Microsoft WSDAPI Vulnerability

November 12, 2009

A vulnerability has been reported in Microsoft Windows Web Services on Devices API (WSDAPI), which can be exploited by attackers to compromise a vulnerable system.

WSDAPI is an extension of the local Plug and Play model. It allows a client to discover and use remote devices/services over a network. The Devices Profile for Web Services (DPWS) standard defines a set of functionality to perform Web Service messaging, discovery, description, and event generation. In Microsoft Windows Vista and 2008, DPWS is integrated with WSDAPI.

Every device is given a unique identifier when it is manufactured. The identifier is called Machine GUID and is stored in the registry. When the device is powered on, it will broadcast its GUID via a WS-Discovery Hello message over 3702/UDP. Other devices on the network will receive this message and may initiate communication with that device. Once the handshake has been completed, communication continues over 5357/TCP (HTTP) or 5358/TCP (HTTPS). The HTTP messages include various headers and fields, one of them is MIME-Version. A MIME-Version field must appear as follows:


There exists a stack corruption vulnerability in Microsoft Windows WSDAPI. Specifically, the vulnerability is due to the way that the WSDAPI parses the MIME-Version field of the WS-Discovery message. An remote attacker can exploit this vulnerability by sending a crafted WS-Discovery message, which contains an overly long MIME-Version string, to the target system. Successful exploitation would overwrite critical stack data, such as return addresses and exception handlers, which leads to arbitrary code injection and execution with the privileges of the affected service. In the case code execution is not successful, the vulnerable process may terminate abnormally causing a denial of service condition.

The vulnerability has be assigned as CVE-2009-2512. SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 3209 MS WSDAPI Memory Corruption Attempt (MS09-063)