RE: IRFTP possible woes
From: Brewis, Mark (mark.brewis eds.com)
Date: Fri Dec 03 2004 - 03:53:54 CST
Hi,
See: Infrared Vulns on laptops
http://www.securityfocus.com/archive/101/333323/2003-08-08/2003-08-14/1
for a previous discussion on this.
As a means of hacking, IR has some serious limitations.
<SNIP>
>>[RECENTLY] I ran across what I believe is an irftp based worm. While
>>cleaning two laptops one day (one connected to a secure VLAN, the other
>>not connected), I noticed the connected machine flash its irftp sensor and
>>task manager showed it was running. Few seconds later the connected
>>machine stopped beeping, the disconnected one started, and it too showed
>>irftp sessions. After checking around the premises for infrared
>>*anything*, I dug up all I could from both machines. The disconnected
>>machine had already been cleaned, and the connected one was infected with
>>all sorts of SDBOT worms, Spyware, *crapware*foo*.
>>
>>Something to think about if you're sitting in the park one day
>>disconnected from any network and someone's infected machine sends you
>>via IRFTP some crap.
>>
>>irftp C:\evil_at_script \\victim\C:\WINDOWS\run_me
>>
>>Where some at script would run something like:
>>
>>net user luzer something /ADD /FULLNAME:"Admin Account" /COMMENT:"Admin" /h
>>
>>I'm almost positive something like this is what happened. I believe it's
>>possible to have that machine run whatever you would want it to, and since
>>IRFTP has no authentication (that I know of) what is needed to perform
>>such nonsense. A machine name, share name, not that big of a deal.
>>
<SNIP>