Metric | CVSS2 | CVSS3 |
---|---|---|
Score | 9.3 High | 8.1 High |
Attack Vector | NETWORK | NETWORK |
Attack Complexity | MEDIUM | HIGH |
Authentication / Privileges Required | NONE | NONE |
User Interaction | n/a | NONE |
Scope | n/a | UNCHANGED |
Confidentiality Impact | COMPLETE | HIGH |
Integrity Impact | COMPLETE | HIGH |
Availability Impact | COMPLETE | HIGH |
Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS: 0.012 (Low), percentile 85.1%
Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges.
CWE-494: Download of Code Without Integrity Check - CVE-2016-6564
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.
Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit.
This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel.
The binary has been shown to communicate with three hosts via HTTP:
* `oyag[.]lhzbdvm[.]com`
* `oyag[.]prugskh[.]net`
* `oyag[.]prugskh[.]com`
Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations.
Example of a request sent by the client binary:

```http
POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1.1
Host: 114.80.68.223
Connection: Close
```
An example response from the server could be:

```http
HTTP/1.1 200 OK

{"code": "01", "name": "push_commands", "details": {"server_id": "1",
"title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}
```
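As an added illustration (not code from the note, from Ragentek or from the reporters), the following Python parses a check-in and a `push_commands` reply of the shape shown above and lists what a network defender can observe on the wire: a cleartext agent registration and a 200 response that carries a shell command with no integrity protection. The IMEI value, the `Host` header and the body layout are constructed sample data.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Constructed samples modelled on the exchange quoted in the note (not real captures).
SAMPLE_REQUEST = (
    'POST /pagt/agent?data={"name":"c_regist","details":{"imei":"000000000000000"}} HTTP/1.1\r\n'
    "Host: 114.80.68.223\r\n"
    "Connection: Close\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    '{"code": "01", "name": "push_commands", "details": {"server_id": "1", '
    '"title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}'
)


def parse_request(raw):
    """Return (method, path, host, data) where data is the JSON carried in ?data=."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    parts = urlsplit(target)
    match = re.match(r"data=(.*)", unquote(parts.query))
    data = json.loads(match.group(1)) if match else None
    return method, parts.path, headers.get("Host"), data


def parse_response(raw):
    """Return (status_code, body_json) from a raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split("\r\n")[0].split(" ")[1])
    return status, json.loads(body)


def assess(req_raw, resp_raw):
    """Flag the indicators of this OTA channel that are visible in plaintext traffic."""
    findings = []
    _method, path, host, data = parse_request(req_raw)
    if path == "/pagt/agent" and isinstance(data, dict):
        findings.append(f"cleartext agent check-in '{data.get('name')}' to host {host}")
    status, body = parse_response(resp_raw)
    if status == 200 and body.get("name") == "push_commands":
        # The body carries a command to run as root and nothing a client could verify it with.
        cmd = body.get("details", {}).get("commands")
        findings.append(f"push_commands response carrying unauthenticated shell command: {cmd!r}")
    return findings
```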
This binary is reported to be present in the following devices:
* BLU Studio G
* BLU Studio G Plus
* BLU Studio 6.0 HD
* BLU Studio X
* BLU Studio X Plus
* BLU Studio C HD
* Infinix Hot X507
* Infinix Hot 2 X510
* Infinix Zero X506
* Infinix Zero 2 X509
* DOOGEE Voyager 2 DG310
* LEAGOO Lead 5
* LEAGOO Lead 6
* LEAGOO Lead 3i
* LEAGOO Lead 2S
* LEAGOO Alfa 6
* IKU Colorful K45i
* Beeline Pro 2
* XOLO Cube 5.0
A remote, unauthenticated attacker in a position to perform man-in-the-middle attacks can execute arbitrary commands as root.
Apply an update
The reporter indicates that BLU has provided an update, which is intended to address the vulnerability. Please see the vendor status page for more details.
For other devices, please check with your device vendor for updates. If you are unable to apply an update, see the following workarounds:
Avoid use of untrusted networks
Use your device on trusted networks only, and avoid untrusted networks such as open or public Wi-Fi.
VU#624539
Updated: November 11, 2016
Affected
We have not received a statement from the vendor.
To check the software version of the BLU devices below, users need to go to Settings > About device > Build Number and look for the respective build numbers.

* BLU Studio G D790: BLU_D790U_V27_GENERIC, BLU_D790L_V27_GENERIC, BLU_D790U_V27_GENERIC_O, BLU_D790L_V27_GENERIC_O
* BLU Studio X D750: BLU_D750U_V10_GENERIC, BLU_D750L_V10_GENERIC, BLU_D750U_V10_GENERIC_O, BLU_D750L_V10_GENERIC_O
* BLU Studio X D770: BLU_D770U_V12_GENERIC, BLU_D770L_V12_GENERIC, BLU_D770U_V12_GENERIC_O, BLU_D770L_V12_GENERIC_O
None
There are no additional comments at this time.
Vendor | Status | Updated | Statement |
---|---|---|---|
(name missing) | Affected | November 11, 2016 | We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability. |
(name missing) | Affected | November 11, 2016 | We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability. |
(name missing) | Unknown | November 11, 2016 | We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability. |
(name missing) | Unknown | November 11, 2016 | We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability. |
(name missing) | Unknown | November 11, 2016 | We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability. |
(name missing) | Unknown | November 11, 2016 | We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability. |
(name missing) | Unknown | November 11, 2016 | We have not received a statement from the vendor. We are not aware of further vendor information regarding this vulnerability. |
Group | Score | Vector |
---|---|---|
Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Temporal | 8.4 | E:POC/RL:ND/RC:C |
Environmental | 6.3 | CDP:N/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Dan Dahlberg and Tiago Pereira of BitSight Technologies and Anubis Networks for reporting this vulnerability.
This document was written by Trent Novelly.
CVE IDs: | CVE-2016-6564 |
---|---|
Date Public: | 2016-11-11 |
Date First Published: | |