Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:1957
HistoryAug 22, 2001 - 12:00 a.m.

IrDA semiremote vulnerability

2001-08-2200:00:00
vulners.com
32
JSON

----[ Win2k semi-remote DoS via IrDA

Synopsis:
There exists a "semi-remote" vulnerability against Windows machines
via the IrDA port. The result of exploiting this vulnerability is
the computer will crash, displaying a "Blue Screen of Death" (BSOD),
shortly followed by rebooting. As IrDA ports are mostly found on
laptops, these machines are more likely to be exploitable. Limited
test data suggests this attack is successful against Windows 2000
Professional machines, but not successful against machines running
Windows 98. Other OS versions have not been tested.

Symptom:
Machine crashes with BSOD. After a few seconds machine reboots.

Trigger:
Receiving an IrDA test frame. These can be generated by the irdaping
utility under GNU/Linux

Affected:
Windows 2000 Professional

Not affected:
Windows 98

Work-around:
Disable the IrDA port under the Device Manager. The truely paranoid
can place Insulation/PVC tape over the port to prevent abuse.

Recreate:

  1. Startup laptops. My setup was: victim running Windows, protagonist
    running GNU/Linux. The Linux kernel must have IrDA support
    compiled in.
  2. Under GNU/Linux, make sure irda-utils-0.9.10-9 is installed, other
    versions are untested, but will probably work too.
  3. Do "irattach /dev/ttyS1 -s" or equivalent to activate the IrDA
    port.
  4. Check the GNU/Linux side its working correctly by running the
    "irdadump" command. You should see repetitive output similar to:

07:28:17.790903 xid:cmd 4d274896 > ffffffff S=6 s=0 (14)
07:28:17.880849 xid:cmd 4d274896 > ffffffff S=6 s=1 (14)
07:28:17.970845 xid:cmd 4d274896 > ffffffff S=6 s=2 (14)
07:28:18.060858 xid:cmd 4d274896 > ffffffff S=6 s=3 (14)
07:28:18.150840 xid:cmd 4d274896 > ffffffff S=6 s=4 (14)
07:28:18.240861 xid:cmd 4d274896 > ffffffff S=6 s=5 (14)
07:28:18.330859 xid:cmd 4d274896 > ffffffff S=6 s=* rattusrattus hint=0400 [
Computer ] (28)

  1. Place laptops so the infrared ports are aligned and within IrDA
    distance, irdadump should reflect new machine. The windows
    machine should also respond, usually by making a sound.
  2. Run irdaping. The destination address ("0x4d274896"
    for above example) is required, but actual value doesn't matter.
  3. Victim machine should display the BSOD at this point and reboot.

Systems tested that were vulnerable:
[] OEM laptop, Windows 2000 Professional service pack 2 v5.00.2195,
National Semiconductor IrDA.
Options:
Infrared Trans. A: HP HSDL-1100/2100,
Infrared Trans. B SIR Transceiver,
Max Con. Rate: 4Mbps.
Driver National Semiconductor 9/8/1999 v1.0.0.0 (signed MS 2000
Publisher)

[] Toshiba Satellite Pro 4000, Windows 2000 Professional service pack 2
v5.00.2195, SMC IrCC IrDA.
Options:
Fast Infrared Port: Infrared
Transceiver Type: auto,
Min. Turn-Around Time: 1.0mS,
Speed Limit: 4 Mbps,
Driver: SMC 22/10/2000 v4.10.1999.5 (signed MS comp).

[] Acer TravelMate 527TE P3-700MHz, Windows 2000 Professional

Systems tested that were not vulnerable:
[] Dell Inspiron 3200 D233XT TS30H, Windows 98 SE 4.10.1998 32Mb P2,
IrDA driver (Microsoft 5-11-1998)
[Thanks Jen!]

[] IBM ThinkPad T21, Windows 98 SE 4.10.2222 A 128Mb P3, IrDA driver
(Microsoft 4-23-1999)

Discussion:
After discovering the problem, a quick searched using Google
revealed that Kevin Gottsman reported the same effect [1] back in
December 2000 but only to "The Pasta Projects Linux-IrDA Forum"
mailing list. The problem didn't appear on the vulnerabilities
database at SecurityFocus [2], or on Microsoft's own website [3].

Microsoft were notified on July 4th 2001 and were able to quickly
verify the problem. Their investigation suggests that the problem
is driver specific (as Kevin suggested) and that it cannot cause
remote code execution.

A patch has been developed, see Microsoft bulletin MS01-046 [4] for
details.

From limited experimentation, disabling communication via the IrDA
software does not prevent the vulnerability, the whole device must
be disabled under the Device Manager to prevent the system from
crashing.

Acknowledgments:
Thanks are due (in no particular order) to jools }B->, Tom How,
Ritchie, Jen and Graham Woan for providing the cannon fodder:
Windows isn't really my thing.

[1] http://www.pasta.cs.uit.no/pipermail/linux-irda/2000-December/002144.html
[2] http://www.securityfocus.com/
[3] http://www.microsoft.com/technet/security/
(following URL wraps)
[4] http://www.microsoft.com/technet/treeview/default.asp?url=/technet/sec
urity/bulletin/MS01-046.asp

This vulnerability description is (c) 2001 Paul Millar
([email protected] – please remember the `m'). Reproduction,
either partial or complete is permitted provided either this copyright
notice is reproduced in its entirety, or provision is make to direct
future readers to an instance of the complete copyright notice. This
does not affect `fair usage'.

JSON