https



Instantly and Easily Control Windows' Insecure, Exploit-Prone and
Probably Unnecessary Universal Plug and Play Network Support


Page last modified: May 04, 2013 at 18:21Developed by Steve Gibson

The FBI has Strongly Recommended that
All Users Immediately Disable Windows'
Universal Plug n' Play Support

Our 22 kbyte "UnPlug n' Pray" utility makes that very
easy to do . . . and if ever needed, to later undo:

Now compatible with ALL Versions of Windows!


File stats for: UnPlug n' Prayfile download  freeware page
spacer
gray
spacer
Last Updated:
Size: 22k
Dec 28, 2001 at 15:47
(4,500.41 days ago)
Downloads/day: 504
Total downloads: 3,670,197
Current Rank: 3
Historical Rank: 2


Note: The FBI's NIPC (National Infrastructure Protection Center) has apparently reversed their original opinion. They no longer assert that Microsoft's Universal Plug & Play services should be disabled for extra protection. The most recent update to their previous two notices — which did advise users to disable the UPnP services — no longer includes this advice.

As you will see below, we believe that the FBI's original security advice was correct. Leaving unneeded and potentially vulnerable Internet services running makes no sense. Doing so is foolhardy, pointless, and insecure. Why would you?


What is all the fuss about?
On Thursday, December 20, 2001 Microsoft revealed that the hackers at eEye had discovered multiple critical security flaws in all versions of Windows using Universal Plug and Play:

Quoting from eEye's press release:

"eEye has discovered three vulnerabilities within Microsoft's UPnP implementation: a remotely exploitable buffer overflow that allows an attacker gain SYSTEM level access to any default installation of Windows XP, a Denial of Service (DoS) attack, and a Distributed Denial of Service (DDoS) attack. eEye would like to stress the extreme seriousness of this vulnerability. Network administrators are urged to immediately install the patch released by Microsoft at http://www.microsoft.com/technet/security/bulletin/MS01-059.asp"

"The most serious of the three Windows XP vulnerabilities is the remotely exploitable buffer overflow. It is possible for an attacker to write custom exploit code that will allow them to execute commands with SYSTEM level access, the highest level of access within Windows XP."

"The other two vulnerabilities are types of denial of service attacks. The first is a fairly straightforward denial of service attack, which allows an attacker to remotely crash any Windows XP system. The crash will require Windows XP users to physically power down their machines and start them up again before the system will function. The second denial of service attack is a distributed denial of service attack. This vulnerability allows attackers to remotely command many Windows XP systems at once in an effort to make them flood/attack a single host."

Translating eEye's and Microsoft's statements into consequences, this means that without the security update patch, and with the Universal Plug and Play (UPnP) system in its default "enabled" state, any of the many millions of Internet-connected UPnP-equipped Windows systems could be remotely commandeered and forced to download and run any malicious code of a hacker's design. This includes using the machine to launch potent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

This means that extremely damaging CodeRed and Nimda-style worms can now be written for millions of Windows machines. Whereas the Microsoft IIS server worms of 2001 found and infested 'only' several hundred thousand IIS servers, a Windows "Universal Plug and Play" worm would have more than ten million XP systems, in addition to many more Windows 98/ME systems, upon which to prey today.

The highly respected Gartner Group has said that they expect hackers to incorporate the UPnP vulnerabilities into their attack tools by the end of the first quarter of 2002. Here's Gartner's Commentary.

Three-Month Estimate Too Conservative??

Dec. 30, 2001 — Gartner's "by the end of the first quarter, 2002" exploit development prediction may have been conservative. Exploits for the previous UPnP vulnerability are now floating around the Internet. The authors of this exploit have written:

"We have found some new bugs. At this moment we are
on the way to create a suite of utilities to fully exploit
WinXP UPnP application (perhaps others too)."

Published exploit code like this forms the raw material for tomorrow's high-performance Internet worms. eEye did not publish "proof of concept" code this time (as they did for 2001's IIS worms) but that clearly doesn't matter.

