
Update falls down using Vodafone mobile

  • 11-05-2021 1:51pm
    #1
    Registered Users, Registered Users 2 Posts: 1,306 ✭✭✭


    Hi all,

    I have an older Windows 7 test machine which is running Microsoft Security Essentials and pretty much nothing else. Every so often MSE updates its signatures using Windows Update and the BITS services and this seems to work ok. Obviously there aren't any more Updates for W7 (aside from the Malicious Software Removal Tool).

    One day I decided to connect this machine to a WiFi hotspot on my phone - this is a P30 Lite with a Vodafone SIM. This seems fine until MSE tried to update. At which point the BITS service goes a bit nuts - it writes to C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat continuously until I do a "net stop bits".

    This is quite odd. I'm not sure if Windows 10 would have the same issue as I don't use it (I run Linux Mint most of the time). If it does, it would seem like a way to DOS a Windows 10 machine.

    Does anyone know if Vodafone filter weird ports or do odd things with their DNS? I remember Three used to filter imgur using a DNS filter but that was easily circumvented and I think they got bored doing that and went away :)

    Edit: That wasn't a particularly well thought out Subject line!


Comments

  • Registered Users, Registered Users 2 Posts: 1,306 ✭✭✭carveone


    After some network probing, I've found that "download.windowsupdate.com" is a different server (8.238.55.126) on the UPC broadband network compared to 93.184.221.240 on the Vodafone 4G network. They are different servers and elicit different header responses for the same file request.

    Using "curl -I" on one of the MSE update patches, the first server returns a perfectly reasonable reply. The second returns complete rubbish.

    > curl -I "http://download.windowsupdate.com/d/msdownload/update/software/defu/2021/05/am_delta_6a3649beb57cee48081bd31631c8774de6505d2f.exe"
    HTTP/1.1 200 OK
    [...snip...]
    Server: ECAcc (lha/8DA7)
    Content-Length: 0
    Connection: keep-alive
    

    Note the Content-Length is zero along with a keep-alive connection. Super. How is that supposed to work? From what I can see, BITS goes nuts and starts reissuing the job over and over.

    In my opinion this is an effective denial of service attack against a Windows 7 machine and I've seen the same problem reported against a Windows 2016 Server.

    I'll have to make a reproducible test case but I've no idea if Microsoft will care (they won't fix it for Windows 7 anyway).


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,581 Mod ✭✭✭✭Capt'n Midnight


    Let's blame DNS.

    Would it work with a generic third party DNS server? I gave up relying on NTL/UPC/VM DNS servers a long time ago.


  • Registered Users, Registered Users 2 Posts: 1,306 ✭✭✭carveone


    > Let's blame DNS.
    >
    > Would it work with a generic third party DNS server? I gave up relying on NTL/UPC/VM DNS servers a long time ago.

    Thanks for replying! I tried using 8.8.8.8 to do the query but it returned the same IP address ranges resulting in the same problem. I think - I can't remember what I was trying so I'll go off and try it again! I definitely remember thinking of DNS too though :)

    To me it's a misconfigured Vodafone proxy server. I've tried the same curl command above on Tesco, Virgin, Three and Eir and get valid HEAD responses.

    I spent a day writing out and logging a vulnerability with MSRC but they just closed it with a rather curt need "valid proof of concept (POC) ideally with images or video". Gee, thanks. I'd have to write a broken web server to prove it and, although I can do this, I won't.

    I phoned Vodafone technical support. You can guess how that worked out. They started off by looking for my phone number and phone type and who I was sharing my internet connection with so I hung up on them :p


  • Registered Users, Registered Users 2 Posts: 1,306 ✭✭✭carveone


    Nope. Changing the DNS doesn't fix it.

    Which is interesting because it usually fixes all manner of stupid nonsense with DNS servers. Especially 3's - they used to filter out imgur because reasons. And all stackexchange images were on imgur so that was massively irritating. Change the DNS, problem goes away...


  • Registered Users, Registered Users 2 Posts: 1,306 ✭✭✭carveone


    I know this is an old post but it turns out that the issue is a bug in Windows Update (https://github.com/conoror/wudos). If the Content-Length is zero for the HEAD response to a Windows Update file, then the update goes into an infinite loop. Reported to MS but they're not interested (they could reproduce it alright, they're just not going to fix it).

    I reported it to Vodafone but they didn't care. So I can't hotspot my Windows machines using Vodafone and I'm using Tesco now instead.

    One of those things I guess...
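
A check for the response pattern described in this thread, as an added example that is not part of the original posts or of the linked repository: it parses header text captured with `curl -I` for a file that should be non-empty and flags a final 200 response that announces `Content-Length: 0`. The function names and the sample captures are constructed for illustration.

```python
# Added example (not from the thread or the linked repository).
# Input: header text as printed by `curl -I`, or `curl -IL`, which prints one
# header block per hop separated by blank lines.

def parse_head_blocks(raw):
    """Split captured output into (status_code, headers) pairs, one per response."""
    blocks = []
    for chunk in raw.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln for ln in chunk.split("\n") if ln.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        parts = lines[0].split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        blocks.append((int(parts[1]), headers))
    return blocks

def check_final_response(raw):
    """Return findings for the last response in the capture (the one a client acts on)."""
    blocks = parse_head_blocks(raw)
    if not blocks:
        return ["no HTTP response found"]
    status, headers = blocks[-1]
    findings = []
    # Redirects legitimately carry Content-Length: 0, so only a final 200 counts.
    if status == 200 and headers.get("content-length") == "0":
        findings.append("200 OK with Content-Length: 0")
        if headers.get("connection", "").lower() == "keep-alive":
            findings.append("zero length announced on a keep-alive connection")
    return findings

# Constructed captures: BAD mirrors the headers quoted in the thread; the others are made up.
BAD = "HTTP/1.1 200 OK\r\nServer: ECAcc (lha/8DA7)\r\nContent-Length: 0\r\nConnection: keep-alive\r\n\r\n"
GOOD = "HTTP/1.1 200 OK\r\nContent-Length: 1048576\r\nConnection: keep-alive\r\n\r\n"
REDIRECTED = ("HTTP/1.1 302 Found\r\nLocation: http://example.invalid/f.exe\r\nContent-Length: 0\r\n\r\n"
              "HTTP/1.1 200 OK\r\nContent-Length: 1048576\r\n\r\n")

if __name__ == "__main__":
    for name, capture in (("BAD", BAD), ("GOOD", GOOD), ("REDIRECTED", REDIRECTED)):
        print(name, check_final_response(capture) or "ok")
```

Running the same capture from two networks and comparing the findings reproduces the comparison made in the thread without touching the BITS service.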


