CVE-2005-3644
Description
PNP_GetDeviceList (upnp_getdevicelist) in UPnP for Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier, allows remote attackers to cause a denial of service (memory consumption) via a DCE RPC request that specifies a large output buffer size, a variant of CVE-2006-6296, and a different vulnerability than CVE-2005-2120.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"Missing bounds validation on the output buffer size field in a DCE/RPC request to upnp_getdevicelist causes excessive memory allocation."
Attack vector
An unauthenticated remote attacker sends a crafted DCE/RPC request to the UPnP service on TCP port 445, specifying operation number 0x0a (`upnp_getdevicelist`). The critical payload bytes are `\x10\x10\x10\x10` in the request data, which cause the underlying demarshalling routines to allocate an excessively large output buffer [ref_id=1]. This triggers a memory leak in `services.exe`, exhausting the target's virtual memory and leading to a denial of service where desktop, HTTP, and SMB requests stop being serviced [ref_id=1]. No authentication is required; the exploit uses a null session over SMB to reach the RPC endpoint [ref_id=1].
Affected code
The vulnerability resides in the UPnP service's `PNP_GetDeviceList` (also called `upnp_getdevicelist`) function, which is exposed via DCE/RPC over SMB on port 445. The advisory does not specify the exact source file or line number, but the function is part of the UPnP subsystem in `services.exe` on Microsoft Windows 2000 SP4 and earlier, and possibly Windows XP SP1 and earlier [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide official remediation guidance from Microsoft. Based on the researcher's description, the fix would need to validate the output buffer size specified in the DCE/RPC request for `upnp_getdevicelist`, rejecting oversized allocation hints to prevent the memory exhaustion [ref_id=1]. The researcher notes that changing the operation number or altering the payload to avoid errors in the demarshalling routines might also reproduce the effect for other UPnP operations, suggesting the root cause is a lack of bounds checking on the allocation hint field [ref_id=1].
Preconditions
- config: Target must be running Microsoft Windows 2000 SP4 or earlier (possibly Windows XP SP1 or earlier) with the UPnP service exposed on TCP port 445.
- network: Attacker must have network connectivity to the target's SMB port (445/TCP).
- auth: No authentication required; a null session is sufficient to reach the RPC endpoint.
- input: The attacker sends a DCE/RPC request with operation number 0x0a (upnp_getdevicelist) containing a crafted allocation hint (e.g., 0x10101010).
Reproduction
The public exploit at [ref_id=1] provides a full C source file. Compile and run it against a vulnerable target: `./exploit
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.securiteam.com/exploits/6V00C15EKM.html (nvd; Exploit)
- secunia.com/advisories/17595 (nvd; Vendor Advisory)
- www.frsirt.com/exploits/20051117.Win_upnp_getdevicelist.c.php (nvd; Vendor Advisory)
- www.microsoft.com/technet/security/advisory/911052.mspx (nvd; Vendor Advisory)
- research.eeye.com/html/alerts/zeroday/20051116.html (nvd)
- securitytracker.com/id (nvd)
- www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2005/20051116 (nvd)
- www.securityfocus.com/bid/15460 (nvd)
- www.exploit-db.com/exploits/1328 (nvd)