UnPlug n' Pray

Software Title: UnPlug n’ Pray
Download Link: https://www.grc.com/UnPnP/UnPnP.htm
Homepage: https://www.grc.com/
Contact Them: sales2016@grc.com
License: More great Freeware Software!

Note: The FBI’s NIPC (National Infrastructure Protection Center) has apparently reversed their original opinion. They no longer assert that Microsoft’s Universal Plug & Play services should be disabled for extra protection. The most recent update to their previous two notices — which did advise users to disable the UPnP services — no longer includes this advice.

As you will see below, we believe that the FBI’s original security advice was correct. Leaving unneeded and potentially vulnerable Internet services running makes no sense. Doing so is foolhardy, pointless, and insecure. Why would you?

What is all the fuss about?
On Thursday, December 20, 2001 Microsoft revealed that the hackers at eEye had discovered multiple critical security flaws in all versions of Windows using Universal Plug and Play:

Quoting from eEye’s press release:

“eEye has discovered three vulnerabilities within Microsoft’s UPnP implementation: a remotely exploitable buffer overflow that allows an attacker to gain SYSTEM level access to any default installation of Windows XP, a Denial of Service (DoS) attack, and a Distributed Denial of Service (DDoS) attack. eEye would like to stress the extreme seriousness of this vulnerability. Network administrators are urged to immediately install the patch released by Microsoft at http://www.microsoft.com/technet/security/bulletin/MS01-059.asp

“The most serious of the three Windows XP vulnerabilities is the remotely exploitable buffer overflow. It is possible for an attacker to write custom exploit code that will allow them to execute commands with SYSTEM level access, the highest level of access within Windows XP.”

“The other two vulnerabilities are types of denial of service attacks. The first is a fairly straightforward denial of service attack, which allows an attacker to remotely crash any Windows XP system. The crash will require Windows XP users to physically power down their machines and start them up again before the system will function. The second denial of service attack is a distributed denial of service attack. This vulnerability allows attackers to remotely command many Windows XP systems at once in an effort to make them flood/attack a single host.”

Translating eEye’s and Microsoft’s statements into consequences, this means that without the security update patch, and with the Universal Plug and Play (UPnP) system in its default “enabled” state, any of the many millions of Internet-connected UPnP-equipped Windows systems could be remotely commandeered and forced to download and run any malicious code of a hacker’s design. This includes using the machine to launch potent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

This means that extremely damaging CodeRed and Nimda-style worms can now be written for millions of Windows machines. Whereas the Microsoft IIS server worms of 2001 found and infested ‘only’ several hundred thousand IIS servers, a Windows “Universal Plug and Play” worm would have more than ten million XP systems, in addition to many more Windows 98/ME systems, upon which to prey today.


How is UnPnP used?
UnPnP’s management of your system’s Universal Plug & Play system is “sticky”. Nothing is installed or left running in your machine, and after its use you can freely delete the utility.

Simply download this small (22k byte) Windows application, then run it to display and optionally alter the current state of your system’s UPnP services. Once this work has been done, everything is set and you no longer need this UnPnP utility. You may wish to keep it around in the event that you need to re-enable your system’s UPnP system someday, but you will always be able to grab a fresh copy from our web site.

If you should ever need to re-enable your system’s UPnP system, simply rerun this UnPlug n’ Pray utility.

What, exactly, does UnPnP do?
Under Windows XP, the Universal Plug & Play system is supported by two service processes, the “SSDP Discovery Service” (SSDPDS) and the “Universal Plug and Play Device Host” (UPNPDH). Although both services are started upon demand, the SSDP service is started when Windows XP is booted. The SSDPDS service is the Internet server component which opens and exposes Windows XP to the global Internet. The UPNPDH service is only started when needed and its operation is dependent upon SSDPDS.

PLEASE NOTE: There is a great deal of confusion being caused by Microsoft’s non-obvious naming of the two UPnP services. This situation is exacerbated by the FBI’s NIPC web site, which has unfortunately posted wrong information over the holidays. People are led to believe that disabling the service named “Universal Plug and Play Device Host” disables the UPnP system. But it does not. That service is not even running by default. The correct action is to STOP then DISABLE the service named “SSDP Discovery Service”.

You can demonstrate this for yourself by issuing the command “netstat -an” at a command prompt. While the SSDP Discovery service is running, Netstat will show that TCP port 5000 is in the listening state and UDP port 1900 is accepting inbound datagrams. After the SSDP Discovery Service has been stopped those Netstat lines will disappear.
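The netstat check described above, scripted as an added example (not part of the original page and not GRC's code): it parses `netstat -an` text and reports local sockets listening on TCP 5000 or bound to UDP 1900. The sample output is constructed, and the function names are illustrative.

```python
import re

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1061      203.0.113.7:5000       ESTABLISHED
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1900           *:*
  UDP    192.168.1.10:1900      *:*
  UDP    127.0.0.1:19000        *:*
"""

UPNP_TCP_PORT = 5000  # UPnP TCP server port named on the page
SSDP_UDP_PORT = 1900  # SSDP datagram port named on the page

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def _port(endpoint):
    """Return the numeric port of 'addr:port' (also '[::]:port'), else None."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def upnp_exposure(netstat_text):
    """Return local endpoints showing the SSDP Discovery Service is running."""
    found = {"tcp_5000_listening": [], "udp_1900_bound": []}
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, blank line, or unrelated text
        proto, local, _foreign, state = m.groups()
        proto, state = proto.upper(), (state or "").upper()
        port = _port(local)  # only the LOCAL port matters, not the remote one
        if proto == "TCP" and port == UPNP_TCP_PORT and state.startswith("LISTEN"):
            found["tcp_5000_listening"].append(local)
        elif proto == "UDP" and port == SSDP_UDP_PORT:
            found["udp_1900_bound"].append(local)
    return found


def is_exposed(netstat_text):
    """True if either of the two netstat lines the page describes is present."""
    return any(upnp_exposure(netstat_text).values())
```

Run it over saved `netstat -an` output after disabling the service, and again after system updates, to confirm both lines are still absent.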

To disable the Universal Plug & Play system: UnPnP first stops the UPNPDH service if it is running, then disables its future operation. After this is done the SSDPDS service is stopped and also disabled. This shuts down Windows XP’s external Internet server to prevent exposure to any presently known or later discovered UPnP vulnerabilities.

To re-enable the Universal Plug & Play system: UnPnP simply reverses the process. The SSDPDS service is set to start on demand, and it is then started. Then, the UPNPDH service is also set to start on demand, but it is not started. With the SSDPDS service running the Windows XP system will have TCP port 5000 open and accepting remote connections and UDP port 1900 listening for inbound datagrams.

UnPnP’s actions are completely benign and reversible. There are no known negative side effects caused by disabling the Universal Plug & Play components when they are not needed. They may easily be re-enabled if they are ever needed at any time in the future.

One important note of caution: Microsoft has a nasty and very insecure habit of “undoing” non-standard system changes that have been made to enhance the system’s security. We will update this page if we learn of anything that secretly re-enables these services. But you may want to briefly run UnPnP from time to time, especially after making extensive changes to your system, to be sure everything is still securely disabled.

JAN 3, 2002: We have received preliminary reports of the UPnP service being silently re-enabled without the users’ knowledge or permission. We hope that this is an innocent side-effect of background XP updates, but it is our position that users have the implicit right to decide how their computers operate, and what services they run.

Please keep an eye on this for a while by re-running UnPnP from time to time to check on the “disabled” status. If you find that UPnP has become silently re-enabled on your system, please drop a note to us at support2016@grc.com. If this behavior is confirmed, we will immediately enhance UnPnP to prevent this silent re-enabling. Our eMail system subscribers will then be notified of this enhancement.

What is “Universal Plug & Play” and why don’t I need it?
Universal Plug & Play is not related to the established Plug & Play hardware standard for PCs. Microsoft presumably adopted the name “Universal Plug & Play” because it is a warm and fuzzy feel-good name. A more descriptive name would have been “Network Plug & Play” since that is exactly what it is.

UPnP is a set of communications protocol standards that allow networked TCP/IP devices to announce their presence to all other devices on the network and to then inter-operate in a flexible and pre-defined fashion. There is nothing wrong with the idea, though even in the absence of security mistakes, it is not difficult to be concerned about the overall security of the system. If you want to learn more, the Universal Plug & Play Forum web site has additional information.

As for why you don’t need it; unless you actually have some UPnP devices on your local network, there is no one for the Windows UPnP system to talk to. It was bizarre and irresponsible for Microsoft to turn every Windows machine into a Universal Plug & Play Internet server, opening every machine to wide ranging Internet exploitation. It is still irresponsible today.

Will a personal firewall, like ZoneAlarm, protect my system?
If you disable the unnecessary UPnP service you will not be vulnerable to current or future UPnP exploits whether or not you have a personal firewall. Our experiments and independent reports have indicated that some personal firewalls are penetrated by the UPnP service while others are effective in protecting the machine. Our ShieldsUP! Port Probe now checks for the UPnP TCP server running on port 5000. This allows you to determine whether that UPnP port is exposed to the world. However, you should not consider this conclusive since the UPnP protocol also uses UDP datagram messages which ShieldsUP! was not designed to test.

UnPnP says that UPnP is safely disabled, but my system’s personal firewall keeps reporting UPnP traffic on port 1900.
UnPlug and Pray shuts down the UPnP server services, but it does not prevent Windows or its programs from acting as UPnP clients. Client programs like Windows itself, and later versions of Windows Messenger, periodically search the local network for a UPnP router to control. This network noise is annoying, but it does not mean that Windows’ UPnP server is still active and insecure.

Will a NAT Router, like a LinkSys, protect my system?
A non-UPnP aware NAT router makes a terrific hardware firewall since it discards unexpected and unsolicited inbound Internet packets. But as routers become UPnP-aware their behavior will need to be carefully scrutinized with regard to Internet pass-through. We can hope that they will offer explicit UPnP security to prevent external traffic from entering the internal network. But in any event, our ShieldsUP! Port Probe can always be used to quickly check your network’s external UPnP profile.

How can UnPlug n’ Pray be so small? Only 22 kbytes?
I have been programming computers for more than three decades. There’s nothing I love more. You can see this experience and caring in every piece of software I create. I write all of my software in 100% pure assembly language — the raw native language of the Intel microprocessor. I use it because, as the actual language of the system, it requires no inefficient translation from an easier-to-use “high level” language.

Some people develop software because it’s their job — it’s what they do to survive. I do it for the sheer joy of creating and sharing useful, tight, efficient and effective tools. It is one of my favorite forms of communication.