
RE: IRFTP possible woes



Hi,

See: Infrared Vulns on laptops
http://www.securityfocus.com/archive/101/333323/2003-08-08/2003-08-14/1
for a previous discussion on this.

As a means of hacking, IR has some serious limitations.  

<SNIP>

>>[RECENTLY] I ran across what I believe is an irftp based worm. While
>>cleaning two laptops one day (one connected to a secure VLAN, the other
>>not connected), I noticed the connected machine flash its irftp sensor
>>and task manager showed it was running. Few seconds later the connected
>>machine stopped beeping, the disconnected one started, and it too showed
>>irftp sessions. After checking around the premises for infrared
>>*anything*, I dug up all I could from both machines. The disconnected
>>machine had already been cleaned, and the connected one was infected
>>with all sorts of SDBOT worms, Spyware, *crapware*foo*.
>>
>>Something to think about if you're sitting in the park one day
>>disconnected from any network and someone's infected machine sends you
>>via IRFTP some crap.
>>
>>irftp C:\evil_at_script \\victim\C:\WINDOWS\run_me
>>
>>Where some at script would run something like:
>>
>>net user luzer something /ADD /FULLNAME:"Admin Account" /COMMENT:"Admin" /h
>>
>>I'm almost positive something like this is what happened. I believe
>>it's possible to have that machine run whatever you would want it to,
>>and since IRFTP has no authentication (that I know of) what is needed
>>to perform such nonsense. A machine name, share name, not that big of
>>a deal.
>>
<SNIP>