Vulnerability Development
mailing list archives
Synaptics TouchPad, strange packets.
From: "Valerio B." <support () selnet org>
Date: Tue, 27 Nov 2001 20:59:02 +0100
My firewall captured a packet outgoing from my laptop, originated by the
Synaptics TouchPad program, to a destination address that has nothing to do
with the Synaptics network. I verified that the destination address is a
host located in Finland.
I now blocked the Synaptics TouchPad program. As you can see the checksums
are incorrect.
I currently don't have the tools to do analysis on my own, and I found my
laptop being free from known viruses, so I am submitting this for analysis
by the community.
Valerio B.
The packet decode is included below:
******************************************
File Version : 5.0.62 13Mar00
File Description : Synaptics TouchPad Enhancements
File Path : C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
Process ID : FFFDEA69 (Heximal) 4294830697 (Decimal)
Connection origin : local initiated
Protocol : UDP
Local Address : xxx.xx.xxx.xxx
Local Port : 17697
Remote Name :
Remote Address : xxx.xxx.xxx.x
Remote Port : 65280
Ethernet packet details:
Ethernet II (Packet Length: 64)
Destination: xx-xx-xx-xx-xx-xx
Source: xx-xx-xx-xx-xx-xx
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:69
Time to live: 128
Protocol: 0x11 (UDP - User Datagram Protocol)
Header checksum: 0xf8eb (Correct)
Source: xxx.xx.xxx.xxx
Destination: xxx.xxx.xxx.x
User Datagram Protocol
Source port: 17697
Destination port: 65280
Length: 8
Checksum: 0x52f9 (Incorrect - Checksum should be 0x396b)
Data (38509 Bytes)
Binary dump of the packet:
0000: xx xx xx xx xx xx xx xx : xx xx xx xx 08 00 45 00 | SRC..DEST....E.
0010: 00 32 9D D3 00 45 80 11 : EB F8 D4 0F A2 F0 C1 A6 | .2...E..........
0020: 78 03 45 21 FF 00 96 6D : F9 52 B9 57 29 C8 0A B9 | x.E!...m.R.W)...
0030: 04 60 E6 99 54 48 B4 1A : 00 4A 28 03 FF D9 FF FF | .`..TH...J(.....
******************************************
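
An added example, not part of the original post: a Python sketch that re-parses the IP bytes from the binary dump above (offset 0x0E onward, since the Ethernet bytes are redacted), verifies the IPv4 header checksum, and checks the fragment offset before trusting any UDP fields. The function and variable names are illustrative.

```python
import struct

# IP datagram bytes copied from the dump in the post, starting at offset 0x0E
# (the 14 Ethernet header bytes before them are redacted there).
DATAGRAM = bytes.fromhex(
    "4500 0032 9DD3 0045 8011 EBF8 D40F A2F0 C1A6 7803"  # 20-byte IPv4 header
    "4521 FF00 966D F952 B957 29C8 0AB9 0460"            # 30 bytes that follow
    "E699 5448 B41A 004A 2803 FFD9 FFFF"
)


def header_checksum_ok(header: bytes) -> bool:
    """RFC 1071: the 16-bit one's-complement sum over the whole header,
    stored checksum included, folds to 0xFFFF when the header is intact."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def analyse(datagram: bytes) -> dict:
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", datagram[:12])
    ihl = (ver_ihl & 0x0F) * 4
    payload = datagram[ihl:total_len]
    info = {
        "total_length": total_len,
        "protocol": proto,
        "checksum_ok": header_checksum_ok(datagram[:ihl]),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset_bytes": (flags_frag & 0x1FFF) * 8,  # field is in 8-byte units
        "payload_len": len(payload),
    }
    # Only the fragment at offset 0 carries the UDP header. In any later
    # fragment the first 8 payload bytes are datagram data, so "ports",
    # "length" and "checksum" read from them are not meaningful.
    info["has_transport_header"] = info["fragment_offset_bytes"] == 0
    # What a decoder gets if it parses those 8 bytes as a UDP header anyway:
    info["naive_udp"] = struct.unpack("!HHHH", payload[:8])
    return info


if __name__ == "__main__":
    for key, value in analyse(DATAGRAM).items():
        print(f"{key}: {value}")
```

The `naive_udp` tuple reproduces the 17697, 65280 and 38509 values shown in the decode, which is what reading the first eight bytes of a non-first fragment as a UDP header yields.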