-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Symantec Vulnerability Research

http://www.symantec.com/research

Security Advisory

Advisory ID: SYMSA-2007-010

Advisory Title: Microsoft ActiveSync 4.x Weak Password Obfuscation

Author: Ollie Whitehouse / ollie_whitehouse (at) symantec (dot) com [email concealed]

Release Date: 15-10-2006

Application: ActiveSync 4.x

Platform: Microsoft Windows

Severity: Information Disclosure

Vendor status: Update available

CVE Number: CVE-2007-5460

Reference: http://www.securityfocus.com/bid/25976

Overview:

Microsoft ActiveSync 4.1 acts as the gateway between your Windows

powered PC and Windows Mobile powered device, enabling the transfer

of Outlook information, Office documents, pictures, music, videos and

applications from your desktop to your device.

A vulnerability has been discovered in the mechanism that Microsoft

uses to obfuscate the password when it's sent over the USB network

interface between the device and the host machine. This enables malicious

software on the host to either impersonate a device in order to obtain

the current password or, if in a position to sniff network traffic, obtain

the password for trivial decoding.

Details:

When a device is docked via USB it uses the connection like a standard

network interface. Once an IP address is obtained the device will

initially communicate via RAPI with the host on port 990/TCP. It will

go through a small handshake routine and then, if appropriate, challenge

the host for the devices PIN or Password. When the user supplies this

PIN/Password on the host it will be obfuscated via XOR with a fixed key

of E9 and then sent over the USB network connection to the device for

verification.

This process results in two vulnerabilities. Firstly, should an attacker

be in a position to sniff the host computer's network connection he will

be able to recover the PIN/Password. Secondly, an attacker can spoof the

docking process of the device in an attempt to get the user to supply

his PIN/Password.

If we take a sample packet:

0000  82 00 60 0f e8 00 80 00  60 0f e8 00 08 00 45 00   ..`..... `.....E.

0010  00 32 59 95 40 00 80 06  49 31 a9 fe 02 02 a9 fe   .2Y. (at) . (dot) . [email concealed] I1......

0020  02 01 03 de 05 d0 e8 c0  cb c0 56 2e 41 75 50 18   ........ ..V.AuP.

0030  fa 6a 91 dd 00 00 08 00  d8 e9 db e9 da e9 dd e9   .j...... ........

We can see that byte 36 is the length of the password (8 bytes) followed by

a NULL. After which is the password obfuscated with E9, this is immediately

apparent due to the use of a UNICODE string for the password so every second

byte is 0x00 XOR 0xE9 which equals 0xE9.

Vendor Response:

There is a security vulnerability that could allow for Information Disclosure.

An attacker would need to do one of two things, either tether a cable to the

USB sync cable or bind a network sniffer to the USB-RNDIS interface - requiring

administrative permissions on the workstation hosting the AS connection.

Recommendation:

Windows Mobile 5.0 Please see your handset manufacturer to obtain the update

customized for your device. This issue is fixed in Windows Mobile 6.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned

the following names to these issues.  These are candidates for

inclusion in the CVE list (http://cve.mitre.org), which standardizes

names for security problems.

CVE-2007-5460  Requested

- - -------Symantec Consulting Services Advisory Information-------

For questions about this advisory, or to report an error:

research (at) symantec (dot) com [email concealed]

For details on Symantec's Vulnerability Reporting Policy:

http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf

Consulting Services Advisory Archive:

http://www.symantec.com/research/

Symantec Vulnerability Research GPG Key:

http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc

- - -------------Symantec Product Advisory Information-------------

To Report a Security Vulnerability in a Symantec Product:

secure (at) symantec (dot) com [email concealed]

For general information on Symantec's Product Vulnerability

reporting and response:

http://www.symantec.com/security/

Symantec Product Advisory Archive:

http://www.symantec.com/avcenter/security/SymantecAdvisories.html

Symantec Product Advisory PGP Key:

http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.a
sc

- - ---------------------------------------------------------------

Copyright (c) 2007 by Symantec Corp.

Permission to redistribute this alert electronically is granted

as long as it is not edited in any way unless authorized by

Symantec Consulting Services. Reprinting the whole or part of

this alert in any medium other than electronically requires

permission from research (at) symantec (dot) com. [email concealed]

Disclaimer

The information in the advisory is believed to be accurate at the

time of publishing based on currently available information. Use

of the information constitutes acceptance for use in an AS IS

condition. There are no warranties with regard to this information.

Neither the author nor the publisher accepts any liability for any

direct, indirect, or consequential loss or damage arising from use

of, or reliance on, this information.

Symantec, Symantec products, and Symantec Consulting Services are

registered trademarks of Symantec Corp. and/or affiliated companies

in the United States and other countries. All other registered and

unregistered trademarks represented in this document are the sole

property of their respective companies/owners.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHE7Viuk7IIFI45IARAkxzAJ99akjWoHVMst4g/c8THG0b7KAfAQCgvW+3

HQclsou8+GstIMcuBfA3FGc=

=UwdB

-----END PGP SIGNATURE-----