Snort mailing list archives

Re: UPnP transaction: ASCII decode


From: Matt Scarborough <vexversa () usa net>
Date: 27 Dec 2001 23:31:28 EST

John Sage <jsage () finchhaven com> wrote:
Here is a rough cut of a UPnP transaction, run through a right-cool 
little proggie, tcpflow (See: http://freshmeat.net/projects/tcpflow/) 
that will strip out and present the ASCII contents of tcp/ip packets.

The original dump came from Matt Scarborough; here's his narrative as to 
what's going on:

"192.168.1.90 is the WinME box with UPnP client installed.

192.168.1.80 is a Win2K box with IIS.

I started the capture (Ethereal) on the Win2K box, and then booted up the
WinME box. So you see the WinME box coming online and sending the three UDP
M-SEARCH packets to the broadcast address. Nothing responds.

Then I fire up a Sample Device. This is a piece of software that comes from
the MS UPnP Developer's Kit. Essentially we'll use it to emulate some piece
of hardware that has just been connected to the network.

Sample Device sends NOTIFY packets. It sends several because we know UDP is
unreliable. Inside the NOTIFY packets we see the URL of the IIS server (same
Win2K box.) IIS simulates a mini-webserver inside Sample Device.

We could stop right here, in terms of exploit, because as you'll see in a
moment the WinME box responds by requesting the URL at the Sample Device
http://192.168.1.80/upnp-emulator/description/x10light-desc.xml

The XML tells the WinME, "I am a sample device, this is how you use me,

<snip>

Imagine my surprise to see this decoded and posted to the lists with my
comments intact!

The purpose of sending John the packet capture was to aid him in understanding
the Windows implementation of UPnP, and to develop a Snort signature to detect
malicious SSDP NOTIFY packets. Oh well, now we can all work towards those
goals.

If you have any friends running Windows, point them here for good advice
http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

If they need help disabling the UPnP services on Windows XP, they can find a
tool to help them here
http://grc.com/UnPnP/UnPnP.htm

"[UnPlug n' Pray] first stops the UPNPDH service if it is running, then
disables its future operation. After this is done the SSDPDS service is
stopped and also disabled."


"This shuts down Windows XP's external Internet server to prevent exposure to
any presently known or later discovered UPnP vulnerabilities."


Matt Scarborough 2001-12-28
-- 
Network computing is a dynamic and volatile environment. Responsibility for
securing network computing environments from intrusion is solely held by that
environment's Owners, Administrators, and Users.

The reader should research these issues and make decisions wholly independent
of the information presented herein. The information presented herein is
provided without warranty of any kind.
-- 
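The exchange quoted above (the WinME box sends M-SEARCH, the Sample Device answers with NOTIFY packets, and the LOCATION header in those NOTIFYs makes the client fetch a description URL) plus the stated goal of a detection signature for malicious SSDP NOTIFY packets, as an added example that is not part of the original post, of John Sage's work or of the Snort project: a small Python parser for SSDP datagrams and a check that flags NOTIFY messages whose LOCATION does not point back at the sender or leaves the local network. The datagrams are constructed from the narrative (only the LOCATION URL and the 192.168.1.x addresses come from the post), and the heuristics, the `local_net` parameter and the 512-byte header limit are my assumptions, not a published rule.

```python
"""Parse SSDP (UPnP discovery) datagrams and flag suspicious NOTIFY messages.

Added example; not code from the original mailing-list post or from Snort.
SSDP reuses HTTP/1.1 framing over UDP/1900: a request line, CRLF-separated
headers, then a blank line. The datagrams below are constructed to mirror
the capture described in the post; the checks are assumptions about what
a defender would want to alert on.
"""
import ipaddress
from urllib.parse import urlsplit

SSDP_PORT = 1900
MAX_HEADER_VALUE = 512  # assumption: longer values are treated as anomalous


def parse_ssdp(payload: bytes) -> dict:
    """Split an SSDP datagram into method, request line and a header dict.

    Header names are case-insensitive in HTTP, so they are upper-cased.
    Only the first ':' separates name from value (HOST carries a port).
    """
    text = payload.decode("latin-1")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    method = request_line.split(" ", 1)[0]
    return {"method": method, "request_line": request_line, "headers": headers}


def check_notify(src_ip: str, payload: bytes, local_net: str) -> list:
    """Return reasons a NOTIFY looks suspicious (empty list if it looks benign).

    Heuristics (assumptions, not from the post):
      * the client will GET whatever LOCATION says, so it must be an http URL;
      * a LOCATION host that is not the sender, or is off the local network,
        is directing clients somewhere the announcing device is not;
      * oversized header values are a generic anomaly worth reporting.
    Non-NOTIFY datagrams (e.g. M-SEARCH) are ignored.
    """
    msg = parse_ssdp(payload)
    if msg["method"] != "NOTIFY":
        return []
    reasons = []
    headers = msg["headers"]
    loc = headers.get("LOCATION")
    if loc is None:
        return ["NOTIFY without LOCATION header"]
    url = urlsplit(loc)
    if url.scheme != "http" or not url.hostname:
        return [f"LOCATION is not an http URL: {loc}"]
    try:
        host = ipaddress.ip_address(url.hostname)
    except ValueError:
        reasons.append(f"LOCATION host is a name, not an address: {url.hostname}")
    else:
        if host not in ipaddress.ip_network(local_net):
            reasons.append(f"LOCATION points off the local network: {host}")
        elif str(host) != src_ip:
            reasons.append(f"LOCATION host {host} differs from sender {src_ip}")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"oversized {name} header ({len(value)} bytes)")
    return reasons


# Constructed datagrams modelled on the post's capture (not the original bytes).
# The post says the M-SEARCH went to the broadcast address; the HOST header
# here carries the standard SSDP multicast group.
M_SEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 3\r\n"
    b"ST: ssdp:all\r\n\r\n"
)
NOTIFY_OK = (  # LOCATION is the Sample Device URL quoted in the post
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.80/upnp-emulator/description/x10light-desc.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n\r\n"
)
NOTIFY_OFFNET = (  # same announcement, but LOCATION sends clients off-net
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"LOCATION: http://198.51.100.7/description.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n\r\n"
)

if __name__ == "__main__":
    for label, pkt in (("ok", NOTIFY_OK), ("offnet", NOTIFY_OFFNET)):
        print(label, check_notify("192.168.1.80", pkt, "192.168.1.0/24"))
```

In a live setup the same function would be fed from a UDP socket bound to port 1900 (or from tcpflow output), with `src_ip` taken from the datagram's source address and `local_net` set to the monitored subnet.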


