Re: White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x



Dear Seth Fogie,

In the same way you can plug in a USB Ethernet network adapter with
a notebook attached. No ActiveSync required at all. This is a question
of physical security.

--Tuesday, September 30, 2008, 6:08:05 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

SF> White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x

SF> Product: ActiveSync 4.x

SF> Platform: NA

SF> Requirements: NA

SF> Credits:

SF> Seth Fogie
SF> White Wolf Security
SF> http://www.whitewolfsecurity.com
SF> August 21, 2008

SF> Risk Level:

SF> Medium - Full TCP/IP access via RNDIS protocol over USB from
SF> Windows Mobile device.

SF> Summary:

SF> With the introduction of ActiveSync 4.x, Microsoft significantly
SF> altered how the Windows Mobile device communicates with the host PC.
SF> Specifically, ActiveSync 4.x implements RNDIS to facilitate the
SF> transmission of data between the Windows Mobile device and the host PC.
SF> The result is that a connected Windows Mobile device will have full
SF> TCP/IP access to the host PC over USB - regardless of whether or not the
SF> system is logged in or if the device is fully synced.

SF> Details:

SF> ActiveSync 4.x is the primary method by which users sync their
SF> Windows Mobile devices to their PC. In order to create a fast and stable
SF> syncing process, Microsoft incorporated RNDIS into ActiveSync, which
SF> requires a full TCP/IP connection between the mobile device and the host
SF> PC before any syncing related data is passed. Since the ability to pass
SF> TCP/IP over USB is driver level, it happens the moment a Windows Mobile
SF> device is connected to a PC with ActiveSync installed. And since
SF> ActiveSync is executed during startup, it is always running - even if
SF> the system is locked.

SF> As a result, a Windows Mobile device can be plugged into a USB
SF> port, from which an attack can be launched. In addition, if the device
SF> has never been synced to the host PC, any wireless card will remain
SF> enabled. As a result, an attacker can connect a device into a PC's USB
SF> port, hide it nearby, establish a wireless connection and remotely
SF> control the device.

SF> An example attack scenario is as follows: connect USB device,
SF> perform port scan with vxUtil, locate open ports, determine potential
SF> vulnerabilities based on open ports, prepare exploit code, set up netcat
SF> listener on remote host or on the Windows Mobile device itself (Netcat
SF> for CE), attempt to exploit system. If the target host is vulnerable to
SF> a particular attack, exploit code will be executed. This scenario is
SF> demonstrated in video using a DCOM exploit (ms03-026) from a Windows
SF> Mobile device to get a reverse-shell back to the mobile device. PoC
SF> includes DCOM exploit to illustrate the effectiveness of this attack vector.

SF> More details are located at:
SF> http://www.informit.com/guides/content.aspx?g=security&seqNum=326

SF> PoC, video, and links to components of the attack are located at:
SF> http://www.whitewolfsecurity.com/security/080922-1.php

SF> Workaround: Disable the USB syncing option in the settings and only
SF> enable when needed.

SF> Vendor Response: Vendor was notified.

SF> Copyright 2008 White Wolf Security

SF> Permission is granted for the redistribution of this alert
SF> electronically. It may not be edited in any way without the express
SF> written consent of White Wolf Security. If you wish to reprint the
SF> whole, or any part, of this alert in any other medium other than
SF> electronically, please contact White Wolf Security for permission.

SF> Disclaimer: The information in this advisory is believed to be accurate
SF> at the time of publishing, based on currently available information. Use
SF> of the information constitutes acceptance for use on an AS IS condition.
SF> There are no warranties with regard to this information. Neither the
SF> author nor the publisher accepts any liability for any direct, indirect,
SF> or consequential loss or damage arising from use of, or reliance on,
SF> this information.





--
~/ZARAZA http://securityvulns.com/
Thus he dies for the sixth time - and again in a new place. (Twain)
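
Added example, not part of either message above: both the advisory (RNDIS over USB) and the reply (a USB Ethernet adapter) come down to a USB device that presents a network interface to the host, which a device-control check can recognise from the interface class triple in the configuration descriptor. The triples are the ones the Linux rndis_host and cdc_ether drivers match on; the labels, function names and sample descriptors are constructed for this illustration.

```python
import struct

# (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) triples that give
# the host a network link. Values as matched by the Linux rndis_host and
# cdc_ether drivers; the labels are this example's own wording.
NETWORK_TRIPLES = {
    (0x02, 0x02, 0xFF): "RNDIS (CDC ACM variant)",
    (0xEF, 0x01, 0x01): "ActiveSync RNDIS",
    (0xE0, 0x01, 0x03): "Remote NDIS (wireless controller)",
    (0x02, 0x06, 0x00): "CDC Ethernet",
}
DT_INTERFACE = 0x04  # USB interface descriptor type


def network_interfaces(config_desc: bytes):
    """Walk a raw USB configuration descriptor and return
    [(interface_number, label)] for every network-capable interface."""
    found, off = [], 0
    while off + 2 <= len(config_desc):
        length, dtype = config_desc[off], config_desc[off + 1]
        # Reject zero-length or overrunning descriptors instead of looping.
        if length < 2 or off + length > len(config_desc):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            num, _alt, _eps, cls, sub, proto = struct.unpack_from(
                "6B", config_desc, off + 2)
            label = NETWORK_TRIPLES.get((cls, sub, proto))
            if label:
                found.append((num, label))
        off += length
    return found


def _config(*triples):
    """Build a constructed configuration descriptor (header + interfaces)."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(triples))
    return struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body),
                       len(triples), 1, 0, 0x80, 50) + body


# Constructed samples, not captured from real hardware.
SAMPLE_SYNC_DEVICE = _config((0xEF, 0x01, 0x01), (0x0A, 0x00, 0x00))
SAMPLE_USB_NIC = _config((0x02, 0x06, 0x00), (0x0A, 0x00, 0x00))
SAMPLE_FLASH_DRIVE = _config((0x08, 0x06, 0x50))
```

USB network adapters that use a vendor-specific interface class (0xFF) are not covered by this table, so a policy built on it should allow-list known devices rather than only deny these triples.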


