[20247] in bugtraq
Re: ActiveSync can access a locked workstation w/o unlocking
daemon@ATHENA.MIT.EDU (Melody Yoon - KF6RMW)
Tue Apr 17 02:58:10 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.21.0104161348130.437-100000@shell4.ba.best.com>
Date: Mon, 16 Apr 2001 13:51:35 -0700
Reply-To: Melody Yoon - KF6RMW <melodyy@BEST.COM>
From: Melody Yoon - KF6RMW <melodyy@BEST.COM>
X-To: "Jeff.Samples" <Jeff.Samples@TERRADON.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <C9E878EC530BD4118AE60050DAB6B73220DBA1@v_king.kanawhastone.com>
Actually, did you attempt to do this with a device that doesn't have a
partnership with the desktop computer already? I just attempted to try to
sync with my ipaq using active sync with the cradle and activesync
attached, but did not do anything else since the screen "do you want to
set up a partnership" was shown on the screen once I unlocked. No data
access was possible.
I think this in itself is not a direct security issue unless the WinCE
device was stolen, or whathaveyou. My understanding of why activesync
works with this behavior is to also allow network synchronization while
the workstation is locked.
Mel
(I've included the original email for clarity reasons)
On Mon, 16 Apr 2001, Jeff.Samples wrote:
> Microsoft was notified on 3/28/2001, you may use my name when publishing
> this. I cannot register on your site, so I am trying the general e-mail
> addresses.
>
> Platforms tested:
> ===================================================
> Microsoft Windows 2000 Professional (build 2195) w/ SP1
> Microsoft ActiveSync 3.1 (tested using HP Jornada 540 Series running Windows
> PocketPC (CE v 3.0.948 Build 9357)
>
> Issue:
> ===================================================
> MS ActiveSync can access files (Outlook appts, contacts, synced files, etc)
> from a Win2K workstation even though the workstation has been locked. By
> simply dropping the HP into the dock, or hooking it up to the COM
> port(depending on which sync method is configured), it will sync and
> download data from a "locked" workstation. Yikes!
Melody Lynn Yoon melodyy+KF6RMW@best.com |Graduate '97 MSF
Unix Systems Administrator - MSN Hotmail - melody@hotmail.com |NRA Member
California OES CERT Member and American Red Cross Emergency Communication Team
- I do not accept commercial, unsolicited email | kf6rmw@w6yx.#nca.ca.usa.noam
- http://www.best.com/~melodyy/spam.policy.html | KF6RMW - Amateur Radio
