Microsoft UPnP NOTIFY Buffer Overflow Vulnerability



Date Discovered

December 20, 2001


Universal Plug and Play (UPnP) is a service that allows hosts to locate and use devices on the local network. UPnP support ships with Windows XP and ME; for Windows 98 and 98SE, it is available with Windows XP's Internet Connection Sharing client. It should be noted that UPnP services are enabled on Windows XP by default. When the UPnP server processes the location field of a NOTIFY directive, server process memory can be overwritten by data that originated in the packet. If the IP address, port and filename components are of excessive length, access violations will occur when the server attempts to dereference pointers overwritten with data from the packet. It should be noted that the service listens on broadcast and multicast interfaces, so an attacker using an exploitation method targeting the UDP port could exploit a number of systems without knowing their individual IP addresses. It is, however, possible to exploit this condition using either the TCP or UDP protocol. The UPnP service runs in the LOCAL SERVICE security context. An attacker who successfully exploits this vulnerability could gain control over the target host.
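As an added example (not code from the advisory, Microsoft, or eEye), the following Python script parses SSDP NOTIFY datagrams and flags a LOCATION header whose host, port or path component is implausibly long, which is the packet shape the paragraph above describes. The length limits, the header names it accepts and the sample datagrams are constructed assumptions for illustration; a network sensor or log pipeline would feed it the raw UDP 1900 payloads instead.

```python
"""Flag SSDP NOTIFY datagrams whose LOCATION header carries an oversized host,
port or path component. Added example for this advisory page; not Microsoft's,
eEye's or Symantec's code. Limits and sample packets are constructed assumptions."""
from urllib.parse import urlsplit

# Assumed limits: a legitimate device-description LOCATION never needs more.
MAX_HOST_LEN = 255   # longest legal DNS name (RFC 1035)
MAX_PORT_LEN = 5     # "65535"
MAX_PATH_LEN = 1024  # generous for a device description URL


def parse_ssdp(datagram: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTPU message into its request line and a lower-cased header map."""
    text = datagram.decode("latin-1")            # never fails; keeps raw bytes 1:1
    head = text.split("\r\n\r\n", 1)[0]          # ignore any body
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                  # skip lines without a colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def check_notify(datagram: bytes) -> list[str]:
    """Return findings for a NOTIFY; an empty list means nothing looked abnormal.
    Messages other than NOTIFY (e.g. M-SEARCH) are ignored."""
    request_line, headers = parse_ssdp(datagram)
    if not request_line.upper().startswith("NOTIFY "):
        return []
    location = headers.get("location")
    if location is None:
        return ["NOTIFY without LOCATION header"]
    try:
        parts = urlsplit(location)
    except ValueError:
        return ["LOCATION is not a parseable URL"]
    if not parts.netloc:
        return ["LOCATION lacks a host component"]
    # Split netloc by hand: parts.port raises on a non-numeric port, and we
    # want to report that rather than crash on attacker-controlled input.
    if ":" in parts.netloc:
        host, port = parts.netloc.rsplit(":", 1)
    else:
        host, port = parts.netloc, ""
    findings: list[str] = []
    if len(host) > MAX_HOST_LEN:
        findings.append(f"host component too long ({len(host)} chars)")
    if port and (not port.isdigit() or len(port) > MAX_PORT_LEN):
        findings.append(f"port component malformed or too long ({len(port)} chars)")
    if len(parts.path) > MAX_PATH_LEN:
        findings.append(f"path component too long ({len(parts.path)} chars)")
    return findings


def sample_notify(location: str) -> bytes:
    """Constructed ssdp:alive NOTIFY carrying the given LOCATION (test input only)."""
    return (
        "NOTIFY * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        f"LOCATION: {location}\r\n"
        "NT: upnp:rootdevice\r\n"
        "NTS: ssdp:alive\r\n"
        "USN: uuid:constructed-sample::upnp:rootdevice\r\n\r\n"
    ).encode("latin-1")


# Constructed samples: one well-formed announcement and three with one
# oversized component each (host, port, path).
SAMPLES = {
    "benign":    sample_notify("http://192.0.2.10:5000/upnp/device.xml"),
    "long_host": sample_notify("http://" + "a" * 300 + ":5000/device.xml"),
    "long_port": sample_notify("http://192.0.2.10:" + "9" * 400 + "/device.xml"),
    "long_path": sample_notify("http://192.0.2.10:5000/" + "a" * 2048),
}

if __name__ == "__main__":
    for name, datagram in SAMPLES.items():
        print(f"{name:10s} {check_notify(datagram) or 'ok'}")
```

The check deliberately splits the network location itself instead of reading `parts.port`, because `urlsplit` raises on a non-numeric port and a detector fed attacker-controlled input must report malformed data rather than abort on it.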

Technologies Affected

  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows ME
  • Microsoft Windows XP
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional


Block external access at the network boundary, unless external parties require service.
Ensure that network-based access controls are put in place to filter unwanted traffic to remote services. Filtering access to TCP port 5000 and UDP port 1900 will effectively deny a remote host access to UPnP services.

Disable any unnecessary default services.
Although the UPnP service is not enabled by default on Windows ME, it is enabled by default on Windows XP. Unless UPnP services are explicitly required, it is advised that an administrator disable them.

Fixes are available:



Discovery by Riley Hassell <> of eEye Digital Security.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.