Title: "Remote Denial of service against Microsoft ActiveSync Service 3.1"
(Official Advisory 2001-01)

Severity: Low.

So, what is ActiveSync?
- ActiveSync is a data synchronisation program for Windows CE devices (i.e. PocketPC).

Affected Systems?
- Any system running/interfacing with ActiveSync 3.1.

Impact?
Communications disruption, until restart of the program.
- The ActiveSync program crashes due to improper string parsing. Any data up to and including 7 bytes is successfully processed (i.e. typing), but 8 bytes and above crashes the app. Even a remote attack is possible, since it listens on all interfaces (Why?)

(Is it so hard to get a fixed number of bytes from a socket and discard the rest? Apparently...)

Exploit?
1. Copy 8 (any) characters to the clipboard, i.e. "GARBAGE!"
2. Start telnet.exe, connect to port 5679
3. PASTE text using the menu in telnet (Edit/Paste)
4. Now, try to reconnect.
5. [Bzzzzzzzp!] Won't work!

...or use the proof of concept tool here.

Solution?
For now: Just exit Windows (logout) and login again and it will resume serving. Ask MS for a fix; I didn't notify them, it's not a critical piece of software.

Status?
Well, it's not fixed right now. It's not the end of the world, since ActiveSync isn't THAT widely used + the system remains unaffected + it's only serving one user at a time.

Time?
Research: 30 min, Writeup: 30 min == 1 hour.

(To Microsoft: Please rename "your" Urlscan to something else. How would you feel if I wrote a firewall and named it ISA Server?)

(C) 2001 Ichinin{at}suespammers{dot}org - May be redistributed if unaltered.
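
The advisory notes that the service listens on all interfaces on port 5679. The following is an added example, not part of the original advisory: a Python check that reads saved `netstat -an` output and reports where that port is reachable from off the host. The sample text is constructed, and the function names are hypothetical.

```python
import ipaddress

ACTIVESYNC_PORT = 5679  # port named in the advisory

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5679           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5679         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:5679        198.51.100.7:1045      ESTABLISHED
  TCP    [::]:5679              [::]:0                 LISTENING
  UDP    0.0.0.0:5679           *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%scope]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any scope id
    return ipaddress.ip_address(host), int(port)

def tcp_rows(netstat_text):
    """Yield (local, foreign, state) for each TCP row; skip headers and UDP."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP":
            yield fields[1], fields[2], fields[3]

def exposed_listeners(netstat_text, port=ACTIVESYNC_PORT):
    """Local endpoints listening on `port` on a non-loopback address."""
    found = []
    for local, _, state in tcp_rows(netstat_text):
        addr, local_port = split_endpoint(local)
        if state == "LISTENING" and local_port == port and not addr.is_loopback:
            found.append(local)
    return found

def remote_peers(netstat_text, port=ACTIVESYNC_PORT):
    """Foreign endpoints with an established session to `port` from off-host."""
    found = []
    for local, foreign, state in tcp_rows(netstat_text):
        if state == "ESTABLISHED" and split_endpoint(local)[1] == port:
            if not split_endpoint(foreign)[0].is_loopback:
                found.append(foreign)
    return found

if __name__ == "__main__":
    print("exposed listeners:", exposed_listeners(SAMPLE_NETSTAT))
    print("remote peers:", remote_peers(SAMPLE_NETSTAT))
```

Any entry in the first list means the port is reachable from other hosts, so filtering it at the host or network boundary limits who can trigger the crash.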