White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x

Product: ActiveSync 4.x
Platform: NA
Requirements: NA
Credits: Seth Fogie
White Wolf Security
http://www.whitewolfsecurity.com
August 21, 2008

Risk Level: Medium - Full TCP/IP access via the RNDIS protocol over USB from a Windows Mobile device.

Summary:

With the introduction of ActiveSync 4.x, Microsoft significantly altered how a Windows Mobile device communicates with the host PC. Specifically, ActiveSync 4.x implements RNDIS to carry data between the Windows Mobile device and the host PC. The result is that a connected Windows Mobile device has full TCP/IP access to the host PC over USB, regardless of whether anyone is logged in to the system or whether the device has ever completed a sync.

Details:

ActiveSync 4.x is the primary method by which users sync their Windows Mobile devices to their PC. In order to create a fast and stable syncing process, Microsoft incorporated RNDIS into ActiveSync, which requires a full TCP/IP connection between the mobile device and the host PC before any sync-related data is passed. Because TCP/IP over USB is provided at the driver level, the connection comes up the moment a Windows Mobile device is plugged into a PC with ActiveSync installed. And since ActiveSync is started at boot, it is always running - even when the system is locked. As a result, a Windows Mobile device can be plugged into a USB port and an attack launched from it. In addition, if the device has never been synced with the host PC, any wireless card in the device remains enabled. An attacker can therefore connect a device to a PC's USB port, hide it nearby, establish a wireless connection to it and control the device remotely.
An example attack scenario is as follows: connect the USB device, perform a port scan with vxUtil, locate open ports, determine potential vulnerabilities based on the open ports, prepare exploit code, set up a netcat listener on a remote host or on the Windows Mobile device itself (Netcat for CE), and attempt to exploit the system. If the target host is vulnerable to a particular attack, the exploit code will be executed. This scenario is demonstrated in a video using a DCOM exploit (MS03-026) launched from a Windows Mobile device to obtain a reverse shell back to the mobile device. The PoC includes the DCOM exploit to illustrate the effectiveness of this attack vector.

More details are located at:
http://www.informit.com/guides/content.aspx?g=security&seqNum=326

PoC, video, and links to the components of the attack are located at:
http://www.whitewolfsecurity.com/security/080922-1.php

Workaround:

Disable the USB syncing option in the ActiveSync settings and enable it only when needed.

Vendor Response:

Vendor was notified.

Copyright 2008 White Wolf Security

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of White Wolf Security. If you wish to reprint the whole, or any part, of this alert in any medium other than electronic, please contact White Wolf Security for permission.

Disclaimer:

The information in this advisory is believed to be accurate at the time of publishing, based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.