{"vuid":"VU#624539","idnumber":"624539","name":"Ragentek Android OTA update mechanism vulnerable to MITM attack","keywords":["CWE-494","remote command execution","MitM","rootkit"],"overview":"Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges.","clean_desc":"CWE-494: Download of Code Without Integrity Check - CVE-2016-6564 Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com\noyag[.]prugskh[.]net\noyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. An example of a request sent by the client binary: POST /pagt/agent?data={\"name\":\"c_regist\",\"details\":{...}} HTTP/1.1\nHost: 114.80.68.223\nConnection: Close An example response from the server could be: HTTP/1.1 200 OK\n{\"code\": \"01\", \"name\": \"push_commands\", \"details\": {\"server_id\": \"1\" ,\n\"title\": \"Test Command\", \"comments\": \"Test\", \"commands\": \"touch /tmp/test\"}} This binary is reported to be present in the following devices: BLU Studio G\nBLU Studio G Plus\nBLU Studio 6.0 HD\nBLU Studio X\nBLU Studio X Plus\nBLU Studio C HD\nInfinix Hot X507\nInfinix Hot 2 X510\nInfinix Zero X506\nInfinix Zero 2 X509\nDOOGEE Voyager 2 DG310\nLEAGOO Lead 5\nLEAGOO Lead 6\nLEAGOO Lead 3i\nLEAGOO Lead 2S\nLEAGOO Alfa 6\nIKU Colorful K45i\nBeeline Pro 2\nXOLO Cube 5.0","impact":"A remote, unauthenticated attacker in a position to perform man-in-the-middle attacks can execute arbitrary commands as root.","resolution":"Apply an update. The reporter indicates that BLU has provided an update, which is intended to address the vulnerability. Please see the vendor status page for more details. For other devices, please check with your device vendor for updates. 
If you are unable to apply an update, see the following workarounds:","workarounds":"Avoid use of untrusted networks Use your device on trusted networks only, and avoid using untrusted networks such as open or public wifi.","sysaffected":"","thanks":"Thanks to Dan Dahlberg and Tiago Pereira of BitSight Technologies and Anubis Networks for reporting this vulnerability.","author":"This document was written by Trent Novelly.","public":["http://blog.anubisnetworks.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack","https://cwe.mitre.org/data/definitions/494.html","http://www.observatoriodeseguridad.com/?p=230","https://twitter.com/timstrazz/status/689981808012828673","https://en.wikipedia.org/wiki/Rootkit"],"cveids":["CVE-2016-6564"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-08-31T19:43:18Z","publicdate":"2016-11-11T00:00:00Z","datefirstpublished":"2016-11-17T17:50:18Z","dateupdated":"2016-11-17T21:49:57Z","revision":21,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9.3","cvss_basevector":"AV:N/AC:M/Au:N/C:C/I:C/A:C","cvss_temporalscore":"8.4","cvss_environmentalscore":"6.299215776","cvss_environmentalvector":"CDP:N/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}