Careful when you sync your mobile handset with your PC: Researchers have found a way to hack their way into a PC that runs Microsoft's ActiveSync 4.0.
White Wolf Security has released proof-of-concept code called ActiveSink that demonstrates how an attacker could use ActiveSync 4.0 to hack into a PC via an attached Windows Mobile device. The vulnerability is that all an attacker needs to do is plug a Windows Mobile device into a PC with ActiveSync installed -- in its default mode -- and the mobile device will establish a direct TCP/IP connection to the host PC. This happens whether or not the user's account is locked, says Seth Fogie, chief security officer at White Wolf Security and vice president of Airscanner Corp. Once the connection is established, then it is a matter of penetration testing and exploitation.
Fogie says it's basically yet another method of bypassing a firewall. He contacted Microsoft about the vulnerability over a month ago, and was told someone would get back to him, but so far, no word.
At the heart of the problem is the so-called Remote Network Driver Interface Specification (RNDIS) Microsoft added to version 4.0 of the syncing application, which basically opens the door for an attacker, according to White Wolf's research.
Fogie describes ActiveSink this way: It creates a user account on the targeted system and establishes a reverse shell on it and back to the Windows Mobile device. The attacker would plug his Windows Mobile device into the targeted system and tuck it behind it, Fogie says, and use tools like Metasploit or Wireshark to hack into the machine wirelessly via the mobile device. Once it found the vulnerable elements, it could then exploit them or add a new account on the victim's PC to access data on the machine, he says.
This isn't the first sync vulnerability discovered, but previous ones mostly have been man-in-the-middle or spoofing attacks, Fogie says. This one just goes after ActiveSync 4.0's operations. It only takes one vulnerable PC to actively sink your network's security even if that PC is kept offline and/or behind a corporate firewall, he wrote in a recent report.
Kelly Jackson Higgins, Senior Editor, Dark Reading