Unchecked Buffer in Windows 2000 IrDA Driver

Reported August 21, 2001, by Microsoft.


· Windows 2000


An unchecked buffer exists in the Infrared Data Association (IrDA) driver that can cause a Denial of Service (DoS) condition. A system running Win2K with infrared support turned on can crash when it receives an IrDA test frame from a Linux system that is using the irdaping utility.



Paul Millar, who discovered the vulnerability, posted the following scenario as proof-of-concept:



  1. Start up laptops. My setup was: victim running Windows, protagonist
     running GNU/Linux. The Linux kernel must have IrDA support
     compiled in.
  2. Under GNU/Linux, make sure irda-utils-0.9.10-9 is installed, other
     versions are untested, but will probably work too.
  3. Do "irattach /dev/ttyS1 -s" or equivalent to activate the IrDA

  4. Check the GNU/Linux side is working correctly by running the
     "irdadump" command. You should see repetitive output similar to:

07:28:17.790903 xid:cmd 4d274896 > ffffffff S=6 s=0 (14)
07:28:17.880849 xid:cmd 4d274896 > ffffffff S=6 s=1 (14)
07:28:17.970845 xid:cmd 4d274896 > ffffffff S=6 s=2 (14)
07:28:18.060858 xid:cmd 4d274896 > ffffffff S=6 s=3 (14)
07:28:18.150840 xid:cmd 4d274896 > ffffffff S=6 s=4 (14)
07:28:18.240861 xid:cmd 4d274896 > ffffffff S=6 s=5 (14)
07:28:18.330859 xid:cmd 4d274896 > ffffffff S=6 s=* rattusrattus hint=0400 [ Computer ] (28)

  5. Place laptops so the infrared ports are aligned and within IrDA
     distance, irdadump should reflect new machine. The Windows
     machine should also respond, usually by making a sound.
  6. Run irdaping. The destination address ("0x4d274896"
     for above example) is required, but actual value doesn't matter.


The vulnerable system at this point will either crash with a blue screen or will reboot, depending upon the system’s configuration.




The vendor, Microsoft, has released security bulletin MS01-046 to address this vulnerability and recommends that affected users apply the patch mentioned in the bulletin.


Discovered by Paul Millar.
