Bugtraq mailing list archives
Re: UPNP Denial of Service
From: "Patrick Chambet" <patrick.chambet () edelweb fr>
Date: Thu, 10 Jan 2002 18:43:59 +0100
The UPnP DoS code does what it is supposed to do, but that doesn't seem to bother Windows XP: the CPU utilization reaches 80% at the very maximum and returns to a stable state as soon as the attack stops. The same level of CPU utilization is reached with other kinds of attacks, like fragmented UDP packets or other services flooding for example. Extra data: - Server: Windows XP Pro US - Client: Linux RH 7.1 - Network: 10 Mb LAN Maybe Windows ME leads to other results. ___________________________________________ Patrick Chambet - MCP IT Security Consulting EdelWeb - ON-X Consulting Group http://www.edelweb.fr - http://www.on-x.com
We develop a code baseline to test the UPNP DOS. The dos consists in sending a udp packet to port 1900 with a NOTIFY request. This request has a URL that XP uses to open a tcp connection. The XP does not sanitize this request so whatever URL and port could be specified.
Once
the tcp connection is opened, a chargen code fills the XP memory and
the
machine gets into an unstable state with a 100% of cpu utilization. Gabriel Maggiotti, Fernando OubiƱa <<chargen.c>> <<upnp_udp.c>>
Current thread:
- UPNP Denial of Service Gabriel Maggiotti (Jan 09)
- Re: UPNP Denial of Service Patrick Chambet (Jan 10)