[NT] Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart

From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart
Message-Id: <20010830162016.CC154138BF@mail.der-keiler.de>
Date: Thu, 30 Aug 2001 18:20:16 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Access Violation in Windows 2000 IRDA Driver Can Cause System to Restart
------------------------------------------------------------------------

SUMMARY

Microsoft Windows 2000 provides support for infrared-based connectivity.
This support is provided through protocols developed by the Infrared Data
Association (IrDA), and infrared devices are therefore often called IrDA
devices. These devices can be used to share files and printers with other
IrDA-capable systems. The software that handles IrDA devices in Windows
2000 contains an unchecked buffer in the code that handles certain IrDA
packets.

A security vulnerability results because a malicious user within infrared
range can send a specially crafted IrDA packet to the victim's system. The
packet overflows the unchecked buffer and causes an access violation in the
driver, which crashes the system and forces a reboot.

DETAILS

Affected Software:
 * Microsoft Windows 2000

Mitigating factors:
 * The attack would require that an attacker's machine be within range of
the victim's IrDA device, usually within arm's length.
 * The attack would require that an attacker's machine's IrDA port have
either a direct line of sight to the victim's machine, or be able to
transmit the IrDA packets through reflection directly to the victim's IrDA
port.
 * The vulnerability cannot be used to run malicious code on the user's
system; its only effect is a denial of service.

Patch availability:
Download locations for this patch:
 * Microsoft Windows 2000:
   http://www.microsoft.com/windows2000/downloads/critical/q252795/default.asp

What's the scope of the vulnerability?
This buffer overflow vulnerability results in a denial of service that
could allow an attacker to disrupt a Windows 2000 user's session by forcing
the machine to restart.

The vulnerability would not allow the attacker to load or run malicious
code on the user's system. It would only allow an attacker to disrupt the
user's current computing session.

This vulnerability is unusual because it could only be exploited if the
attacker was in close physical proximity to the user. It cannot be
exploited remotely from the network, and it cannot be exploited locally
from the console. Any attempt to exploit this vulnerability would require
that the attacker be within a clear line of sight of the victim's machine,
or be able to transmit the IrDA packets through reflection directly to the
victim's IrDA port, and that the attacker carry a machine with which to
mount the attack.

What causes the vulnerability?
The vulnerability results from an unchecked buffer in the software that
handles information from the IrDA device. By sending a specially formed
IrDA packet, an attacker could cause an unhandled exception in that code,
which in turn causes the system to fail with an access violation and
restart.

What is IrDA?
IrDA refers to a group of short-range, high-speed, bidirectional wireless
infrared protocols established by the Infrared Data Association. IrDA
allows a variety of devices to communicate with each other, such as
cameras, printers, portable computers, desktop computers, and personal
digital assistants (PDAs).

Windows 2000 supports IrDA protocols that enable data transfer over
infrared connections. This allows other devices and programs to
communicate with Windows 2000 through the IrDA interface for activities
such as file and print sharing.

How can I tell if I have an IrDA device on my system?
If you have an IrDA device on your system the Wireless Link icon will
appear in the Control Panel. If you do not see a Wireless Link icon in the
Control Panel, then you do not have an IrDA device on your system and you
are not vulnerable to this issue.

What's wrong with IrDA in Windows 2000?
The software that handles IrDA devices in Windows 2000 contains an
unchecked buffer in its handling of a certain type of IrDA packet. When a
specially formed IrDA packet of this type is received, it causes an access
violation, and Windows 2000 restarts automatically.

How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by sending a specially
crafted IrDA packet from their machine to the intended victim's machine.
Because of the nature of IrDA, this would have to be performed within the
range of the potential victim's IrDA port, usually within arm's length.
The attacker's machine would also have to either have a clear line of
sight to the potential victim's IrDA port, or be able to deliver the
malicious packet through a carefully targeted reflection attack that
successfully pinpointed the victim's IrDA port.

Is there any other way for an attacker to exploit this vulnerability?
No. The attack would have to come from another machine's IrDA port and be
directed straight at the victim's IrDA port. It could not be exploited
remotely across a network and could not be exploited locally on the
victim's machine.

What could an attacker do if they maliciously exploited this
vulnerability?
An attacker could cause the victim's machine to experience an access
violation and reboot automatically.

How long would the attack last?
The attack would last as long as it took the victim's machine to reboot.
However, the attacker could mount another attack on the victim's machine
once it had successfully rebooted, if they remained within range and were
able to send another specially formed packet to the victim's IrDA port.

How would someone mount an attack?
Because this is related to the infrared support, an attack would have to
be mounted from a machine that could transmit infrared packets to the
potential victim's machine. In practical terms, this means that an
attacker would most likely be within line of sight of the victim's machine,
making it very difficult to mount an attack without being noticed.

What does the patch do?
The patch eliminates the vulnerability by instituting proper input
checking in the IrDA device handler.
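The unchecked-buffer pattern described under "What causes the vulnerability?" and the input checking described here, shown as an added example that is not Microsoft's irda.sys code and not part of the original bulletin: a packet handler that copies a payload into a fixed-size buffer using a length field taken from the packet itself, beside the same handler with the checks the patch is described as adding. The two-byte frame header, the names handle_frame_unchecked, handle_frame_checked, build_frame and outcome, and the sample frames are all constructed for the illustration; the bulletin does not say which IrDA packet type or field is involved.

```c
/*
 * Added illustration for this advisory; it is NOT Microsoft's irda.sys code
 * and the frame layout below is invented for the example:
 *     byte 0   frame type
 *     byte 1   declared payload length (attacker-controlled)
 *     byte 2.. payload
 * The bulletin does not identify the real IrDA packet type or field.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16    /* size the handler believes its buffer has */
#define SLAB_SIZE   64    /* memory actually provided, so a modest overflow is observable */
#define TRIPWIRE    0xA5  /* fill beyond PAYLOAD_MAX; any change means corruption */

enum { FRAME_OK = 0, FRAME_REJECTED = 1 };

/* Vulnerable form: the only validation is that a header exists. */
static int handle_frame_unchecked(const uint8_t *frame, size_t frame_len,
                                  uint8_t *payload_buf)
{
    if (frame_len < 2)
        return FRAME_REJECTED;
    uint8_t declared = frame[1];
    /* BUG: `declared` comes from the packet. It may exceed PAYLOAD_MAX
     * (write past the buffer) and frame_len - 2 (read past the frame).
     * In a kernel-mode driver the bytes overwritten are neighbouring
     * stack or pool memory; using the corrupted values is the access
     * violation that halts and restarts the machine. */
    memcpy(payload_buf, frame + 2, declared);
    return FRAME_OK;
}

/* Hardened form: the declared length is checked against the bytes actually
 * received and against the destination buffer before anything is copied. */
static int handle_frame_checked(const uint8_t *frame, size_t frame_len,
                                uint8_t *payload_buf, size_t buf_size)
{
    if (frame_len < 2)
        return FRAME_REJECTED;
    size_t declared = frame[1];
    if (declared > frame_len - 2)   /* frame is shorter than it claims */
        return FRAME_REJECTED;
    if (declared > buf_size)        /* would overflow the destination */
        return FRAME_REJECTED;
    memcpy(payload_buf, frame + 2, declared);
    return FRAME_OK;
}

/* Builds a constructed test frame (not captured IrDA traffic): header plus
 * `declared` filler bytes. `out` must hold 2 + declared bytes. */
size_t build_frame(uint8_t *out, uint8_t type, uint8_t declared)
{
    out[0] = type;
    out[1] = declared;
    memset(out + 2, 'A', declared);
    return 2 + (size_t)declared;
}

/*
 * Presents one frame to the chosen handler, which writes into a tripwired
 * slab while believing it has only PAYLOAD_MAX bytes. `present` limits how
 * many bytes of the frame the handler is told about (0 = all of it), which
 * simulates a frame that claims more payload than was received.
 * Returns: 0 accepted, memory intact
 *          1 accepted, memory past the buffer was corrupted
 *          2 rejected, memory intact
 *          3 rejected, but memory corrupted anyway (should never happen)
 * The unchecked handler must not be given declared > SLAB_SIZE, or this
 * user-mode model overruns its own stack just as the driver overran the
 * kernel's.
 */
int outcome(int hardened, uint8_t declared, size_t present)
{
    uint8_t frame[2 + 255];
    uint8_t slab[SLAB_SIZE];
    size_t n = build_frame(frame, 0x01, declared);
    if (present == 0 || present > n)
        present = n;

    memset(slab, TRIPWIRE, sizeof slab);
    int status = hardened
        ? handle_frame_checked(frame, present, slab, PAYLOAD_MAX)
        : handle_frame_unchecked(frame, present, slab);

    int corrupted = 0;
    for (size_t i = PAYLOAD_MAX; i < SLAB_SIZE; i++)
        if (slab[i] != TRIPWIRE)
            corrupted = 1;
    return (status == FRAME_REJECTED ? 2 : 0) + corrupted;
}

int main(void)
{
    static const char *names[] = { "accepted/intact", "accepted/CORRUPTED",
                                   "rejected/intact", "rejected/CORRUPTED" };
    printf("benign  (len 8)  unchecked: %s\n", names[outcome(0, 8, 0)]);
    printf("benign  (len 8)  checked:   %s\n", names[outcome(1, 8, 0)]);
    printf("crafted (len 40) unchecked: %s\n", names[outcome(0, 40, 0)]);
    printf("crafted (len 40) checked:   %s\n", names[outcome(1, 40, 0)]);
    printf("truncated claim  checked:   %s\n", names[outcome(1, 40, 10)]);
    return 0;
}
```

Compile with any C99 compiler and run. The unchecked handler reports success on the frame that declares 40 bytes while the tripwire shows memory past its 16-byte buffer was overwritten; in kernel mode that corruption is what produces the reported access violation. The checked handler bounds the length against both the received frame and the destination buffer: checking only the buffer still permits a read past the end of a short frame, and checking only the frame still permits the overflow.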

Do all Windows 2000 users need to apply the patch?
No, only those who have systems with IrDA capabilities need to apply the
patch.

ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security
<mailto:secnotif@MICROSOFT.COM>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