Jan. 9, 2002 — BugTraq reports another newer UPnP Denial of Service exploit against Windows XP, ME, and other Microsoft UPnP-equipped machines.

The SecurityFocus archive has the details


The threat is so significant that the FBI has urged
consumers to take matters into their own hands:


MSNBC, WASHINGTON, Dec. 21 — The FBI's top cyber-security unit warned consumers and corporations Friday night to take new steps beyond those recommended by Microsoft Corp. to protect against hackers who might try to attack major flaws discovered in the newest version of Windows software.

Additional early coverage:
Salon.com — "FBI urges consumers to protect Windows XP"
Info Warrior — "Who Needs Hackers? We've Got Microsoft!" (Good rant)
WashingtonPost.com — "Windows Vulnerable to Hack Attacks"
BBC News — "Fix your Windows, says Microsoft"
Incidents.org — "Remote SYSTEM-level UPnP Vulnerability in Windows XP"
The Register — "Feds grill MS on Windows security"
The Register — "MS warns of severe universal plug & play security hole"

Note that this is NOT EVEN the first significant UPnP vulnerability:
Neohapsis Archives — " Previous security vulnerabilities in UPnP service"
Microsoft's Response Page — "Microsoft Security Bulletin MS01-054"

Bruce Schneier of Counterpane Internet Security literally wrote the book on cryptography and security. Bruce's January 2002 newsletter discusses the Windows UPnP Vulnerability, Microsoft's misleading statements about this problem, and their recent security policy changes. You should read Bruce's commentary.

On the lighter side:
BBspot — "Gates Announces Security Death Squads"

See the end of this page for additional press coverage of this developing issue.


Why did this disaster happen?
The Universal Plug and Play service (UPnP), which is installed and running in all versions of Windows XP — and may be loaded into Windows 98 and ME — essentially turns every one of those systems into a wide-open Internet server. This server listens for TCP connections on port 5000 and for UDP 'datagram' packets arriving on port 1900. This allows malicious hackers (or high-speed Internet worms) located anywhere in the world to scan for, and locate, individual Windows UPnP-equipped machines. Any vulnerabilities — known today or discovered tomorrow — can then be rapidly exploited.

(Note that when enabled, XP's built-in Internet Connection Firewall (ICF), and some third-party personal firewalls, are effective in blocking this external access.)

Can't anyone make an honest mistake?
Of course . . . but this was intentional, and Microsoft has still not learned their lesson:  Do not enable Internet servers to be running, by default, in consumer computers. The last time Microsoft did this, the server was called "File and Printer Sharing". The insecurity of that decision has caused untold customer damage through the years and it still causes serious problems.

Consequently, the most troubling aspect of this issue is that the POTENTIAL for this insecurity was intentionally and needlessly designed into Windows XP from the start. ALMOST NO ONE uses or needs to have Universal Plug and Play enabled today. Yet every copy of Windows XP sold has it enabled and running by default.

This goes to the heart of Microsoft's lack of understanding,
or lack of honest concern, about security.

For Microsoft to proclaim that Windows XP is the most secure Windows operating system ever shipped — while every copy has an unnecessary Internet server running — makes a mockery of their professed commitment to security.

An Observation about the nature of 'Security'

A number of Microsoft spokesmen have publicly stated that Windows XP is the most secure operating system they have ever produced. The declaration itself is patently absurd. 'Security', like the endurance of an alloy, can only be proven over time. Microsoft can say that they hope Windows XP will be the most secure system they have ever made, or that they tried to make it secure. But they have no basis for a statement that it is actually secure. That judgement may only be properly made by history.

It should escape no one's attention that, thus far, Windows XP has proven to be THE LEAST SECURE operating system Microsoft has ever produced.

As reported by Ted Bridis writing for the Associated Press, Scott Culp, Microsoft's extremely busy security response manager, stated: "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems." In other words, based upon our experience so far, Windows XP is the least secure operating system Microsoft has ever produced.

Universal Plug and Play is a forward-
looking and very useful technology.

