What's the scope of the vulnerability?
This is a buffer overflow vulnerability that results in a denial of service that could allow an attacker to disrupt a Windows 2000 user's session. It would automatically restart their machine.
The vulnerability would not allow the attacker to load or run malicious code on the user's system. It would only allow an attacker to disrupt the user's current computing session.
This vulnerability is unusual because it could only be exploited if the attacker was in close physical proximity to the user. It cannot be remotely exploited from the network. It also cannot be locally exploited from the console. Any attempt to maliciously exploit this vulnerability would require that the attacker be within a clear line of sight of the victim's machine, or be able to transmit the IrDA packets through reflection directly to the victim's IrDA port, and that the attacker have a machine with him to exploit the vulnerability.
What causes the vulnerability?
The vulnerability results from an unchecked buffer in the software that handles information from the IrDA device. By sending a specially formed IrDA packet, an attacker could cause an unhandled exception, which in turn would cause the system to fail with an access violation.
What is IrDA?
IrDA refers to a group of short-range, high speed, bidirectional wireless infrared protocols established by the Infrared Data Association. IrDA allows a variety of devices to communicate with each other such as cameras, printers, portable computers, desktop computers, and personal digital assistants (PDAs).
Windows 2000 supports IrDA protocols that enable data transfer over infrared connections. This allows other devices and programs to communicate with Windows 2000 through the IrDA interface for activities such as file and print sharing.
How can I tell if I have an IrDA device on my system?
If you have an IrDA device on your system the Wireless Link icon will appear in the Control Panel. If you do not see a Wireless Link icon in the Control Panel, then you do not have an IrDA device on your system and you are not vulnerable to this issue.
What's wrong with IrDA in Windows 2000?
The software that handles IrDA devices in Windows 2000 contains an unchecked buffer when handling a certain type of IrDA packet. When a specially formed IrDA packet of this type is received, it causes an access violation, causing Windows 2000 to restart automatically.
How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by sending a specially crafted IrDA packet from their machine to the intended victim's machine. Because of the nature of IrDA, this would have to be performed within the range of the potential victim's IrDA port, usually within arm's length. The attacker's machine would also have to have either a clear line of sight to the potential victim's IrDA port, or be able to deliver the malicious packet through a carefully targeted reflection attack that successfully pinpointed the victim's IrDA port.
Is there any other way for an attacker to exploit this vulnerability?
No. The attack would have to come from another machine's IrDA port and be aimed directly at the victim's IrDA port. It could not be exploited remotely across a network and could not be exploited locally on the victim's machine.
What could an attacker do if they maliciously exploited this vulnerability?
An attacker could cause the victim's machine to experience an access violation and reboot automatically.
How long would the attack last?
The attack would last as long as it took for the victim's machine to reboot. However, the attacker could mount another attack on the victim's machine once it had successfully rebooted, if they remained within range and were able to send another specially formed packet to the victim's IrDA port.
How would someone mount an attack?
Because this is related to the infrared support, an attack would have to be mounted from a machine that could transmit infrared packets to the potential victim's machine. In practical terms, this means that an attacker would most likely be in line-of-sight with a machine, making it very difficult to mount an attack without being noticed.
What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking in the IrDA device handler.
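The following is an added illustration of the bug class behind the cause and the patch described above; it is not Microsoft's code, and the three-byte header layout (address, control, declared information-field length) is a hypothetical frame format chosen for the example, not the real IrDA wire format. The unchecked handler is modelled as a function that only reports how many bytes it would write, so the example runs safely; the hardened handler carries the length checks the patch institutes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout used only for this illustration (not the real
 * IrDA wire format): byte 0 = address, byte 1 = control, byte 2 = declared
 * length of the information field, bytes 3.. = information field. */
#define INFO_MAX 64

struct irda_frame {
    uint8_t addr;
    uint8_t ctrl;
    uint8_t info_len;
    uint8_t info[INFO_MAX];
};

/* Models the unchecked handler: it trusts the sender's length byte. It does
 * not copy anything; it returns how many bytes such a handler would write
 * into info[], so a result above INFO_MAX is the overrun the bulletin
 * describes (an access violation, hence the automatic reboot). */
size_t unchecked_write_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 3)
        return 0;
    return pkt[2];
}

/* Hardened handler with the input checking the patch institutes: the
 * declared length must fit the destination buffer and must not exceed the
 * bytes actually received (which would otherwise over-read the packet).
 * Returns the information-field length on success, -1 on reject. */
int checked_parse(const uint8_t *pkt, size_t pkt_len, struct irda_frame *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 3)
        return -1;
    size_t info_len = pkt[2];
    if (info_len > INFO_MAX)          /* would overrun info[] */
        return -1;
    if (info_len > pkt_len - 3)       /* declares more than was received */
        return -1;
    memset(out, 0, sizeof *out);
    out->addr = pkt[0];
    out->ctrl = pkt[1];
    out->info_len = (uint8_t)info_len;
    memcpy(out->info, pkt + 3, info_len);
    return (int)info_len;
}

/* Constructed sample frames for the example (not captured traffic). */
static const uint8_t good_frame[]      = { 0xFE, 0x03, 4, 'a', 'b', 'c', 'd' };
static const uint8_t oversized_frame[] = { 0xFE, 0x03, 200, 'x', 'x', 'x' };
static const uint8_t truncated_frame[] = { 0xFE, 0x03, 10, 'x', 'x' };
```

The oversized frame is the case the unchecked path cannot survive, while the truncated frame shows the second check a careful handler also needs.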
Do all Windows 2000 users need to apply the patch?
No, only those who have systems with IrDA capabilities need to apply the patch.