
Re: White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x



Dear Seth Fogie,

In the same way you can plug in a USB Ethernet network adapter with a
notebook attached. No ActiveSync is required at all. This is a question
of physical security.

--Tuesday, September 30, 2008, 6:08:05 PM, you wrote to 
bugtraq@xxxxxxxxxxxxxxxxx:

SF> White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x

SF> Product: ActiveSync 4.x

SF> Platform: NA

SF> Requirements: NA

SF> Credits:

SF>      Seth Fogie
SF>      White Wolf Security
SF>      http://www.whitewolfsecurity.com
SF>      August 21, 2008

SF> Risk Level:

SF>      Medium - Full TCP/IP access via RNDIS protocol over USB from
SF> Windows Mobile device.

SF> Summary:

SF>      With the introduction of ActiveSync 4.x, Microsoft significantly
SF> altered how the Windows Mobile device communicates with the host PC.
SF> Specifically, ActiveSync 4.x implements RNDIS to facilitate the
SF> transmission of data between the Windows Mobile device and the host PC.
SF> The result is that a connected Windows Mobile device will have full
SF> TCP/IP access to the host PC over USB - regardless of whether or not the
SF> system is logged in or if the device is fully synced.

SF> Details:

SF>      ActiveSync 4.x is the primary method by which users sync their
SF> Windows Mobile devices to their PC. In order to create a fast and stable
SF> syncing process, Microsoft incorporated RNDIS into ActiveSync, which
SF> requires a full TCP/IP connection between the mobile device and the host
SF> PC before any syncing related data is passed. Since the ability to pass
SF> TCP/IP over USB is driver level, it happens the moment a Windows Mobile
SF> device is connected to a PC with ActiveSync installed. And since
SF> ActiveSync is executed during startup, it is always running - even if
SF> the system is locked.

SF>      As a result, a Windows Mobile device can be plugged into a USB
SF> port, from which an attack can be launched. In addition, if the device
SF> has never been synced to the host PC, any wireless card will remain
SF> enabled. As a result, an attacker can connect a device to a PC's USB
SF> port, hide it nearby, establish a wireless connection and remotely
SF> control the device.

SF>      An example attack scenario is as follows: connect USB device,
SF> perform port scan with vxUtil, locate open ports, determine potential
SF> vulnerabilities based on open ports, prepare exploit code, setup netcat
SF> listener on remote host or on the Windows Mobile device itself (Netcat
SF> for CE), attempt to exploit system. If the target host is vulnerable to
SF> a particular attack, exploit code will be executed. This scenario is
SF> demonstrated in video using a DCOM exploit (ms03-026) from a Windows
SF> Mobile device to get a reverse-shell back to the mobile device. PoC
SF> includes DCOM exploit to illustrate the effectiveness of this attack vector.

SF> More details are located at:
SF> http://www.informit.com/guides/content.aspx?g=security&seqNum=326

SF> PoC, video, and links to the components of the attack are located at:
SF> http://www.whitewolfsecurity.com/security/080922-1.php

SF> Workaround: Disable the USB syncing option in the settings and only
SF> enable when needed.

SF> Vendor Response: Vendor was notified.

SF> Copyright 2008 White Wolf Security

SF> Permission is granted for the redistribution of this alert
SF> electronically. It may not be edited in any way without the express
SF> written consent of White Wolf Security. If you wish to reprint the
SF> whole, or any part, of this alert in any other medium other than
SF> electronically, please contact White Wolf Security for permission.

SF> Disclaimer: The information in this advisory is believed to be accurate
SF> at the time of publishing, based on currently available information. Use
SF> of the information constitutes acceptance for use on an AS IS condition.
SF> There are no warranties with regard to this information. Neither the
SF> author nor the publisher accepts any liability for any direct, indirect,
SF> or consequential loss or damage arising from use of, or reliance on,
SF> this information.





-- 
~/ZARAZA http://securityvulns.com/
Thus he dies for the sixth time, and again in a new place. (Twain)
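The host-side counterpart to the advisory's workaround, as an added example that is not part of the advisory or of this reply: a PowerShell script run on the Windows host that lists connected network adapters, flags any that look like the ActiveSync RNDIS link (which the host sees as an ordinary NIC, so it is easy to miss), and optionally adds a Windows Firewall rule blocking inbound traffic to the host's end of that link. The adapter-name patterns ("RNDIS", "Remote NDIS", "Windows Mobile-based Device") and the 169.254.2.0/24 address range are assumptions about ActiveSync 4.x defaults; the firewall step assumes a host with `netsh advfirewall` (Vista or later).

```powershell
# Added example, not from the advisory or the reply above.
# Enumerates connected adapters on the host, reports any that match the
# assumed ActiveSync/RNDIS naming, and with -Block adds an inbound
# firewall rule for the host-side addresses of that link.
param([switch]$Block)

# Assumed adapter name fragments for the ActiveSync 4.x RNDIS link.
$patterns = 'RNDIS', 'Remote NDIS', 'Windows Mobile-based Device'

# NetConnectionStatus 2 = Connected; only live links matter here.
$adapters = Get-WmiObject Win32_NetworkAdapter |
    Where-Object { $_.NetConnectionStatus -eq 2 }

foreach ($a in $adapters) {
    $desc = "$($a.Name) $($a.NetConnectionID)"
    $suspect = $patterns | Where-Object { $desc -match [regex]::Escape($_) }
    if (-not $suspect) { continue }

    # IP configuration for this adapter (same Index in both WMI classes).
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($a.Index)"
    $allIps = @($cfg.IPAddress)
    # Assumed ActiveSync link-local range; the host end is what we must protect.
    $linkIps = @($allIps | Where-Object { $_ -match '^169\.254\.2\.' })

    Write-Warning ("Connected RNDIS-style adapter '{0}' ({1}), IPs: {2}" -f
        $a.NetConnectionID, $a.Name, ($allIps -join ', '))

    if ($Block -and $linkIps.Count -gt 0) {
        # Block everything inbound on the host's USB-link address(es) so a
        # device plugged into a locked workstation cannot reach listening
        # services; ActiveSync's own outbound-initiated traffic is unaffected
        # only if it originates from the host, so test syncing after applying.
        $localip = $linkIps -join ','
        $rule = "Block inbound on ActiveSync RNDIS link ($($a.NetConnectionID))"
        netsh advfirewall firewall add rule name="$rule" dir=in action=block "localip=$localip" | Out-Null
        Write-Host "Added firewall rule: $rule"
    }
}
```

Run it without arguments to audit a machine (it only prints); add `-Block` to apply the rule. Because the rule keys on the host-side link address rather than on the adapter, it survives the adapter being re-enumerated under a different name, but it should be removed again (`netsh advfirewall firewall delete rule name=...`) if syncing breaks, since the point is to test, not to assume, that ActiveSync tolerates the restriction.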