You should not read anything here as an indictment of Universal Plug and Play itself. In the wake of this latest exploit announcement I studied UPnP closely and wrote several experimental Universal Plug and Play protocol devices. The system has great potential and in several years it will grow into an important networking technology. But that's in the future.

Today, the overwhelming majority of Windows XP users have NO NEED for their machines to be running a security-compromising UPnP Internet server. Therefore, this UPnP service should simply be turned off by default and only activated when it is actually needed by the end user.

Incredibly, even after this grand debacle, Microsoft refuses to take the simple and obvious security measure of disabling the unnecessary UPnP Internet service.

It is crucial to understand that Microsoft's latest UPnP
security patch DOES NOT DISABLE the UPnP services.

All Windows UPnP machines will continue to run an open
server advertising their presence across the Internet.

It is up to you to take responsibility for
the security of your personal computer.




Introducing UnPlug n' Pray:

UnPlug n' Pray empowers all Windows users with the
means to shut down the dangerous and unnecessary
UPnP Internet server running in their machines.



Click this link, or the image above, to download the 22k byte UnPlug n' Pray.


Questions, Answers, and Details about UnPlug n' Pray:
How is UnPnP used?
UnPnP's management of your system's Universal Plug & Play system is "sticky". Nothing is installed or left running in your machine, and after its use you can freely delete the utility.

Simply download this small (22k byte) Windows application, then run it to display and optionally alter the current state of your system's UPnP services. Once this work has been done, everything is set and you no longer need this UnPnP utility. You may wish to keep it around in the event that you need to re-enable your system's UPnP system someday, but you will always be able to grab a fresh copy from our web site.

If you should ever need to re-enable your system's UPnP system, simply rerun this UnPlug n' Play utility.
What, exactly, does UnPnP do?
Under Windows XP, the Universal Plug & Play system is supported by two service processes, the "SSDP Discovery Service" (SSDPDS) and the "Universal Plug and Play Device Host" (UPNPDH). Although both services are started upon demand, the SSDP service is started when Windows XP is booted. The SSDPDS service is the Internet server component which opens and exposes Windows XP to the global Internet. The UPNPDH service is only started when needed and its operation is dependent upon SSDPDS.

PLEASE NOTE: There is a great deal of confusion being caused by Microsoft's non-obvious naming of the two UPnP services. This situation is exacerbated by the FBI's NIPC web site, which has unfortunately posted wrong information over the holidays. People are led to believe that disabling the service named "Universal Plug and Play Device Host" disables the UPnP system. But it does not. That service is not even running by default. The correct action is to STOP then DISABLE the service named "SSDP Discovery Service".

You can demonstrate this for yourself by issuing the command "netstat -an" at a command prompt. While the SSDP Discovery service is running, Netstat will show that TCP port 5000 is in the listening state and UDP port 1900 is accepting inbound datagrams. After the SSDP Discovery Service has been stopped those Netstat lines will disappear.

 To disable the Universal Plug & Play system: UnPnP first stops the UPNPDH service if it is running, then disables its future operation. After this is done the SSDPDS service is stopped and also disabled. This shuts down Windows XP's external Internet server to prevent exposure to any presently known or later discovered UPnP vulnerabilities.

 To re-enable the Universal Plug & Play system: UnPnP simply reverses the process. The SSDPDS service is set to start on demand, and it is then started. Then, the UPNPDH service is also set to start on demand, but it is not started. With the SSDPDS service running the Windows XP system will have TCP port 5000 open and accepting remote connections and UDP port 1900 listening for inbound datagrams.

UnPnP's actions are completely benign and reversible. There are no known negative side effects caused by disabling the Universal Plug & Play components when they are not needed. They may easily be re-enabled if they are ever needed at any time in the future.

One important note of caution: Microsoft has a nasty and very insecure habit of "undoing" non-standard system changes that have been made to enhance the system's security. We will update this page if we learn of anything that secretly re-enables these services. But you may want to briefly run UnPnP from time to time, especially after making extensive changes to your system, to be sure everything is still securely disabled.

JAN 3, 2002: We have received preliminary reports of the UPnP service being silently re-enabled without the users' knowledge or permission. We hope that this is an innocent side-effect of background XP updates, but it is our position that users have the implicit right to decide how their computers operate, and what services they run.

