RNDIS exploit in ActiveSync provides command line access to PCs


Ruh-roh, Shaggy. From the clues provided, it looks like having ActiveSync installed on your Windows XP machine is a crime, unless you like leaving your computer open to be exploited, that is. Apparently, the addition of RNDIS (Remote Network Driver Interface Specification) in ActiveSync 4.x was meant to be used only for good: it allows you to sync data through IP packets over USB, for example. That's good. Turns out that RNDIS can be used for bad, bad, bad things too. White Wolf Security was able to exploit the use of RNDIS to gain control of a Windows XP computer with their own Windows Mobile device. In fact, the user could have logged out or locked the PC, but it wouldn't matter as long as ActiveSync is installed. They created a proof-of-concept application appropriately named ActiveSinc and… well, you be the judge. I sure wouldn't want anyone to have command line access to my desktop or notebook through their Windows Mobile device. I'll stick with over-the-air synchronization, thank you.



The exploit is explained in a bit more detail at the tool writer's homepage. He captured a network attack and replayed it across the network using the ActiveSync exploit. So this specific exploit works because he captured a DCOM attack to replay. But really, any network attack that you could capture to replay against the target should potentially work.
At least, that's the way it looked to me.


This is Windoze; what do you expect? The most hacker-friendly OS in the history of computing.
If security is a big issue for a customer, I would suggest looking into a Unix/Linux OS. There is a reason why Microsoft has re-written their TCP/IP stack at least 5 TIMES from the ground up, and they still haven't got it right. LOL


So, basically, same status as always… if you’re not installing Windows Updates on a monthly basis, you’re probably an idiot?


I followed the link, and towards the bottom it says:
The specific ActiveSinc exploit apparently requires copies of Windows XP that have not been patched to eliminate the DCOM vulnerability in order to operate. For more information on the operating system patch, which was first released in July 2003, see Microsoft's website.

Wow! Not patched since July 2003? Is this really an exploit or just a publicity stunt?
