This vulnerability was reported by Natalia Melnikova
(Hataha at yandex.ru)
Vulnerability: Microsoft ActiveSync information leak and spoofing
Software: Active Sync 3.8
Author: Natalia Melnikova
Related Russian article:
"Microsoft ActiveSync (In)Security"
Microsoft ActiveSync clear text password
Microsoft ActiveSync is widely used to synchronize Windows-based PDAs
and smartphones with a desktop computer. A PDA can connect to the PC via
COM/USB/IR or LAN. Before synchronization, the user on the PC must set up a
"partnership" to allow synchronization. If the PDA is protected with a
password, the user on the PC should provide the password before he can access the
Synchronization over LAN has some design weaknesses.
1. All data, including the initial "authentication", is transmitted in clear
text. This is OK in the case of COM/USB and other physically protected
communication, but LAN (Wi-Fi in most cases) is very sensitive for
2. Even if the PDA is password protected, ActiveSync doesn't ask for the password in
case of network synchronization. I'm not sure whether it is a security bug
or a feature, because the password is transmitted in clear text over USB.
3. ActiveSync doesn't use any form of authentication for the server (PC) or
client (PDA), so a fake server or fake client attack is possible.
Discover Activesync with LAN synchronization allowed
nmap -p 5679 192.168.0.*
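As an added example (not from the advisory): a small audit over constructed connection-log lines that flags ActiveSync sessions on TCP 5679 which cross the Wi-Fi segment (clear-text exposure, weakness 1) or go to a PC other than the PDA's known partner (a sign of a spoofed server, weakness 3). The log format, the partnership inventory and the subnet are assumptions.

```python
import ipaddress

ACTIVESYNC_PORT = 5679  # port the advisory identifies for LAN synchronization

# Constructed sample log, one connection per line: "src dst dport proto"
# (hypothetical format, not a real product's log).
SAMPLE_LOG = """\
192.168.0.50 192.168.0.10 5679 tcp
192.168.0.50 192.168.0.77 5679 tcp
192.168.0.51 192.168.0.10 445 tcp
10.0.0.5 192.168.0.10 5679 tcp
"""

# Assumed inventory: which desktop(s) each PDA has a partnership with.
PARTNERSHIPS = {"192.168.0.50": {"192.168.0.10"}}
# Assumed Wi-Fi segment: any sync session originating here is in clear text.
WIFI_NET = ipaddress.ip_network("192.168.0.0/24")


def parse_line(line):
    """Split one constructed log line into (src, dst, dport, proto)."""
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto


def audit(log_text, partnerships=PARTNERSHIPS, wifi_net=WIFI_NET):
    """Return (finding, src, dst) tuples for suspicious ActiveSync sessions."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, proto = parse_line(line)
        if proto != "tcp" or dport != ACTIVESYNC_PORT:
            continue  # not an ActiveSync LAN session
        if ipaddress.ip_address(src) in wifi_net:
            findings.append(("cleartext-sync-over-wifi", src, dst))
        allowed = partnerships.get(src)
        if allowed is None:
            findings.append(("unknown-pda", src, dst))
        elif dst not in allowed:
            # PDA is syncing with a PC it has no partnership with
            findings.append(("unexpected-sync-server", src, dst))
    return findings
```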
It is easy to build a fake server attack without special software. All you
need are ActiveSync, a sniffer and any MitM condition.
1. Install ActiveSync on the fake server. Enable network synchronization.
2. Realize the MitM condition.
3. Launch your favorite sniffer and set a filter to save TCP packets on port 5679.
4. Wait for the PDA connection.
5. Open the sniffer and check the second data packet from the PDA. At offsets 0x14 and 0x18 you can see the partnership IDs. ActiveSync can support up to 2 PCs and, as you can see, the PDA sends both IDs in the "handshake".
6. Import the template into the registry. Change the key HKEY_CURRENT_USER\Software\Microsoft\Windows CE Services\Partners\