Please keep an eye on this for a while by re-running UnPnP from time to time to check on the "disabled" status. If you find that UPnP has become silently re-enabled on your system, please drop a note to us at . If this behavior is confirmed, we will immediately enhance UnPnP to prevent this silent re-enabling. Our eMail system subscribers will then be notified of this enhancement.
What is "Universal Plug & Play" and why don't I need it?
Universal Plug & Play is not related to the established Plug & Play hardware standard for PCs. Microsoft presumably adopted the name "Universal Plug & Play" because it is a warm and fuzzy feel-good name. A more descriptive name would have been "Network Plug & Play" since that is exactly what it is.

UPnP is a set of communications protocol standards that allow networked TCP/IP devices to announce their presence to all other devices on the network and to then inter-operate in a flexible and pre-defined fashion. There is nothing wrong with the idea, though even in the absence of security mistakes, it is not difficult to be concerned about the overall security of the system. If you want to learn more, the Universal Plug & Play Forum web site has additional information.

As for why you don't need it; unless you actually have some UPnP devices on your local network, there is no one for the Windows UPnP system to talk to. It was bizarre and irresponsible for Microsoft to turn every Windows machine into a Universal Plug & Play Internet server, opening every machine to wide ranging Internet exploitation. It is still irresponsible today.
Will a personal firewall, like ZoneAlarm, protect my system?
If you disable the unnecessary UPnP service you will not be vulnerable to current or future UPnP exploits whether or not you have a personal firewall. Our experiments and independent reports have indicated that some personal firewalls are penetrated by the UPnP service while others are effective in protecting the machine. Our ShieldsUP! Port Probe now checks for the UPnP TCP server running on port 5000. This allows you to determine whether that UPnP port is exposed to the world. However, you should not consider this conclusive since the UPnP protocol also uses UDP datagram messages which ShieldsUP! was not designed to test.
UnPnP says that UPnP is safely disabled, but my system's personal firewall keeps reporting UPnP traffic on port 1900.
UnPlug and Pray shuts down the UPnP server services, but it does not prevent Windows or its programs from acting as UPnP clients. Client programs like Windows itself, and later versions of Windows Messenger, periodically search the local network for a UPnP router to control. This network noise is annoying, but it does not mean that Windows' UPnP server is still active and insecure.
Will a NAT Router, like a LinkSys, protect my system?
A non-UPnP aware NAT router makes a terrific hardware firewall since it discards unexpected and unsolicited inbound Internet packets. But as routers become UPnP-aware their behavior will need to be carefully scrutinized with regard to Internet pass-through. We can hope that they will offer explicit UPnP security to prevent external traffic from entering the internal network. But in any event, our ShieldsUP! Port Probe can always be used to quickly check your network's external UPnP profile.
How can UnPlug n' Pray be so small?  Only 22 kbytes?
I have been programming computers for more than three decades. There's nothing I love more. You can see this experience and caring in every piece of software I create. I write all of my software in 100% pure assembly language — the raw native language of the Intel microprocessor. I use it because, as the actual language of the system, it requires no inefficient translation from an easier-to-use "high level" language.

Some people develop software because its their job — it's what they do to survive. I do it for the sheer joy of creating and sharing useful, tight, efficient and effective tools. It is one of my favorite forms of communication.

UnPnP Version History:

Version 1.0 — December 25, 2001
Initial release. Compatible with Windows XP only.
No known bugs or problems found.
Version 1.1 — December 27, 2001
Added support for all Windows platforms: 98/98SE/ME/2000.
No known bugs or problems found.
Version 1.2 — December 28, 2001
At the request of several administrators of large networks, support was added for a non-GUI command-line interface. This allows UnPnP to be easily deployed throughout corporate networks and invoked by login scripts.

Use commands:  UnPnP disable  or  UnPnP enable

I hope you will find UnPlug n' Pray to be important, useful and reliable.


Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: May 04, 2013 at 18:21 (355.31 days ago)Viewed 588 times per day