New Active Sync Security Vulnerability - Windows Mobile Development and Hacking General

Airscanner Mobile Security Advisory: Remote Password Compromise of Microsoft Active Sync 3.7.1
Product:
Microsoft Active Sync 3.7.1
Platform:
Tested on Windows XP Professional SP-2 and Windows Mobile Pocket PC 2003
Requirements:
Windows XP Professional with Active Sync 3.7.1
Credits:
Seth Fogie
Airscanner Mobile Security
www.airscanner.com
July 22, 2005
Risk Level:
Low for denial of service attacks. Medium for password collection attack.
Summary:
"Active Sync" is Microsoft's default connectivity program that keeps a desktop PC and a handheld Pocket PC synchronized. It also includes various other features, such as debugging ability, file transfer, etc.
Details:
When a Pocket PC device attempts to sync to a PC, it sends three initial packets to the Active Sync program on TCP port 5679. The following outlines the contents of the packets (C string-literal notation, little-endian dwords):
unsigned char packet1[] = "\x00\x00\x00\x00";
unsigned char packet2[] = "\x98\x00\x00\x00"; // SIZE OF NEXT PACKET
unsigned char packet3[] =
"\x28\x00\x00\x00"
"\x04\x15\x40\x04"
"\x11\x0a\x00\x00" // 0x0a11 = 2577 (AUTORUN?)
"\x05\x00\x00\x00"
"\x59\x29\x6d\x46" // EQUIP ID
"\x00\x00\x00\x00"
"\x28\x00\x00\x00" // LINK TO POCKET_PC1 TEXT
"\x3e\x00\x00\x00" // LINK TO POCKETPC TEXT
"\x5c\x00\x00\x00" // LINK TO SSDK TEXT
"\x78\x00\x00\x00" // LINK TO AXIM X50 TEXT
"\x50\x00\x6f\x00" // TEXT IN UNICODE (UTF-16LE, double-null terminated)
"\x63\x00\x6b\x00\x65\x00\x74\x00\x5f\x00\x50\x00\x43\x00\x31\x00\x00\x00\x50\x00"
"\x6f\x00\x63\x00\x6b\x00\x65\x00\x74\x00\x50\x00\x43\x00\x00\x00"
"\x53\x00\x53\x00\x44\x00\x4b\x00\x00\x00\x00\x00\x44\x00\x65\x00"
"\x6c\x00\x6c\x00\x20\x00\x41\x00\x78\x00\x69\x00\x6d\x00\x20\x00"
"\x58\x00\x35\x00\x30\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00"
"\x04\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00";
If the equipment ID value is valid, the PC responds with x12345678; if it is not, the response is x03. Because the response is static, it is trivial to brute force a valid equipment ID value. This matters because if the value in packet1 is changed to x00000001 and sent with the correct corresponding PID, a prompt appears on the PC asking for a PIN value (figure 1). If the target enters a password, it is passed back to the remote requesting client. If a value other than x01 is sent in packet1, that value is XORed with the response to pseudo-'encrypt' the password. This information-gathering method works over a network, including the Internet. From a quick nmap scan, we found roughly 10 computers with this port open per 50 class C subnets.
Figure 1: Active Sync Password Dialog
Finally, we discovered that if numerous attempts were made to initialize with a PC running Active Sync, after about four attempts the Active Sync process freezes. In addition, if a user attempts to sync while a brute force equipment ID attempt is underway, the sync will usually fail.
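As an added, defender-side example (not part of the Airscanner advisory), the following Python parses the three-packet client handshake laid out above from a captured byte stream and flags two things the advisory describes: a packet1 value of x00000001 (the PIN-prompt request) and a source that cycles through many equipment IDs (brute forcing, which also freezes Active Sync after about four attempts). The sample capture is constructed in the block with consistent sizes and string offsets; the unknown second dword and the trailing dwords are copied or omitted as unexplained values, and no network traffic is generated.

```python
import struct
from collections import defaultdict

PIN_PROMPT_FLAG = 0x00000001  # packet1 value that makes the PC show the PIN dialog

def sample_capture(flag, equip_id, names=("Pocket_PC1", "PocketPC", "SSDK", "Dell Axim X50")):
    """Constructed test fixture (not captured traffic): the three client packets
    laid out as in the advisory, with consistent sizes and string offsets."""
    hdr = struct.pack("<6I", 0x28, 0x04401504, 0x0a11, 5, equip_id, 0)
    enc = [n.encode("utf-16-le") + b"\x00\x00" for n in names]
    offs, pos = [], 0x28                      # strings start right after 10 dwords
    for e in enc:
        offs.append(pos)
        pos += len(e)
    packet3 = hdr + struct.pack("<4I", *offs) + b"".join(enc)
    return struct.pack("<II", flag, len(packet3)) + packet3   # packet1 + packet2 + packet3

def parse_handshake(stream):
    """Pull the fields the advisory discusses out of a client-to-PC byte stream
    seen on TCP port 5679; raises ValueError on a truncated capture."""
    if len(stream) < 8:
        raise ValueError("no packet1/packet2")
    flag, size = struct.unpack_from("<II", stream, 0)
    body = stream[8:8 + size]
    if len(body) != size or size < 40:
        raise ValueError("truncated packet3")
    equip_id = struct.unpack_from("<I", body, 16)[0]      # 5th dword: equipment ID
    names = []
    for off in struct.unpack_from("<4I", body, 24):       # four string offsets
        end = off
        while end + 1 < len(body) and body[end:end + 2] != b"\x00\x00":
            end += 2                                      # walk UTF-16LE code units
        names.append(body[off:end].decode("utf-16-le", errors="replace"))
    return {"pin_prompt": flag == PIN_PROMPT_FLAG, "equip_id": equip_id, "names": names}

def guessing_sources(records, max_ids=3):
    """records: (src_ip, equip_id) pairs from handshakes seen on port 5679.
    A source cycling through more than max_ids distinct equipment IDs is
    guessing; the advisory notes about four attempts also freeze Active Sync."""
    seen = defaultdict(set)
    for src, eid in records:
        seen[src].add(eid)
    return sorted(src for src, ids in seen.items() if len(ids) > max_ids)

if __name__ == "__main__":
    cap = sample_capture(PIN_PROMPT_FLAG, 0x466d2959)
    print(parse_handshake(cap))
    print(guessing_sources([("10.0.0.5", i) for i in range(5)] + [("10.0.0.9", 7)]))
```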
Workaround:
Block Internet and LAN access to port 5679 using a firewall until this issue is patched.
Vendor Response:
Awaiting response.

Related

PC<->PPC application comms concurrently with GPRS conn

Hi,
I am trying to develop an application with both PC and Pocket PC components.
The PC and PPC need to exchange data whilst the PPC (eg XDA) has an active GPRS connection.
I first tried using eVC and RAPI to allow the PC and PPC components to talk to each other. However, RAPI relies on ActiveSync and it seems you can't have an ActiveSync connection to the PC (e.g. over USB) at the same time as a GPRS connection.
So
1) Am I right that ActiveSync at the same time as GPRS is impossible? (And hence RAPI...)
2) What is the easiest way to do PC<->PPC comms without ActiveSync, on the widest variety of PPC devices?
3) Is there a way to do this without writing PC and PPC sides for all of
i) Bluetooth
ii) USB
iii) Serial
It seems like a lot of hard work to reimplement all these, but some models have BT, some only USB, etc.
Any help appreciated...
Regards,
Giles.
Hey,
I'm also trying to write some client -> server software for my MDA/PC. I've managed to narrow it down to two technologies (excluding ActiveSync because it needs to be portable):
- Web Services
- Client Server Model (TcpClient and TcpListener)
Web services are good as they will run on any net connection with port 80 open, pretty fast and versatile, but have some bad flaws. You need some back end data store (like a MySQL database) as data is not persistent on them... also you cannot "push" from the server to the device (this may or may not be an issue).
The TcpClient model is starting to appeal to me in a number of ways. You can define your own light-weight protocol (SOAP has a nasty habit of bulking the objects out, and GPRS costs!)... I started to write some little test apps and so far it's looking good. I've written a very tiny server that runs on Windows and has a thin client running a threaded TcpListener and a MySQL backend datastore. The test mobile simply constructs a TcpClient object and writes a string "hello world" to the port, which the server picks up and displays in a messagebox... so far this concept is working really well, and I have more control over the serialisation and communication of the objects and types.
I hope I've helped you in some way hehe
Will

Activesync Support Code : 80072efd Easy Fix

First post, and I just wanted to help.
I finally found the solution to an ongoing issue on my machine:
"The server could not be reached. This can be caused by temporary network conditions. Support Code:80072efd"
I have a T-Mobile MDA with K-AM_WWE_216901_2169101_020710_ship ROM installed and a Windows XP SP2 machine; I also have an Exchange server SP2. I have been testing this phone big-time to roll out for numerous clients.
The problem came in after I had push mail working and went to sync locally over USB or Bluetooth. ActiveSync 4.1 would give me the error.
The solution was as follows for me:
My MX record points to mail.domain.com but my server name is server.domain.com, so I entered an "A" record in DNS on my DNS server named mail to point at the local IP address.
All was solved.
I also ran into a problem on push mail early on where it would sync once and then not again; the fix was just as easy: in the default web page I turned on "enable keep alives" and changed the timeout to 1800 seconds.
I hope this helps.
ActiveSync version 4.2 made a change to how it interacts with the Windows networking stack to use Layered Service Providers (LSPs) on outgoing Desktop-Pass-Through connections. This allows for improved compatibility & policy compliance in environments where connections to the internet must be passed through these LSPs (ISA Proxy is one such example).
Unfortunately, it appears this change has caused some issues for a small segment of users who have LSPs that interfere with ActiveSync communication.
There is a registry key which can be created to essentially remove this change & revert to ActiveSync 4.1 behaviour. This key is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
"AllowLSP"=dword:0
This posting is provided "AS IS" with no warranties, and confers no rights.
Original post: http://blogs.msdn.com/jasonlan/archive/2006/07/07/659348.aspx
Thanks win_user
win_user's post was instant fix. Been looking for this for a while. Thanks
I still have the same problem. Do I have to create the REG_WORD key as binary, decimal or hexadecimal?
You need to create it as a DWORD key; in both number systems the value is the same, "0".
Thanks to win_user--solved the problem perfectly.
http://www.pocketpcfaq.com/faqs/activesync/exchange_errors.php

Terminal service client : how to ?

Check my device below.
My desktop PC is Windows Professional 2003 SP4
I have zone alarm security suite. I can turn zone alarm off while testing.
1) How do I determine the IP address of my desktop PC?
2) How do I determine the IP address of my PPC?
3) How do I set up my desktop PC operating system to receive a PPC ping and remote control from the PPC?
So how do I get this "Terminal service client" working?
Is my data access safe?
Mmm, you have Windows 2000 SP4 or Windows 2003 SP2? Which one is it? (Doesn't matter.)
First: Remote Desktop uses port 3389 and the Pocket PC client can't handle any other port. So if you are behind a firewall or router, let this port have access! (Use a static IP for your PC if you use port forwarding on a router.)
Go to www.whatismyip.com and the number you see there is your IP. (If you use it a lot, make a free dyndns.org account; you can make your own domain name like nick.mine.nu instead of xxx.xxx.xxx.xxx.)
Go to your Windows server's account management and make your user active in the group Remote Desktop (or something similar).
That would be all. Just give a user access rights on a Windows PC, and make sure the port forwarding and firewall are configured OK.
If any more questions, buy a book: Windows for Dummies.
..."Go to your Windows server's account management and make your user active in the group Remote Desktop (or something similar)"...
Is this the PPC owner's name, as the user in Windows 2000 Prof SP4 for remote access?
In Windows 2000, do I "make a new connection" and select "accept incoming connections", or do I "connect to a private network through the internet" (VPN)...?
Are there any web pages on this? I have been googling for a while.

Attachments from Outlook 2003 do not show up in WM6 Outlook

Been playing with a couple of T-Mobile Wing devices for evaluation as an offered product for our corporate customers...
My team has found a few flaws right out of the box everyone should be aware of:
1. Attachments sent from Outlook 2003 to a POP email account accessed by the Wing will not show up on the wing unless the user who created the message and the attachment selects "Plain Text" in Outlook. Very annoying for all Outlook based companies.
2. File Explorer will not connect to any network resource via Wi-Fi even if the user puts in an explicit IP address and share name as follows: \\10.0.0.7\SharedDrive
Permissions on the shared folder do need to be set to Everyone and Full Access if the device accessing the share is not a domain user. Nonetheless, the Wing will respond with "The network path cannot be found" despite being pingable from the device hosting the share.
3. Synchronizing contacts and email to Outlook via ActiveSync and a USB cable has been quite reliable with no observed limitations; however, synchronizing a calendar for 3 months forward & back is simply not possible. It'll hang ActiveSync (wcescomm) on the host PC every time, even with as few as 20 calendar entries in Outlook behind and ahead of the current date. This was tested very thoroughly on Windows XP, 2000 Pro and Vista with multiple Wing devices as it was a deal killer for our customers.
So far we're holding off on allowing these or recommending these to our users. We still recommend the XDA IIs for people that really need this type of functionality.

Activesync autoconfiguration for Exchange?

When you are setting up a new server source in AS, it has some options for doing things automatically (I assume based on our email domain name). This has never worked for me (I am the sys admin for our Windows network). Do I have to be running Exch2007 to get this functionality, or is it some sort of DNS issue that is making this fail? The front-end server that we use is not mail.domain.com; we use webmail.domain.com.
Any thoughts are appreciated. We are going to be allowing our users to bring their own service and devices to our cell phone mix, and I want to make connecting with WM devices as easy as possible. I'm trying to reduce the number of blackberry devices we use.
Thanks!
Brandon
Microsoft Exchange 2007 Autodiscovery
Autodiscovery allows a user to enter their email address and password into Outlook 2007 or Windows Mobile 6 Pocket Outlook to have their profile or activesync relationship automatically configured to access an Exchange 2007 server.
In short, you add a DNS record for the host "autodiscover" in the domain you want to use Autodiscovery in. If you want it to work internally just add it to your company's DNS server. If you want it to work externally you have to add it to your external DNS server.
One important note is that you must have a multi-domain SSL certificate from a known public provider. This is because you need 4 hosts on the certificate (2 domains with 2 hosts each). I purchased a multi-domain certificate from GoDaddy.com for $58 for 1 year.
Search keywords: +Exchange +2007 +Autodiscover
