SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Microsoft ActiveSync Vendors:   Microsoft
(Microsoft Makes Interim Response) Re: Microsoft ActiveSync Software for Portable Computing Devices Allows Portable Devices to Access Files on a Locked Server
SecurityTracker Alert ID:  1001333
SecurityTracker URL:  http://securitytracker.com/id/1001333
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 17 2001
Impact:   Disclosure of user information

Version(s): 3.1
Description:   It is reported that Microsoft's ActiveSync allows users with portable computing devices to access files on the host when the host has been locked.

Microsoft makes the following notes in a letter addressed to the original author requesting details on the vulnerability:

"1. The desktop will only synchronize with a Pocket PC if a
partnership has previously been created, and a partnership can only
be created from the desktop side -- one can't be created by a Pocket
PC.

2. If a PIN has been selected for the Pocket PC, an attacker would be
unable to obtain any information from the device, regardless of
whether it had been synchronized.

3. Even if an attacker obtained a Pocket PC for which a partnership
already had been created, and knew the PIN for the device, he or she
could only use it to obtain information from the desktop if
ActiveSync had been configured to automatically synchronize anytime a
device is connected."

Impact:   A local user with an appropriate portable computing device can sync with the Windows host and obtain files when the host is locked.
Solution:   No solution was available at the time of this entry. However, please read the description for some information from the vendor.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Apr 17 2001 Microsoft ActiveSync Software for Portable Computing Devices Allows Portable Devices to Access Files on a Locked Server



 Source Message Contents

Subject:  Re: ActiveSync can access a locked workstation w/o unlocking


Hi Jeff,

We've checked our records, but are unable to find any record of a
mail from you to the Security Response Center.  If you did indeed
send to secure@microsoft.com, could you send us a copy of the mail to
assist us in troubleshooting?

In regards to the behavior you described, there are three points that
are particularly important to keep in mind:

1. The desktop will only synchronize with a Pocket PC if a
partnership has previously been created, and a partnership can only
be created from the desktop side -- one can't be created by a Pocket
PC.

2. If a PIN has been selected for the Pocket PC, an attacker would be
unable to obtain any information from the device, regardless of
whether it had been synchronized. 

3. Even if an attacker obtained a Pocket PC for which a partnership
already had been created, and knew the PIN for the device, he or she
could only use it to obtain information from the desktop if
ActiveSync had been configured to automatically synchronize anytime a
device is connected.  

We'd like to make sure we've investigated the report fully.  If you
have seen cases outside of the above parameters, please let us know
immediately and we'll begin an investigation.  

Best regards,
Alex Uy
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: Jeff.Samples [mailto:Jeff.Samples@TERRADON.COM] 
Sent: Monday, April 16, 2001 5:06 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ActiveSync can access a locked workstation w/o unlocking


Microsoft was notified on 3/28/2001, you may use my name when
publishing this. I cannot register on your site, so I am trying the
general e-mail addresses.

Platforms tested:
===================================================
Microsoft Windows 2000 Professional (build 2195) w/ SP1
Microsoft ActiveSync 3.1 (tested using HP Jornada 540 Series running Windows
PocketPC (CE v 3.0.948 Build 9357))

Issue:
===================================================
MS ActiveSync can access files (Outlook appts, contacts, synced
files, etc.) from a Win2K workstation even though the workstation has
been locked.  By simply dropping the HP into the dock, or hooking it
up to the COM port (depending on which sync method is configured), it
will sync and download data from a "locked" workstation. Yikes!

Jeffrey A. Samples,
Vice President, Product Development
TERRADON Communications Group
<http://www.terradoncommunications.com/>
ph. - 304.755.1324
fx. - 304.755.8274

