COMMAND

    IrDA

SYSTEMS AFFECTED

    Win 2000

PROBLEM

    Paul Millar found the following.  There exists a "semi-remote"
    vulnerability against Windows machines via the IrDA port.  The
    result of exploiting this vulnerability is that the computer
    crashes, displaying a "Blue Screen of Death" (BSOD), and reboots a
    few seconds later.  As IrDA ports are mostly found on laptops,
    these machines are more likely to be exploitable.  Limited test
    data suggests this attack is successful against Windows 2000
    Professional machines, but not against machines running Windows
    98.  The trigger is receiving an IrDA test frame; these can be
    generated by the irdaping utility under GNU/Linux.

    To recreate:
    1. Start up the laptops.  The setup was: victim running Windows,
       protagonist running GNU/Linux.  The Linux kernel must have IrDA
       support compiled in.
    2. Under GNU/Linux, make sure irda-utils-0.9.10-9 is installed;
       other versions are untested but will probably work too.
    3. Do "irattach /dev/ttyS1 -s" or equivalent to activate the IrDA
       port.
    4. Check that the GNU/Linux side is working correctly by running
       the "irdadump" command.  You should see repetitive output
       similar to:

        07:28:17.790903 xid:cmd 4d274896 > ffffffff S=6 s=0 (14)
        07:28:17.880849 xid:cmd 4d274896 > ffffffff S=6 s=1 (14)
        07:28:17.970845 xid:cmd 4d274896 > ffffffff S=6 s=2 (14)
        07:28:18.060858 xid:cmd 4d274896 > ffffffff S=6 s=3 (14)
        07:28:18.150840 xid:cmd 4d274896 > ffffffff S=6 s=4 (14)
        07:28:18.240861 xid:cmd 4d274896 > ffffffff S=6 s=5 (14)
        07:28:18.330859 xid:cmd 4d274896 > ffffffff S=6 s=*    rattusrattus hint=0400 [ Computer ] (28)

    5. Place the laptops so the infrared ports are aligned and within
       IrDA distance; irdadump should show the new machine.  The
       Windows machine should also respond, usually by making a sound.
    6. Run irdaping.  The destination address ("0x4d274896" for the
       above example) is required, but the actual value doesn't matter.
    7. The victim machine should display the BSOD at this point and
       reboot.
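    The irdadump output in step 4 is also the most useful signal a
    defender has that an IrDA station is within range: a laptop with
    an enabled port answers discovery before any frame can be sent to
    it.  The script below is an added example, not code from the
    advisory or from irda-utils.  It parses the xid:cmd lines exactly
    as shown above, keeps an inventory of the device addresses and
    nicknames announced, and reports any address that is not on an
    allow-list.  The xid:rsp line format ("xid:rsp a < b ..."), the
    rule that the responder is whichever end of that line did not send
    the xid:cmd frames, and the "victim-w2k" sample line are
    assumptions constructed for the example.

```python
"""Parse irdadump XID discovery lines and flag IrDA peers not on an allow-list.

Added example; not code from the advisory or from irda-utils.  The xid:cmd
line format follows the advisory's sample output.  The xid:rsp format and
the final sample line (a responding Windows laptop) are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

BROADCAST = "ffffffff"  # IrLAP discovery destination address

# Matches both the plain slot frames ("s=0 (14)") and the final "s=*" frame
# that carries the station's nickname, hint bytes and decoded hint names.
XID_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"xid:(?P<kind>cmd|rsp)\s+"
    r"(?P<left>[0-9a-f]{8})\s+[<>]\s+(?P<right>[0-9a-f]{8})\s+"
    r"S=(?P<slots>\d+)\s+s=(?P<slot>\*|\d+)"
    r"(?:\s+(?P<name>\S+)\s+hint=(?P<hint>[0-9a-f]+)\s+\[(?P<hints>[^\]]*)\])?"
    r"\s+\((?P<length>\d+)\)$"
)

# Lines 1-7 are the advisory's own sample output; line 8 is a constructed
# xid:rsp line standing in for a Windows laptop answering the discovery.
SAMPLE_LINES = [
    "07:28:17.790903 xid:cmd 4d274896 > ffffffff S=6 s=0 (14)",
    "07:28:17.880849 xid:cmd 4d274896 > ffffffff S=6 s=1 (14)",
    "07:28:17.970845 xid:cmd 4d274896 > ffffffff S=6 s=2 (14)",
    "07:28:18.060858 xid:cmd 4d274896 > ffffffff S=6 s=3 (14)",
    "07:28:18.150840 xid:cmd 4d274896 > ffffffff S=6 s=4 (14)",
    "07:28:18.240861 xid:cmd 4d274896 > ffffffff S=6 s=5 (14)",
    "07:28:18.330859 xid:cmd 4d274896 > ffffffff S=6 s=*    rattusrattus hint=0400 [ Computer ] (28)",
    "07:28:18.420851 xid:rsp 4d274896 < 1f2e3d4c S=6 s=2 victim-w2k hint=0500 [ PnP Computer ] (26)",
]


@dataclass
class XidFrame:
    ts: str
    kind: str            # "cmd" (discovery request) or "rsp" (answer)
    left: str            # first 32-bit device address on the line
    right: str           # second address; ffffffff is the broadcast
    slots: int           # S= : number of discovery slots
    slot: str            # s= : slot number, or "*" for the final frame
    name: Optional[str]  # nickname, only present on frames that carry info
    hint: Optional[str]  # raw hint bytes as printed, e.g. "0400"
    hints: List[str]     # decoded hint names, e.g. ["Computer"]
    length: int


def parse_line(line: str) -> Optional[XidFrame]:
    """Return an XidFrame for an irdadump XID line, or None for anything else."""
    m = XID_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return XidFrame(
        ts=g["ts"], kind=g["kind"], left=g["left"], right=g["right"],
        slots=int(g["slots"]), slot=g["slot"], name=g["name"], hint=g["hint"],
        hints=g["hints"].split() if g["hints"] else [],
        length=int(g["length"]),
    )


def inventory(lines: Iterable[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map every non-broadcast device address seen to its nickname and hint."""
    devices: Dict[str, Dict[str, Optional[str]]] = {}
    discoverers: Set[str] = set()

    def note(addr: str, frame: XidFrame) -> None:
        entry = devices.setdefault(addr, {"name": None, "hint": None, "first_seen": frame.ts})
        if frame.name:  # only the "s=*" (cmd) or answering (rsp) frame carries a name
            entry["name"], entry["hint"] = frame.name, frame.hint

    for line in lines:
        frame = parse_line(line)
        if frame is None:
            continue  # irdadump prints other frame types too; ignore them here
        if frame.kind == "cmd":
            discoverers.add(frame.left)  # the station issuing discovery
            note(frame.left, frame)
        else:
            # Assumption: the responder is whichever end of the rsp line is
            # not a station we already saw issuing xid:cmd frames.
            ends = [a for a in (frame.left, frame.right) if a != BROADCAST]
            responders = [a for a in ends if a not in discoverers] or ends
            for addr in responders:
                note(addr, frame)
    return devices


def unexpected_peers(lines: Iterable[str], allowed: Set[str]) -> List[str]:
    """Addresses that took part in discovery but are not on the allow-list."""
    return sorted(addr for addr in inventory(lines) if addr not in allowed)


if __name__ == "__main__":
    for addr, info in inventory(SAMPLE_LINES).items():
        print(f"{addr}  name={info['name']}  hint={info['hint']}  first_seen={info['first_seen']}")
    print("unexpected:", unexpected_peers(SAMPLE_LINES, allowed={"4d274896"}))
```

    Run it against a live capture with "irdadump | python3 irda_inventory.py"
    style piping (reading sys.stdin instead of SAMPLE_LINES), with the
    allow-list holding the addresses of your own stations; any other
    address answering discovery is a device that has its port enabled
    and is within range.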

    After discovering the problem, a quick Google search revealed that
    Kevin Gottsman had reported the same effect back in December 2000,
    but only to "The Pasta Projects Linux-IrDA Forum" mailing list.
    The problem did not appear in the vulnerabilities database at
    SecurityFocus, or on Microsoft's own website.

    From limited experimentation, disabling communication via the IrDA
    software does not prevent the vulnerability; the whole device must
    be disabled under the Device Manager to prevent the system from
    crashing.

SOLUTION

    Disable the IrDA port under the Device Manager.  The truly
    paranoid can place insulation/PVC tape over the port to prevent
    abuse.

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin:

        http://www.microsoft.com/technet/security/bulletin/ms01-046.asp

    for information on obtaining this patch.