
- Attack vector 1 abuses a spoofed SSDP advertisement to redirect the victim to a high-bandwidth service (e.g., chargen) on a third-party machine; the malicious traffic originates from the victim, not the attacker, complicating attribution.
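The Snort rule above fires on every 'NOTIFY * ' datagram, which is why it is so noisy. The following triage function, added here as an example and not part of this record or any vendor rule, goes one step further: it parses the SSDP headers and reports only the two conditions the description names, a LOCATION that points away from the sender (vector 1, with chargen/echo ports as an assumed high-traffic set) and such a spoofed advert sent to a multicast or broadcast address so that every client is redirected at once (vector 2). All datagrams and addresses in it are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Ports of chatty services an attacker could point LOCATION at; chargen (19)
# is the example the advisory gives, echo (7) is an assumed addition.
HIGH_TRAFFIC_PORTS = {7, 19}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_ssdp(payload: bytes):
    """Split an SSDP datagram into its request line and a lower-cased header map."""
    lines = payload.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def assess_notify(src_ip: str, dst_ip: str, payload: bytes) -> list:
    """Return finding tags for one inbound SSDP datagram (empty list = nothing suspicious)."""
    request_line, headers = parse_ssdp(payload)
    # Same trigger as the Snort rule: 'NOTIFY * ' matched case-insensitively.
    if not request_line.upper().startswith("NOTIFY * "):
        return []
    findings = []
    location = headers.get("location", "")
    try:
        parts = urlsplit(location)
        host, port = parts.hostname, (parts.port or 80)
    except ValueError:  # malformed port in LOCATION
        host, port = None, None
    # Vector 1: a genuine device advertises itself, so LOCATION should resolve
    # back to the sender; a third-party host or a chargen-style port means the
    # victim is being redirected to generate traffic somewhere else.
    if host is not None and host != src_ip:
        findings.append("location-host-mismatch")
    if port in HIGH_TRAFFIC_PORTS:
        findings.append("location-high-traffic-port")
    # Vector 2: the same spoofed advert sent to the SSDP multicast group or the
    # limited broadcast address reaches every listening client at once.
    # Directed broadcasts (e.g. 192.168.1.255) need the subnet mask; not handled.
    dst = ipaddress.ip_address(dst_ip)
    if findings and (dst.is_multicast or dst == LIMITED_BROADCAST):
        findings.append("multicast-fan-out")
    return findings
```

A legitimate announcement (LOCATION host equal to the sender, port 80) produces no findings even though it is sent to 239.255.255.250, which is the tuning the bullets above ask for.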
Suricata rule: GPL MISC UPnP malformed advertisement (created 2010-09-23; tagged CVE-2001-0876, also references CVE-2001-0877). This is the same sid:2101384 rule listed under Detection & IOCs above.
No public exploits indexed.
Related: Trail of Bits blog, 2016-05-05: The DBIR’s ‘Forest’ of Exploit Signatures
If you follow the recommendations in the 2016 Verizon Data Breach Investigations Report (DBIR), you will expose your organization to more risk, not less. The report’s most glaring flaw is the assertion that the TLS FREAK vulnerability is among the ‘Top 10’ most exploited on the Internet. No experienced security practitioner believes that FREAK is widely exploited. Where else did Verizon get it wrong?
This question undermines the rest of the report. The DBIR is a collaborative effort involving 60+ organizations’ proprietary data. It’s the single best source of information for enterprise defenders, which is why it’s a travesty that its section on vulnerabilities used in data breaches contains misleading data, analysis, and recommendations.
Verizon must ‘be better.’ They have to set a highe
References
- http://marc.info/?l=bugtraq&m=100887440810532&w=2
- http://marc.info/?l=ntbugtraq&m=100887271006313&w=2
- http://www.cert.org/advisories/CA-2001-37.html
- http://www.ciac.org/ciac/bulletins/m-030.shtml
- http://www.kb.cert.org/vuls/id/411059
- http://www.securityfocus.com/archive/1/249238
- http://www.securityfocus.com/bid/3724
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-059
- https://exchange.xforce.ibmcloud.com/vulnerabilities/7722