11-05-2021, 14:51   #1
carveone
Update falls down using Vodafone mobile

Hi all,

I have an older Windows 7 test machine which is running Microsoft Security Essentials and pretty much nothing else. Every so often MSE updates its signatures using Windows Update and the BITS services and this seems to work ok. Obviously there aren't any more Updates for W7 (aside from the Malicious Software Removal Tool).

One day I decided to connect this machine to a WiFi hotspot on my phone - this is a P30 Lite with a Vodafone SIM. This seemed fine until MSE tried to update. At which point the BITS service goes a bit nuts - it writes to C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat continuously until I do a "net stop bits".

This is quite odd. I'm not sure if Windows 10 would have the same issue as I don't use it (I run Linux Mint most of the time). If it does, it would seem like a way to DOS a Windows 10 machine.

Does anyone know if Vodafone filter weird ports or do odd things with their DNS? I remember Three used to filter imgur using a DNS filter but that was easily circumvented and I think they got bored doing that and went away.

Edit: That wasn't a particularly well thought out Subject line!

Last edited by carveone; 11-05-2021 at 15:11.
14-05-2021, 16:31   #2
carveone
After some network probing, I've found that "download.windowsupdate.com" is a different server (8.238.55.126) on the UPC broadband network compared to 93.184.221.240 on the Vodafone 4G network. They are different servers and elicit different header responses for the same file request.

Using "curl -I" on one of the MSE update patches, the first server returns a perfectly reasonable reply. The second returns complete rubbish.

> curl -I "http://download.windowsupdate.com/d/msdownload/update/software/defu/2021/05/am_delta_6a3649beb57cee48081bd31631c8774de6505d2f.exe"

Code:
HTTP/1.1 200 OK
[...snip...]
Server: ECAcc (lha/8DA7)
Content-Length: 0
Connection: keep-alive

Note the Content-Length is zero along with a keep-alive connection. Super. How is that supposed to work? From what I can see, BITS goes nuts and starts reissuing the job over and over.

In my opinion this is an effective denial of service attack against a Windows 7 machine and I've seen the same problem reported against a Windows 2016 Server.

I'll have to make a reproducible test case but I've no idea if Microsoft will care (they won't fix it for Windows 7 anyway).
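An added example (not from the thread or from Microsoft): the HEAD check the post above ran with `curl -I`, reproduced in Python against a constructed local stand-in for the two edges, so a 200 OK with Content-Length: 0 can be flagged before a BITS job is pointed at it. The paths, the port and the sane edge's advertised size are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins for the two edges in the post (assumed values): the sane edge
# advertises the patch size; the broken one answers 200 OK with Content-Length: 0
# and keep-alive, so there is nothing for BITS to fetch.
EDGE_HEADERS = {
    "/sane": {"Content-Length": "1048576", "Connection": "keep-alive"},
    "/broken": {"Content-Length": "0", "Connection": "keep-alive"},
}

class FakeEdge(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # matches the "HTTP/1.1 200 OK" in the post

    def do_HEAD(self):
        hdrs = EDGE_HEADERS.get(self.path)
        self.send_response(200 if hdrs else 404)
        for k, v in (hdrs or {"Content-Length": "0"}).items():
            self.send_header(k, v)
        self.end_headers()

    def log_message(self, *args): pass  # keep the demo quiet

def serve_fake_edge():
    # Start the stand-in edge on an ephemeral loopback port.
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeEdge)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe_head(host, port, path):
    """HEAD the patch URL and classify the reply as a BITS client would see it.
    Returns (status, Content-Length header value, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    length = resp.getheader("Content-Length")
    conn.close()
    if resp.status != 200:
        verdict = "unavailable"
    elif length is None or int(length) == 0:
        verdict = "broken-edge"  # 200 OK but nothing to download: the looping case
    else:
        verdict = "ok"
    return resp.status, length, verdict

if __name__ == "__main__":
    srv = serve_fake_edge()
    for p in ("/sane", "/broken", "/missing"):
        print(p, probe_head("127.0.0.1", srv.server_port, p))
    srv.shutdown()
```

Pointing `probe_head` at a real mirror of the same URL from two networks gives the comparison the post describes without waiting for BITS to start looping.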
15-05-2021, 22:43   #3
Capt'n Midnight
Let's blame DNS.

Would it work with a generic third party DNS server? I gave up relying on NTL/UPC/VM DNS servers a long time ago.
17-05-2021, 15:20   #4
carveone
Quote:
Originally Posted by Capt'n Midnight
Let's blame DNS.

Would it work with a generic third party DNS server? I gave up relying on NTL/UPC/VM DNS servers a long time ago.
Thanks for replying! I tried using 8.8.8.8 to do the query but it returned the same IP address ranges resulting in the same problem. I think - I can't remember what I was trying so I'll go off and try it again! I definitely remember thinking of DNS too though.

To me it's a misconfigured Vodafone proxy server. I've tried the same curl command above on Tesco, Virgin, Three and Eir and get valid HEAD responses.

I spent a day writing out and logging a vulnerability with MSRC but they just closed it with a rather curt "need valid proof of concept (POC) ideally with images or video". Gee, thanks. I'd have to write a broken web server to prove it and, although I can do this, I won't.

I phoned Vodafone technical support. You can guess how that worked out. They started off by looking for my phone number and phone type and who I was sharing my internet connection with, so I hung up on them.
17-05-2021, 16:34   #5
carveone
Nope. Changing the DNS doesn't fix it.

Which is interesting because it usually fixes all manner of stupid nonsense with DNS servers. Especially 3's - they used to filter out imgur because reasons. And all stackexchange images were on imgur so that was massively irritating. Change the DNS, problem goes away...