Re: White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x
Dear Seth Fogie,
In the same way you can plug in a USB Ethernet network adapter with a
notebook attached. No ActiveSync required at all. This is a question
of physical security.
--Tuesday, September 30, 2008, 6:08:05 PM, you wrote to
bugtraq@xxxxxxxxxxxxxxxxx:
SF> White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x
SF> Product: ActiveSync 4.x
SF> Platform: NA
SF> Requirements: NA
SF> Credits:
SF> Seth Fogie
SF> White Wolf Security
SF> http://www.whitewolfsecurity.com
SF> August 21, 2008
SF> Risk Level:
SF> Medium - Full TCP/IP access via RNDIS protocol over USB from
SF> Windows Mobile device.
SF> Summary:
SF> With the introduction of ActiveSync 4.x, Microsoft significantly
SF> altered how the Windows Mobile device communicates with the host PC.
SF> Specifically, ActiveSync 4.x implements RNDIS to facilitate the
SF> transmission of data between the Windows Mobile device and the host PC.
SF> The result is that a connected Windows Mobile device will have full
SF> TCP/IP access to the host PC over USB - regardless of whether or not the
SF> system is logged in or if the device is fully synced.
SF> Details:
SF> ActiveSync 4.x is the primary method by which users sync their
SF> Windows Mobile devices to their PC. In order to create a fast and stable
SF> syncing process, Microsoft incorporated RNDIS into ActiveSync, which
SF> requires a full TCP/IP connection between the mobile device and the host
SF> PC before any syncing related data is passed. Since the ability to pass
SF> TCP/IP over USB is driver level, it happens the moment a Windows Mobile
SF> device is connected to a PC with ActiveSync installed. And since
SF> ActiveSync is executed during startup, it is always running - even if
SF> the system is locked.
SF> As a result, a Windows Mobile device can be plugged into a USB
SF> port, from which an attack can be launched. In addition, if the device
SF> has never been synced to the host PC, any wireless card will remain
SF> enabled. As a result, an attacker can connect a device into a PC's USB
SF> port, hide it nearby, establish a wireless connection and remotely
SF> control the device.
SF> An example attack scenario is as follows: connect USB device,
SF> perform port scan with vxUtil, locate open ports, determine potential
SF> vulnerabilities based on open ports, prepare exploit code, setup netcat
SF> listener on remote host or on the Windows Mobile device itself (Netcat
SF> for CE), attempt to exploit system. If the target host is vulnerable to
SF> a particular attack, exploit code will be executed. This scenario is
SF> demonstrated in video using a DCOM exploit (ms03-026) from a Windows
SF> Mobile device to get a reverse-shell back to the mobile device. PoC
SF> includes DCOM exploit to illustrate the effectiveness of this attack vector.
SF> More details are located at:
SF> http://www.informit.com/guides/content.aspx?g=security&seqNum=326
SF> PoC, video, and links to components of the attack are located at:
SF> http://www.whitewolfsecurity.com/security/080922-1.php
SF> Workaround: Disable the USB syncing option in the settings and only
SF> enable when needed.
SF> Vendor Response: Vendor was notified.
SF> Copyright 2008 White Wolf Security
SF> Permission is granted for the redistribution of this alert
SF> electronically. It may not be edited in any way without the express
SF> written consent of White Wolf Security. If you wish to reprint the
SF> whole, or any part, of this alert in any other medium other than
SF> electronically, please contact White Wolf Security for permission.
SF> Disclaimer: The information in this advisory is believed to be accurate
SF> at the time of publishing, based on currently available information. Use
SF> of the information constitutes acceptance for use on an AS IS condition.
SF> There are no warranties with regard to this information. Neither the
SF> author nor the publisher accepts any liability for any direct, indirect,
SF> or consequential loss or damage arising from use of, or reliance on,
SF> this information.
--
~/ZARAZA http://securityvulns.com/
Thus he dies for the sixth time - and again in a new place. (Twain)
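The advisory quoted above describes the host-side effect of ActiveSync 4.x: an RNDIS network interface appears on the PC the moment a device is attached, whether or not the session is locked. The following script is an added example, written for this thread and not taken from the advisory, the reply, or Microsoft; it is the check a desktop administrator would run to see whether such a USB-backed network interface is present and carrying an address. It assumes a Windows host with WMI available (Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration) and PowerShell 3 or later for [pscustomobject]; the adapter-name patterns and the sample adapter records are assumptions constructed for illustration.

```powershell
# Added example: flag host-side network interfaces that look like an
# ActiveSync/RNDIS link from a USB-attached device. Not part of the advisory.
# Assumes WMI classes Win32_NetworkAdapter / Win32_NetworkAdapterConfiguration.

function Get-HostAdapterRecord {
    # Collect live adapter records from WMI, one object per adapter.
    Get-WmiObject -Class Win32_NetworkAdapter | ForEach-Object {
        $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                   -Filter "Index = $($_.Index)"
        [pscustomobject]@{
            Name        = $_.Name
            PNPDeviceID = $_.PNPDeviceID
            Connected   = ($_.NetConnectionStatus -eq 2)   # 2 = Connected
            IPAddress   = (@($cfg.IPAddress) -join ',')
        }
    }
}

function Find-RndisAdapter {
    param(
        # Optional pre-collected records so the logic can be exercised against
        # constructed data without touching WMI.
        [object[]]$Adapters
    )
    if (-not $Adapters) { $Adapters = Get-HostAdapterRecord }

    # Heuristic (assumed) patterns: RNDIS adapters enumerate under the USB bus
    # and ActiveSync links usually carry "RNDIS" or "Windows Mobile" in the name.
    $namePattern = 'RNDIS|Remote NDIS|Windows Mobile'

    foreach ($a in $Adapters) {
        $usbBacked = ($a.PNPDeviceID -match '^USB\\')
        if (($a.Name -match $namePattern) -or ($usbBacked -and $a.Name -match 'NDIS')) {
            if ($a.Connected) {
                $finding = 'ACTIVE USB network link - host reachable over TCP/IP from the device'
            } else {
                $finding = 'USB network adapter present but not connected'
            }
            [pscustomobject]@{
                Name        = $a.Name
                PNPDeviceID = $a.PNPDeviceID
                Connected   = $a.Connected
                IPAddress   = $a.IPAddress
                Finding     = $finding
            }
        }
    }
}

# Constructed sample records (not real output) so the check can be read offline.
$sample = @(
    [pscustomobject]@{ Name = 'Intel(R) PRO/1000 MT Network Connection'
                       PNPDeviceID = 'PCI\VEN_XXXX&DEV_XXXX\PLACEHOLDER'
                       Connected = $true;  IPAddress = '10.0.0.15' },
    [pscustomobject]@{ Name = 'Microsoft Windows Mobile Remote Adapter'
                       PNPDeviceID = 'USB\VID_XXXX&PID_XXXX\PLACEHOLDER'
                       Connected = $true;  IPAddress = '169.254.2.2' }
)

# Offline run against the constructed records; omit -Adapters for a live query.
Find-RndisAdapter -Adapters $sample | Format-Table -AutoSize
```

On a live host, run it without -Adapters; any row reporting an active USB network link while the console is locked is exactly the condition the advisory describes, and the appropriate response is the workaround the advisory gives (disable USB syncing until it is needed) together with treating that interface as untrusted in the host firewall rather than as part of the local network.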