Possible Universal Plug and Play (UPnP) Vulnerability
Summary
Universal Plug and Play, or UPnP, is a service that allows hosts to
locate and use devices on the local network. UPnP support ships with
Windows XP and ME. For Windows 98 and 98SE, it is available with Windows
XP's Internet Connection Sharing client. Unpatched versions of UPnP
may be vulnerable to attack leading to system compromise.
The problem
(From SecurityFocus BID 3723) When processing the location field in a
NOTIFY directive, UPnP server process memory can be overwritten by data
that originated in the packet. If the IP address, port and filename
components are of excessive length, access violations will occur when
the server attempts to dereference pointers overwritten with data from
the packet.
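As an added defender-side example (not part of the original advisory), the following Python parses an SSDP NOTIFY datagram and flags a LOCATION header whose host, port or path component is abnormally long, which is the condition the advisory describes. The length thresholds and the sample datagrams are assumptions constructed for this illustration.

```python
import re

# Length thresholds are assumptions picked for this illustration; the advisory gives no numbers.
MAX_HOST_LEN = 64     # an IPv4 literal or short hostname fits easily
MAX_PORT_LEN = 5      # 1-65535 is at most five digits
MAX_PATH_LEN = 256    # device description URLs are normally short

# LOCATION is an absolute URL: scheme://host[:port][/path]
_LOCATION_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<host>[^:/]*)(?::(?P<port>[^/]*))?(?P<path>/.*)?$")

def parse_ssdp(packet: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw SSDP datagram into its request line and a header map (names upper-cased)."""
    head = packet.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def check_notify(packet: bytes) -> list[str]:
    """Return findings for a NOTIFY datagram whose LOCATION components look oversized."""
    request_line, headers = parse_ssdp(packet)
    if not request_line.upper().startswith("NOTIFY "):
        return []                      # only NOTIFY carries the field the advisory describes
    location = headers.get("LOCATION")
    if location is None:
        return []
    m = _LOCATION_RE.match(location)
    if m is None:
        return [f"LOCATION is not a well-formed URL ({len(location)} bytes)"]
    findings = []
    for name, limit in (("host", MAX_HOST_LEN), ("port", MAX_PORT_LEN), ("path", MAX_PATH_LEN)):
        value = m.group(name) or ""
        if len(value) > limit:
            findings.append(f"LOCATION {name} component is {len(value)} bytes (limit {limit})")
    if m.group("port") and not m.group("port").isdigit():
        findings.append("LOCATION port is not numeric")
    return findings

# Constructed sample datagrams (not captures): one ordinary announcement and one with an oversized host.
BENIGN = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"LOCATION: http://192.0.2.10:49152/desc.xml\r\nNTS: ssdp:alive\r\n\r\n")
OVERSIZED = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b"LOCATION: http://" + b"A" * 300 + b":80/x\r\nNTS: ssdp:alive\r\n\r\n")

if __name__ == "__main__":
    for pkt in (BENIGN, OVERSIZED):
        print(check_notify(pkt) or "no findings")
```

The same check can be run over datagrams captured on the SSDP multicast group to spot announcements that would have exercised the unpatched parser.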
It should be noted that the service listens on broadcast and multicast
interfaces. This could permit an attacker to exploit a number of systems
without knowing their individual IP addresses.
The UPnP service runs in the LOCAL SERVICE security context. An attacker
who successfully exploits this vulnerability could gain control over the
target host.
Fix
Reference