Snort mailing list archives
Re: UPnP transaction: ASCII decode
From: Matt Scarborough <vexversa () usa net>
Date: 27 Dec 2001 23:31:28 EST
John Sage <jsage () finchhaven com> wrote:
> Here is a rough cut of a UPnP transaction, run through a right-cool little proggie, tcpflow (See: http://freshmeat.net/projects/tcpflow/) that will strip out and present the ASCII contents of tcp/ip packets.
>
> The original dump came from Matt Scarborough; here's his narrative as to what's going on:
>
> "192.168.1.90 is the WinME box with UPnP client installed. 192.168.1.80 is a Win2K box with IIS. I started the capture (Ethereal) on the Win2K box, and then booted up the WinME box. So you see the WinME box coming online and sending the three UDP M-SEARCH packets to the broadcast address. Nothing responds.
>
> Then I fire up a Sample Device. This is a piece of software that comes from the MS UPnP Developer's Kit. Essentially we'll use it to emulate some piece of hardware that has just been connected to the network. Sample Device sends NOTIFY packets. It sends several because we know UDP is unreliable. Inside the NOTIFY packets we see the URL of the IIS server (same Win2K box.) IIS simulates a mini-webserver inside Sample Device.
>
> We could stop right here, in terms of exploit, because as you'll see in a moment the WinME box responds by requesting the URL at the Sample Device http://192.168.1.80/upnp-emulator/description/x10light-desc.xml The XML tells the WinME, "I am a sample device, this is how you use me,
<snip>

Imagine my surprise to see this decoded and posted to the lists with my comments intact! The purpose of sending John the packet capture was to aid him in understanding the Windows implementation of UPnP, and develop a Snort signature to detect malicious SSDP NOTIFY packets. Oh well, now we can all work towards those goals.

If you have any friends running Windows, point them here for good advice: http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm

If they need help disabling the UPnP services on Windows XP, they can find a tool to help them here: http://grc.com/UnPnP/UnPnP.htm

"[UnPlug n' Pray] first stops the UPNPDH service if it is running, then disables its future operation. After this is done the SSDPDS service is stopped and also disabled."

"This shuts down Windows XP's external Internet server to prevent exposure to any presently known or later discovered UPnP vulnerabilities."

Matt Scarborough
2001-12-28

--
Network computing is a dynamic and volatile environment. Responsibility for securing network computing environments from intrusion is solely held by that environment's Owners, Administrators, and Users. The reader should research these issues and make decisions wholly independent of the information presented herein. The information presented herein is provided without warranty of any kind.
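The thread's stated goal is detection of malicious SSDP NOTIFY packets, and the exchange above boils down to one step: the client reads the LOCATION header out of a NOTIFY datagram and fetches that URL. The following Python inspector is an added example, not code from John, Matt, or the Snort project. It parses NOTIFY datagrams of the shape the Sample Device sent and applies a few checks a defender would want before any client follows LOCATION. The local subnet (192.168.1.0/24, taken from the capture's addresses), the length thresholds, and the rule that LOCATION should stay on the local subnet are this example's own assumptions; the sample datagrams are constructed, using the page's description URL, the standard SSDP multicast group, and a placeholder USN.

```python
# Added example (not code from the original thread): a small inspector for
# SSDP NOTIFY datagrams like the ones the Sample Device sent in the capture.
# The thresholds and the "LOCATION must stay on the local subnet" rule are
# this example's own assumptions, not something the post specifies.
import ipaddress
from urllib.parse import urlsplit

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed: the capture's LAN
MAX_LINE_LEN = 512      # assumed sanity limit for any header line
MAX_LOCATION_LEN = 256  # assumed sanity limit for the LOCATION URL


def parse_ssdp(raw):
    """Split one SSDP datagram into (start line, {HEADER: value}).

    Header names are case-insensitive in HTTP, so keys are upper-cased.
    The header block ends at the first empty line."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def inspect_notify(raw):
    """Return a list of findings for one datagram; [] means it looks benign."""
    findings = []
    start, headers = parse_ssdp(raw)
    if not start.startswith("NOTIFY * HTTP/1.1"):
        return ["not an SSDP NOTIFY: " + start[:40]]
    # Any single header line far beyond a sane length is worth flagging
    # before a parser that trusts its input ever sees it.
    for line in raw.split(b"\r\n"):
        if len(line) > MAX_LINE_LEN:
            findings.append("oversized header line (%d bytes)" % len(line))
    loc = headers.get("LOCATION")
    if loc is None:
        findings.append("missing LOCATION header")
        return findings
    if len(loc) > MAX_LOCATION_LEN:
        findings.append("oversized LOCATION (%d chars)" % len(loc))
    parts = urlsplit(loc)
    if parts.scheme != "http":
        findings.append("LOCATION scheme is %r, expected http" % parts.scheme)
    host = parts.hostname
    if host is None:
        findings.append("LOCATION has no host")
        return findings
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        findings.append("LOCATION host %r is a name, not an address; resolve before trusting" % host)
        return findings
    if addr not in LOCAL_NET:
        findings.append("LOCATION host %s is off the local subnet" % addr)
    return findings


# Constructed datagrams modelled on the post's narrative. The multicast
# address is the standard SSDP group; the USN is a placeholder.
BENIGN_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.80/upnp-emulator/description/x10light-desc.xml\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"USN: uuid:placeholder-sample-device::upnp:rootdevice\r\n"
    b"\r\n"
)

# Same shape, but LOCATION points at a host outside the LAN (documentation
# range), which a client should not fetch from without further checks.
OFF_SUBNET_NOTIFY = BENIGN_NOTIFY.replace(
    b"http://192.168.1.80/", b"http://203.0.113.5/")

# Same shape, but one header is padded far beyond any sane length.
OVERSIZED_NOTIFY = BENIGN_NOTIFY.replace(
    b"NT: upnp:rootdevice", b"NT: " + b"A" * 2000)

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_NOTIFY),
                      ("off-subnet", OFF_SUBNET_NOTIFY),
                      ("oversized", OVERSIZED_NOTIFY)]:
        print(name, inspect_notify(pkt) or "ok")
```

The same checks translate directly into the kind of signature the thread is after: match the NOTIFY start line on UDP 1900, then look at LOCATION's host and at header line lengths. Running the script prints an empty finding list for the benign datagram and one finding each for the other two.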