Researchers release proof-of-concept for attack on Windows' ActiveSync 4.0

Dark Reading Staff, Dark Reading

September 30, 2008


Careful when you sync your mobile handset with your PC: Researchers have found a way to hack their way into a PC that runs Microsoft’s ActiveSync 4.0.

White Wolf Security has released proof-of-concept code called ActiveSink that demonstrates how an attacker could use ActiveSync 4.0 to hack into a PC via an attached Windows Mobile device. “The vulnerability is that all an attacker needs to do is plug in a Windows Mobile device to a PC with ActiveSync installed -- in its default mode -- and the mobile device will establish a direct TCP/IP connection to the host PC. This happens whether or not the user's account is locked,” says Seth Fogie, chief security officer at White Wolf Security and vice president of Airscanner Corp. “Once the connection is established, then it is a matter of penetration testing and exploitation.”

Fogie says it’s basically yet another method of bypassing a firewall. He contacted Microsoft about the vulnerability more than a month ago and was told someone would get back to him, but so far, no word.

At the heart of the problem is the Remote Network Driver Interface Specification (RNDIS) that Microsoft added to version 4.0 of the syncing application, which basically opens the door for an attacker, according to White Wolf’s research.

Fogie describes ActiveSink this way: It creates a user account on the targeted system and establishes a “reverse shell” from that system back to the Windows Mobile device. The attacker would plug his Windows Mobile device into the targeted system and “tuck it behind” the machine, Fogie says, and use tools like Metasploit or Wireshark to hack into the machine wirelessly via the mobile device. Once it found the vulnerable elements, it could then exploit them or add a new account on the victim’s PC to access data on the machine, he says.

This isn’t the first sync vulnerability discovered, but previous ones mostly have been man-in-the-middle or spoofing attacks, Fogie says. This one just goes after ActiveSync 4.0’s operations. “It only takes one vulnerable PC to actively sink your network's security — even if that PC is kept offline and/or behind a corporate firewall,” he wrote in a recent report.
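The exposure described above can be audited from the defender's side. The following is an added example, not code from White Wolf Security or from the original article: it takes a host's adapter list and listening TCP sockets and reports which listeners are bound where a device on an RNDIS link could reach them. The inventory data, the adapter description strings used for matching, and all addresses and process names are constructed assumptions.

```python
import ipaddress

# Constructed inventory for one host (not real tool output). The adapter
# descriptions, addresses and process names are assumptions for illustration.
ADAPTERS = [
    {"name": "Local Area Connection", "description": "Example Gigabit NIC", "cidr": "10.20.30.41/24"},
    {"name": "Local Area Connection 3", "description": "Example Mobile Device (Remote NDIS)", "cidr": "169.254.2.2/24"},
]
LISTENERS = [  # (local bind address, TCP port, owning process), constructed
    ("0.0.0.0", 135, "svchost.exe"),
    ("0.0.0.0", 445, "System"),
    ("10.20.30.41", 3389, "svchost.exe"),
    ("127.0.0.1", 8080, "example-agent.exe"),
    ("169.254.2.2", 5000, "example-sync.exe"),
]
RNDIS_HINTS = ("rndis", "remote ndis")  # assumed substrings identifying a USB RNDIS adapter


def rndis_interfaces(adapters):
    """Return adapters whose description suggests a device-provided RNDIS link."""
    return [a for a in adapters if any(h in a["description"].lower() for h in RNDIS_HINTS)]


def exposed_listeners(adapters, listeners):
    """Return listeners bound to the wildcard address or to an RNDIS adapter's address."""
    # Bind-level check only: a host firewall rule scoped to the RNDIS
    # interface may still filter these ports and should be verified separately.
    findings = []
    for nic in rndis_interfaces(adapters):
        nic_ip = ipaddress.ip_interface(nic["cidr"]).ip
        for addr, port, proc in listeners:
            bind = ipaddress.ip_address(addr)
            if bind.is_unspecified or bind == nic_ip:
                findings.append((nic["name"], port, proc, addr))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for nic_name, port, proc, addr in exposed_listeners(ADAPTERS, LISTENERS):
        print(f"{nic_name}: tcp/{port} ({proc}, bound to {addr}) reachable from attached device")
```

Listeners bound only to loopback or to the corporate LAN address are not reported; the wildcard binds are the ones a perimeter firewall never sees traffic for when the peer is on the USB link.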

— Kelly Jackson Higgins, Senior Editor, Dark Reading
