Vulnerability Development mailing list archives
RE: IRFTP possible woes
From: "Brewis, Mark" <mark.brewis () eds com>
Date: Fri, 3 Dec 2004 09:53:54 -0000
Hi,

See: Infrared Vulns on laptops
http://www.securityfocus.com/archive/101/333323/2003-08-08/2003-08-14/1
for a previous discussion on this.

As a means of hacking, IR has some serious limitations.

<SNIP>
[RECENTLY] I ran across what I believe is an irftp based worm. While cleaning two laptops one day (one connected to a secure VLAN the other not connected), I noticed the connected machine flash its irftp sensor and task manager showed it was running. A few seconds later the connected machine stopped beeping, the disconnected one started, and it too showed irftp sessions.

After checking around the premises for infrared *anything*, I dug up all I could from both machines. The disconnected machine had already been cleaned, and the connected one was infected with all sorts of SDBOT worms, Spyware, *crapware*foo*.

Something to think about if you're sitting in the park one day disconnected from any network and someone's infected machine sends you via IRFTP some crap.

    irftp C:\evil_at_script \\victim\C:\WINDOWS\run_me

Where some at script would run something like:

    net user luzer something /ADD /FULLNAME:"Admin Account" /COMMENT:"Admin" /h

I'm almost positive something like this is what happened. I believe it's possible to have that machine run whatever you would want it to, and since IRFTP has no authentication (that I know of) what is needed to perform such nonsense. A machine name, share name, not that big of a deal.
<SNIP>
Current thread:
- IRFTP possible woes J. Oquendo (Dec 02)
- <Possible follow-ups>
- RE: IRFTP possible woes Brewis, Mark (Dec 03)