White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x
Product: ActiveSync 4.x
White Wolf Security
August 21, 2008
Severity: Medium - Full TCP/IP access via the RNDIS protocol over USB from a
Windows Mobile device.
With the introduction of ActiveSync 4.x, Microsoft significantly
altered how a Windows Mobile device communicates with the host PC.
Specifically, ActiveSync 4.x implements RNDIS to carry data between the
Windows Mobile device and the host PC. The result is that a connected
Windows Mobile device has full TCP/IP access to the host PC over USB,
regardless of whether the system is logged in and regardless of whether
the device is fully synced.
ActiveSync 4.x is the primary method by which users sync their
Windows Mobile devices with their PC. To create a fast and stable
syncing process, Microsoft incorporated RNDIS into ActiveSync, which
requires a full TCP/IP connection between the mobile device and the host
PC before any sync-related data is passed. Because TCP/IP over USB is
implemented at the driver level, the connection is established the moment
a Windows Mobile device is plugged into a PC with ActiveSync installed.
And because ActiveSync is started at boot, it is always running, even
while the system is locked.
As a result, a Windows Mobile device can be plugged into a USB
port and an attack launched from it. In addition, if the device has
never been synced with the host PC, any wireless card will remain
enabled, so an attacker can connect a device to a PC's USB port, hide
it nearby, establish a wireless connection and control the device
remotely.
An example attack scenario is as follows: connect the USB device,
perform a port scan with vxUtil, locate open ports, determine potential
vulnerabilities based on the open ports, prepare exploit code, set up a
netcat listener on a remote host or on the Windows Mobile device itself
(Netcat for CE), and attempt to exploit the system. If the target host
is vulnerable to the chosen attack, the exploit code will be executed.
This scenario is demonstrated in a video using a DCOM exploit (MS03-026)
launched from a Windows Mobile device to get a reverse shell back to the
mobile device. The PoC includes the DCOM exploit to illustrate the
effectiveness of this attack vector.
More details are located at:
The PoC, the video, and links to the components of the attack are located at:
Workaround: Disable the USB syncing option in the settings and only
enable it when needed.
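The advisory's point is that the RNDIS link is an ordinary network adapter on the host, so it can be audited and firewalled like any other untrusted interface. The script below is an added example written for this page, not part of the White Wolf advisory and not ActiveSync or Microsoft code. It assumes the NetAdapter and NetSecurity PowerShell modules (Windows 8 / Server 2012 or later; the XP-era hosts the advisory targets would need netsh instead), an elevated prompt for the -Apply step, and a rule name chosen for the example. Without -Apply it only reports RNDIS adapters and their status.

```powershell
# Added example (not from the advisory): audit a Windows host for RNDIS
# network adapters, such as the one ActiveSync 4.x brings up for a connected
# Windows Mobile device, and optionally put them on the Public profile and
# block all inbound connections on them.
# Assumptions: NetAdapter/NetSecurity modules are available; run elevated
# to apply changes. The rule name below is chosen for this example only.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$RuleName = 'Block-Inbound-RNDIS'   # example name, not a Windows identifier

# 1. Find adapters whose driver description identifies them as RNDIS.
#    Matching on InterfaceDescription rather than the alias means a renamed
#    interface does not escape the check. Hidden adapters are included so a
#    device that is plugged in but not yet Up is still reported.
$rndis = Get-NetAdapter -IncludeHidden |
    Where-Object { $_.InterfaceDescription -match 'RNDIS' }

if (-not $rndis) {
    Write-Output 'No RNDIS adapters present.'
}

foreach ($a in $rndis) {
    # 2. Report status and IPv4 address: an Up adapter holding an address is
    #    a live TCP/IP path into the host, whether or not anyone is logged in.
    $ip = (Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 `
               -ErrorAction SilentlyContinue).IPAddress -join ','
    Write-Output ("RNDIS adapter: alias='{0}' desc='{1}' status={2} ipv4={3}" -f `
        $a.Name, $a.InterfaceDescription, $a.Status, $ip)

    if (-not $Apply) { continue }

    # 3. Treat the link as untrusted: the Public category gets the most
    #    restrictive default firewall behaviour.
    $profile = Get-NetConnectionProfile -InterfaceIndex $a.ifIndex `
                   -ErrorAction SilentlyContinue
    if ($profile -and $profile.NetworkCategory -ne 'Public') {
        Set-NetConnectionProfile -InterfaceIndex $a.ifIndex -NetworkCategory Public
        Write-Output ("  set profile of '{0}' to Public" -f $a.Name)
    }

    # 4. Block every inbound connection that arrives on this interface, so
    #    listening services on the host are not reachable from the device.
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -InterfaceAlias $a.Name -Profile Any -Enabled True | Out-Null
        Write-Output ("  created inbound block rule '{0}' on '{1}'" -f $RuleName, $a.Name)
    } else {
        Write-Output ("  rule '{0}' already exists" -f $RuleName)
    }
}
```

Run it without parameters from a scheduled task or a logon script to get an inventory of RNDIS adapters over time; run it with -Apply on hosts where the USB link should never expose host services. Test synchronization afterwards: if blocking inbound traffic on the interface interferes with ActiveSync on a given setup, the advisory's workaround of leaving USB syncing disabled until it is needed is the fallback.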
Vendor Response: Vendor was notified.
Copyright 2008 White Wolf Security
Permission is granted for the electronic redistribution of this alert.
It may not be edited in any way without the express written consent of
White Wolf Security. If you wish to reprint the whole, or any part, of
this alert in any medium other than electronic form, please contact
White Wolf Security for permission.
Disclaimer: The information in this advisory is believed to be accurate
at the time of publishing, based on currently available information. Use
of the information constitutes acceptance for use on an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,