RE: IRFTP possible woes

["Brewis, Mark" <mark.brewis () eds com>]

Hi,

See: Infrared Vulns on laptops
http://www.securityfocus.com/archive/101/333323/2003-08-08/2003-08-14/1
for a previous discussion on this.

As a means of hacking, IR has some serious limitations.  

<SNIP>

> > [RECENTLY] I ran across what I believe is an irftp based worm. While
> > cleaning two laptops one day (one connected to a secure VLAN 
> > the other not
> > connected), I noticed the connected machine flash its irftp sensor and
> > task manager showed it was running. Few seconds later the connected
> > machine stopped beeping, the disconnected one started, and it 
> > too showed
> > irftp sessions. After checking around the premises for infrared
> > *anything*, I dug up all I could from both machines. The disconneted
> > machine had already been cleaned, and the connected one was 
> > infected with
> > all sorts of SDBOT worms, Spyware, *crapware*foo*.
> >
> > Something to think about if you're sitting in the park one 
> > day disconneted
> > from any network and someone's infected machine sends you via 
> > IRFTP some
> > crap.
> >
> > irftp C:\evil_at_script \\victim\C:\WINDOWS\run_me
> >
> > Where some at script would run something like:
> >
> > net user luzer something /ADD /FULLNAME:"Admin Account" 
> > /COMMENT:"Admin" /h
> >
> > I'm almost positive something like this is what happened. I 
> > believe its
> > possible to have that machine run whatever you would want it 
> > to, and since
> > IRFTP has no authentication (that I know of) what is needed to perform
> > such nonsense. A machine name, share name, not that big of a deal.
<SNIP>