Ragentek Android OTA update mechanism vulnerable to MITM attack

2016-11-17T00:00:00
ID VU:624539
Type cert
Reporter CERT
Modified 2016-11-17T00:00:00

Description

Overview

Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges.

Description

CWE-494: Download of Code Without Integrity Check - CVE-2016-6564

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.
Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit.

This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel.
The binary has been shown to communicate with three hosts via HTTP:

  • oyag[.]lhzbdvm[.]com
  • oyag[.]prugskh[.]net
  • oyag[.]prugskh[.]com

Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations.

Example of a request sent by the client binary:

POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1.1
Host: 114.80.68.223
Connection: Close

An example response from the server could be:

HTTP/1.1 200 OK
{"code": "01", "name": "push_commands", "details": {"server_id": "1",
"title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}
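
The following is an added example, written for this note and not taken from the advisory or from Ragentek's binary. It models the exchange above: a parser for the plaintext beacon, a classifier that recognises a push_commands reply carrying a "commands" field (the message the client runs as root), a forger showing that an on-path attacker can produce an indistinguishable reply because nothing in the protocol authenticates the server, and an audit function that turns a captured request/response pair into findings, including a match against the three hosts listed above. The sample request and response are constructed from the advisory's examples; the IMEI value, the filled-in "details" object and the Content-Type header in the forged reply are assumptions, since the advisory elides those parts.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Hosts the debugs binary is reported to contact (from the advisory).
KNOWN_C2_HOSTS = {"oyag.lhzbdvm.com", "oyag.prugskh.net", "oyag.prugskh.com"}
AGENT_PATH = "/pagt/agent"

# Constructed samples modelled on the advisory's request/response.
# The IMEI and the contents of "details" are made up; the advisory shows "{...}".
SAMPLE_REQUEST = (
    'POST /pagt/agent?data={"name":"c_regist","details":{"imei":"000000000000000"}} HTTP/1.1\r\n'
    "Host: 114.80.68.223\r\n"
    "Connection: Close\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    '{"code": "01", "name": "push_commands", "details": {"server_id": "1", '
    '"title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}'
)


def parse_http_message(raw):
    """Split a raw HTTP request or response into (start line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_agent_request(raw):
    """Decode a debugs beacon (POST /pagt/agent?data=<json>); None if it is not one."""
    start, headers, _ = parse_http_message(raw)
    parts = start.split()
    if len(parts) != 3 or parts[0] != "POST":
        return None
    url = urlsplit(parts[1])
    if url.path != AGENT_PATH:
        return None
    data = parse_qs(url.query).get("data")
    if not data:
        return None
    try:
        msg = json.loads(data[0])
    except ValueError:
        return None
    return {"host": headers.get("host", ""), "name": msg.get("name"),
            "details": msg.get("details") or {}}


def classify_response(raw):
    """Classify the JSON reply the binary acts on. A push_commands message with a
    'commands' field is the one the client executes as root."""
    _, _, body = parse_http_message(raw)
    try:
        msg = json.loads(body)
    except ValueError:
        return {"verdict": "unparseable", "commands": None}
    details = msg.get("details") or {}
    if msg.get("name") == "push_commands" and "commands" in details:
        return {"verdict": "root_command_push", "commands": details["commands"]}
    return {"verdict": msg.get("name") or "unknown", "commands": None}


def forge_push_commands(command):
    """Build the reply an on-path attacker would inject. The channel is plain HTTP
    with no signature on the body, so the client cannot tell this from the real
    server's answer. (Content-Type header is an assumption; the advisory shows
    only the status line and the JSON body.)"""
    body = json.dumps({"code": "01", "name": "push_commands",
                       "details": {"server_id": "1", "title": "x", "comments": "x",
                                   "commands": command}})
    return "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n" + body


def audit_exchange(request_raw, response_raw):
    """Return the findings for one captured beacon/response pair."""
    findings = []
    beacon = parse_agent_request(request_raw)
    if beacon is None:
        return findings
    findings.append("plaintext_ota_beacon:" + str(beacon["name"]))
    if beacon["host"].split(":")[0] in KNOWN_C2_HOSTS:
        findings.append("known_c2_host:" + beacon["host"])
    verdict = classify_response(response_raw)
    if verdict["verdict"] == "root_command_push":
        findings.append("root_command_push:" + verdict["commands"])
    return findings


if __name__ == "__main__":
    print(audit_exchange(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(audit_exchange(SAMPLE_REQUEST, forge_push_commands("id")))
```

Run against a packet capture, the same three checks (beacon to /pagt/agent over port 80, Host matching one of the listed domains, a push_commands body with a "commands" key) are what a network sensor would alert on; the forged reply shows why the only real fix is on the client side, since a detector cannot distinguish a legitimate push from an injected one.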

This binary is reported to be present in the following devices:

  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0

Impact

A remote, unauthenticated attacker in a position to perform man-in-the-middle attacks can execute arbitrary commands as root.


Solution

Apply an update