[497] in resnet


Re: Millenium Universal PnP

daemon@ATHENA.MIT.EDU (Eric Rosenberry)
Mon Dec 3 19:48:08 2001

MIME-Version: 1.0
Content-Type: multipart/alternative;
              boundary="----=_NextPart_000_0070_01C17C19.51082740"
Message-ID:  <GLEOKLAKEIBLAAKKFHEIEEOCCKAA.eric@rosenberry.org>
Date:         Mon, 3 Dec 2001 16:41:11 -0800
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Eric Rosenberry <eric@ROSENBERRY.ORG>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <a05100306b831b52d7702@[128.223.123.229]>

This is a multi-part message in MIME format.

------=_NextPart_000_0070_01C17C19.51082740
Content-Type: text/plain;
        charset="US-ASCII"
Content-Transfer-Encoding: 7bit

Hehehe, well "thankfully" is the right word.  That game could have gone
either way (and almost did on several occasions!).  Not to mention that you
had home court advantage.  It was an excellent game though!  I would be
curious to see how it would have turned out had the players not been sliding
around the field on the wet astro-turf.

Detecting the machines was actually really easy once I figured out how the
protocol works.  When the machines boot up and start UPnP they send out
several UDP multicast packets on port 1900 announcing availability.  Simply
run a sniffer with a filter to watch traffic on port 1900 and voila, you
have a non-intrusive way of discovering who is running UPnP.  Now I use a
program called Network Observer which has a top-talkers mode which will give
me a list of all clients that I have captured packets for along with their
IP address.  We exported this list to a .csv file and then ran a query
against our database to get the email addresses.

The way I can tell who is running what version is by looking at the packet
data (size is the easiest way).  It would appear that Microsoft is not
*just* patching the bug, but also updating the protocol.  Boxes running
un-patched ME send out packets with a Size of 136 and a TTL of 1.  Boxes
running patched ME send out packets with a Size of 143 and a TTL of 4.  Now
this is really nasty also, because now the packets are not just confined to
the local subnet, but they also traverse routers (if your routers have
multicast enabled).

This brings up the further question of what should be done about this?  Is
this service going to cause ResNets grief in the future?  Will these
Multicast broadcasts cause trouble?  Will people's X-Boxes start showing up
in everyone's "My network places" (I am not sure if the X-Box is UPnP
enabled but I would not doubt it).

Oh, and you need to run that capture for quite a while as they only send on
boot up.  Not that you should have to wait weeks though considering the
frequency at which ME boxes need to be rebooted.  You will also have to do a
capture in each subnet to find the un-patched ME boxes as their packets won't
traverse routers.

Let me know if you have any questions.

-Eric

-----Original Message-----
From: Resnet Forum [mailto:RESNET-L@listserv.nd.edu]On Behalf Of Norm Myers
Sent: Monday, December 03, 2001 3:12 PM
To: RESNET-L@listserv.nd.edu
Subject: Re: Millenium Universal PnP

Very nice page, clear and to the point.  OSU gets points for that but
thankfully they don't count for Saturday's game, Go Ducks :)

Yes, I'd like to see how you detected and separated the vulnerable machines.
  Norm

Here is OSU's web page dealing with this:

http://www.rcn.orst.edu/helpfaq/upnp.php

I actually found a way to detect all of the machines on our network running
UPnP and then based on the IPs they were using we correlated them to users
and sent about 700 people an email telling them about the problem and giving
them a link to the above page.

I have also found a way to tell the difference between packets generated by
the vulnerable version of UPnP and patched versions of UPnP.  This way we
can continue to identify vulnerable computers and inform the owners.

If anybody wants details please let me know and I will throw together an
email detailing it.

-Eric


------=_NextPart_000_0070_01C17C19.51082740--

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
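
Added example, not part of the original message: a passive classifier for the port 1900 announcements described in the post, using the size/TTL pairs it reports (136/1 unpatched, 143/4 patched). It assumes "Size" means the captured Ethernet frame length and that a patched host's TTL of 4 drops by one per router hop; the helper names and the sample frames are constructed for illustration.

```python
import struct

SSDP_PORT = 1900
ETH, IP_MIN, UDP = 14, 20, 8   # header sizes in bytes

def build_frame(src_ip, ttl, frame_len, dport=SSDP_PORT):
    """Constructed test data: an Ethernet/IPv4/UDP frame of exactly frame_len bytes."""
    payload = b"x" * (frame_len - ETH - IP_MIN - UDP)
    udp = struct.pack("!HHHH", 1025, dport, UDP + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_MIN + len(udp), 0, 0, ttl, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes([239, 255, 255, 250]))
    eth = bytes.fromhex("01005e7ffffa") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + udp

def parse_announcement(frame):
    """Return (src_ip, ttl, size) for an IPv4 UDP frame to port 1900, else None."""
    if len(frame) < ETH + IP_MIN + UDP or frame[12:14] != b"\x08\x00":
        return None                                   # too short or not IPv4
    ihl = (frame[ETH] & 0x0F) * 4
    if frame[ETH] >> 4 != 4 or ihl < IP_MIN or frame[ETH + 9] != 17:
        return None                                   # malformed header or not UDP
    if len(frame) < ETH + ihl + UDP:
        return None
    if struct.unpack("!H", frame[ETH + 6:ETH + 8])[0] & 0x1FFF:
        return None                                   # later fragment: no UDP header
    dport = struct.unpack("!H", frame[ETH + ihl + 2:ETH + ihl + 4])[0]
    if dport != SSDP_PORT:
        return None
    src = ".".join(str(b) for b in frame[ETH + 12:ETH + 16])
    return src, frame[ETH + 8], len(frame)            # size = captured frame length

def verdict(ttl, size):
    """Apply the size/TTL signatures reported in the post."""
    if size == 136 and ttl == 1:
        return "unpatched"
    # Assumption: patched hosts send TTL 4 and every router hop subtracts one,
    # so a capture point in another subnet sees 3, 2 or 1.
    if size == 143 and 1 <= ttl <= 4:
        return "patched"
    return "unknown"

def survey(frames):
    """Map each announcing source IP to the verdict of its most recent frame."""
    hosts = {}
    for frame in frames:
        parsed = parse_announcement(frame)
        if parsed:
            src, ttl, size = parsed
            hosts[src] = verdict(ttl, size)
    return hosts

# Constructed capture: addresses, sizes and TTLs are sample values.
SAMPLE = [
    build_frame("10.0.1.5", 1, 136),             # unpatched, local subnet
    build_frame("10.0.1.9", 4, 143),             # patched, local subnet
    build_frame("10.0.2.7", 3, 143),             # patched, seen across one router
    build_frame("10.0.1.12", 1, 136),            # unpatched at first boot ...
    build_frame("10.0.1.12", 4, 143),            # ... patched on a later boot
    build_frame("10.0.1.20", 64, 300),           # port 1900 traffic, no signature match
    build_frame("10.0.1.30", 1, 136, dport=53),  # not port 1900, ignored
]

if __name__ == "__main__":
    for ip, state in sorted(survey(SAMPLE).items()):
        print(ip, state)
```

Frames would normally come from a capture file or a live sniffer filtered on UDP port 1900; the resulting IP list is what gets joined against the user database.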
