Windows Mobile devices can be used as a tool for hacking into Windows XP computers, a security researcher has warned. Via ActiveSync 4.x, an attacker can take control of an otherwise-secure desktop computer, claims Seth Fogie, chief security officer at White Wolf Security.
According to an article published by Fogie, along with "proof of concept" code called ActiveSink, a hacker can walk up to a Windows XP PC with ActiveSync 4.x installed, plug in a Windows Mobile device, and have direct TCP/IP access to the computer. This works even if the computer is locked or logged out, he adds.
Such attacks are possible because of a communication component called RNDIS (remote network driver interface specification), introduced with ActiveSync 4.x, says Fogie. The RNDIS component gives ActiveSync the ability to transfer its syncing related data via IP packets within the USB connection, he adds.
"The problem is that in order for the ActiveSync operation to perform authentication of the session, the RNDIS connection must first establish an IP connection," he writes. "Once the IP addresses are assigned and TCP/IP data can flow, the syncing process starts. In other words, a Windows Mobile device connected to a system with ActiveSync 4.x running will have direct TCP/IP access through an uncontrolled and unprotected network interface."
Fogie claims that since this is a driver-level activity, the targeted PC does not need to be running a logged-in session for the IP connection to be created. An attacker will have access to all services that are set up to run on all interfaces, such as ports 25, 80, 110, 135, 137, 139, 445, and numerous others that have nothing to do with ActiveSync, he adds.
ActiveSink can attack a Windows XP PC (left) and obtain a command prompt on the system (right) (Click either image to enlarge)
Using the Metasploit "penetration testing framework," the Wireshark sniffing tool, and the troubleshooting tool Netcat, Fogie reportedly found a way to trigger the DCOM vulnerability. He then created a proof-of-concept application, ActiveSink (shown above left), capable of launching the attack automatically. When the attack has been successfully completed, the Windows XP command prompt is usable from the PDA (above right).
"ActiveSink" launching an attack on a Windows XP desktop PC Source: White Wolf Security (click to play)
Further information
The specific ActiveSink exploit apparently requires copies of Windows XP that have not been patched to eliminate the DCOM vulnerability in order to operate. For more information on the operating system patch, which was first released in July 2003, see Microsoft's website, see here.
To read Seth Fogie's article, "Exploiting systems through ActiveSync," see the InformIT website, here. To download the ActiveSink proof-of-concept code, the required copy of Netcat for Windows Mobile, and other background information, see the Wolf Security Systems website, here.
