Dear Seth Fogie,

In the same way you can plug in a USB Ethernet network adapter with a notebook attached. No active sync required at all. This is a question of physical security.

--Tuesday, September 30, 2008, 6:08:05 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

SF> White Wolf Labs #080922-1: Exploitation Through ActiveSync 4.x
SF> Product: ActiveSync 4.x
SF> Platform: NA
SF> Requirements: NA
SF> Credits:
SF> Seth Fogie
SF> White Wolf Security
SF> http://www.whitewolfsecurity.com
SF> August 21, 2008
SF> Risk Level:
SF> Medium - Full TCP/IP access via RNDIS protocol over USB from
SF> Windows Mobile device.
SF> Summary:
SF> With the introduction of ActiveSync 4.x, Microsoft significantly
SF> altered how the Windows Mobile device communicates with the host PC.
SF> Specifically, ActiveSync 4.x implements RNDIS to facilitate the
SF> transmission of data between the Windows Mobile device and the host PC.
SF> The result is that a connected Windows Mobile device will have full
SF> TCP/IP access to the host PC over USB - regardless of whether or not the
SF> system is logged in or if the device is fully synced.
SF> Details:
SF> ActiveSync 4.x is the primary method by which users sync their
SF> Windows Mobile devices to their PC. In order to create a fast and stable
SF> syncing process, Microsoft incorporated RNDIS into ActiveSync, which
SF> requires a full TCP/IP connection between the mobile device and the host
SF> PC before any syncing related data is passed. Since the ability to pass
SF> TCP/IP over USB is driver level, it happens the moment a Windows Mobile
SF> device is connected to a PC with ActiveSync installed. And since
SF> ActiveSync is executed during startup, it is always running - even if
SF> the system is locked.
SF> As a result, a Windows Mobile device can be plugged into a USB
SF> port, from which an attack can be launched. In addition, if the device
SF> has never been synced to the host PC, any wireless card will remain
SF> enabled. As a result, an attacker can connect a device into a PC's USB
SF> port, hide it nearby, establish a wireless connection and remotely
SF> control the device.
SF> An example attack scenario is as follows: connect USB device,
SF> perform port scan with vxUtil, locate open ports, determine potential
SF> vulnerabilities based on open ports, prepare exploit code, setup netcat
SF> listener on remote host or on the Windows Mobile device itself (Netcat
SF> for CE), attempt to exploit system. If the target host is vulnerable to
SF> a particular attack, exploit code will be executed. This scenario is
SF> demonstrated in video using a DCOM exploit (ms03-026) from a Windows
SF> Mobile device to get a reverse-shell back to the mobile device. PoC
SF> includes DCOM exploit to illustrate the effectiveness of this attack vector.
SF> More details are located at:
SF> http://www.informit.com/guides/content.aspx?g=security&seqNum=326
SF> PoC, video, and links to component of attack are located at:
SF> http://www.whitewolfsecurity.com/security/080922-1.php
SF> Workaround: Disable the USB syncing option in the settings and only
SF> enable when needed.
SF> Vendor Response: Vendor was notified.
SF> Copyright 2008 White Wolf Security
SF> Permission is granted for the redistribution of this alert
SF> electronically. It may not be edited in any way without the express
SF> written consent of White Wolf Security. If you wish to reprint the
SF> whole, or any part, of this alert in any other medium other than
SF> electronically, please contact White Wolf Security for permission.
SF> Disclaimer: The information in this advisory is believed to be accurate
SF> at the time of publishing, based on currently available information. Use
SF> of the information constitutes acceptance for use on an AS IS condition.
SF> There are no warranties with regard to this information. Neither the
SF> author nor the publisher accepts any liability for any direct, indirect,
SF> or consequential loss or damage arising from use of, or reliance on,
SF> this information.

--
~/ZARAZA http://securityvulns.com/
Thus he dies for the sixth time - and again in a new place. (Twain)