
New Custom Signature for the Windows UPnP Service Buffer Overflow

mcerha
Level 3

Below is a custom signature for the recent Windows UPnP Service buffer overflow referenced by CERT Advisory CA-2001-37. The information is presented as a 'SigWizMenu' screenshot. The signature can be added to a sensor using the 'SigWizMenu' tool. Please see the sensor release notes for more information regarding adding custom signatures.

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine STRING.UDP SIGID 20000

SigName: UPnP LOCATION Overflow

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits =

9 * RegexString = [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn][:]([^\n\r]){116}.*[\r\n]

10 - ResetAfterIdle = 15

11 * ServicePorts = 1900

12 - SigComment =

13 - SigName = UPnP LOCATION Overflow

14 - SigStringInfo = LOCATION <100+ Chars>

15 - ThrottleInterval = 15

16 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________
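
The signature's RegexString and ServicePorts applied to constructed UDP payloads, as an added example that is not part of the original post. It assumes Python's `re` semantics stand in for the sensor's STRING.UDP engine; the helper names and sample messages are hypothetical and constructed for the test.

```python
import re

# RegexString copied from the signature above, compiled over bytes.
# Assumption: Python's re engine approximates the sensor's regex behaviour.
SIG_REGEX = re.compile(
    rb"[Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn][:]([^\n\r]){116}.*[\r\n]"
)
SERVICE_PORT = 1900  # ServicePorts value from the signature


def matches_signature(dst_port, payload):
    """True when a UDP payload sent to the service port matches the regex."""
    return dst_port == SERVICE_PORT and SIG_REGEX.search(payload) is not None


def build_notify(location_value):
    """Constructed SSDP NOTIFY message (test data, not captured traffic)."""
    return (
        b"NOTIFY * HTTP/1.1\r\n"
        b"HOST: 239.255.255.250:1900\r\n"
        b"CACHE-CONTROL: max-age=1800\r\n"
        b"LOCATION:" + location_value + b"\r\n"
        b"NT: upnp:rootdevice\r\n"
        b"NTS: ssdp:alive\r\n\r\n"
    )


def run_samples():
    """Evaluate constructed payloads and return {label: alarm fired?}."""
    long_msg = build_notify(b" http://192.0.2.10/" + b"A" * 200)
    samples = {
        # Typical short device-description URL: should stay quiet.
        "normal": (1900, build_notify(b" http://192.0.2.10:2869/desc.xml")),
        # 115 vs 116 bytes after the colon: the regex's length threshold.
        "len_115": (1900, build_notify(b"x" * 115)),
        "len_116": (1900, build_notify(b"x" * 116)),
        # Header name is matched case-insensitively by the character classes.
        "lowercase": (1900, long_msg.replace(b"LOCATION:", b"location:")),
        # Same long payload to another port is outside ServicePorts.
        "other_port": (1901, long_msg),
    }
    return {name: matches_signature(p, d) for name, (p, d) in samples.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:10s} alarm={fired}")
```

The count of 116 starts immediately after the colon, so any leading space in the header value is included in it.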

2 Replies

dlac455
Level 1

Is this signature included in either the S12 or S13 updates?

Unfortunately no. The exploit was not announced until after we had already shipped the S13 update. It will be included in S14.