| Summary | Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0 |
|---|---|
| Publication Date | July 14, 2018, 5:29 a.m. |
| Registration Date | Jan. 26, 2021, 2:15 p.m. |
| Last Update | Nov. 21, 2024, 11:56 a.m. |
| CVSS3.0 : HIGH | |
| スコア | 8.1 |
|---|---|
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 攻撃元区分(AV) | ネットワーク |
| 攻撃条件の複雑さ(AC) | 高 |
| 攻撃に必要な特権レベル(PR) | 不要 |
| 利用者の関与(UI) | 不要 |
| 影響の想定範囲(S) | 変更なし |
| 機密性への影響(C) | 高 |
| 完全性への影響(I) | 高 |
| 可用性への影響(A) | 高 |
| CVSS2.0 : HIGH | |
| Score | 9.3 |
|---|---|
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| 攻撃元区分(AV) | ネットワーク |
| 攻撃条件の複雑さ(AC) | 中 |
| 攻撃前の認証要否(Au) | 不要 |
| 機密性への影響(C) | 高 |
| 完全性への影響(I) | 高 |
| 可用性への影響(A) | 高 |
| Get all privileges. | いいえ |
| Get user privileges | いいえ |
| Get other privileges | いいえ |
| User operation required | いいえ |
| Configuration1 | or higher | or less | more than | less than | |
| cpe:2.3:o:infinixauthority:hot_x507_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:infinixauthority:hot_x507:-:*:*:*:*:*:*:* | ||||
| Configuration2 | or higher | or less | more than | less than | |
| cpe:2.3:o:infinixauthority:hot_2_x510_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:infinixauthority:hot_2_x510:-:*:*:*:*:*:*:* | ||||
| Configuration3 | or higher | or less | more than | less than | |
| cpe:2.3:o:infinixauthority:zero_x506_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:infinixauthority:zero_x506:-:*:*:*:*:*:*:* | ||||
| Configuration4 | or higher | or less | more than | less than | |
| cpe:2.3:o:infinixauthority:zero_2_x509_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:infinixauthority:zero_2_x509:-:*:*:*:*:*:*:* | ||||
| Configuration5 | or higher | or less | more than | less than | |
| cpe:2.3:o:bluproducts:studio_g_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:bluproducts:studio_g:-:*:*:*:*:*:*:* | ||||
| Configuration6 | or higher | or less | more than | less than | |
| cpe:2.3:o:bluproducts:studio_g_plus_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:bluproducts:studio_g_plus:-:*:*:*:*:*:*:* | ||||
| Configuration7 | or higher | or less | more than | less than | |
| cpe:2.3:o:bluproducts:studio_6.0_hd_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:bluproducts:studio_6.0_hd:-:*:*:*:*:*:*:* | ||||
| Configuration8 | or higher | or less | more than | less than | |
| cpe:2.3:o:bluproducts:studio_x_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:bluproducts:studio_x:-:*:*:*:*:*:*:* | ||||
| Configuration9 | or higher | or less | more than | less than | |
| cpe:2.3:o:bluproducts:studio_x_plus_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:bluproducts:studio_x_plus:-:*:*:*:*:*:*:* | ||||
| Configuration10 | or higher | or less | more than | less than | |
| cpe:2.3:o:bluproducts:studio_c_hd_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:bluproducts:studio_c_hd:-:*:*:*:*:*:*:* | ||||
| Configuration11 | or higher | or less | more than | less than | |
| cpe:2.3:o:xolo:cube_5.0_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:xolo:cube_5.0:-:*:*:*:*:*:*:* | ||||
| Configuration12 | or higher | or less | more than | less than | |
| cpe:2.3:o:beeline:pro_2_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:beeline:pro_2:-:*:*:*:*:*:*:* | ||||
| Configuration13 | or higher | or less | more than | less than | |
| cpe:2.3:o:iku-mobile:colorful_k45i_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:iku-mobile:colorful_k45i:-:*:*:*:*:*:*:* | ||||
| Configuration14 | or higher | or less | more than | less than | |
| cpe:2.3:o:leagoo:lead_5_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:leagoo:lead_5:-:*:*:*:*:*:*:* | ||||
| Configuration15 | or higher | or less | more than | less than | |
| cpe:2.3:o:leagoo:lead_6_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:leagoo:lead_6:-:*:*:*:*:*:*:* | ||||
| Configuration16 | or higher | or less | more than | less than | |
| cpe:2.3:o:leagoo:lead_3i_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:leagoo:lead_3i:-:*:*:*:*:*:*:* | ||||
| Configuration17 | or higher | or less | more than | less than | |
| cpe:2.3:o:leagoo:lead_2s_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:leagoo:lead_2s:-:*:*:*:*:*:*:* | ||||
| Configuration18 | or higher | or less | more than | less than | |
| cpe:2.3:o:leagoo:alfa_6_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:leagoo:alfa_6:-:*:*:*:*:*:*:* | ||||
| Configuration19 | or higher | or less | more than | less than | |
| cpe:2.3:o:doogee:voyager_2_dg310i_firmware:-:*:*:*:*:*:*:* | |||||
| execution environment | |||||
| 1 | cpe:2.3:h:doogee:voyager_2_dg310i:-:*:*:*:*:*:*:* | ||||
| Title | Ragentek 製のコードを使用した Android 端末の OTA アップデートに中間者攻撃が可能な脆弱性 |
|---|---|
| Summary | Ragentek 製の Android ソフトウェアにおける Over-The-Air (OTA) アップデートは、暗号化せずに通信が行われるため、遠隔の攻撃者が root 権限で任意のコードを実行することが可能です。 完全性未確認のコードのダウンロード (CWE-494) - CVE-2016-6564 Ragentek 製のコードを使用した Android 端末には、Over-The-Air (OTA) アップデート機能を持つプログラムが存在します。また、このプログラムの実行を隠す複数の方法が使用されおり、この挙動はもはや rootkit であるといえます。 CWE-494: Download of Code Without Integrity Check http://cwe.mitre.org/data/definitions/494.html Rootkit https://en.wikipedia.org/wiki/Rootkit /system/bin/debugs に存在するこのプログラムは root 権限で動作し、暗号化されたチャネルでの通信を行いません。 このプログラムは、HTTP 経由で次の 3つのホストと通信を行います。 oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com このプログラムから送信されたリクエストに対するサーバのレスポンスは、root 権限で任意のコマンドを実行したり、アプリケーションをインストールしたり、設定情報を更新したりする機能を備えています。 当該プログラムから送信されるリクエストの例: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close サーバからのレスポンスの例: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} |
| Possible impacts | 中間者 (man-in-the-middle) 攻撃によって、root 権限で任意のコマンドを実行される可能性があります。 |
| Solution | [アップデートする] 報告者によれば、BLU シリーズには本脆弱性の修正アップデートが提供されているとのことです。詳細は、CERT/CC Vulnerability Note VU#624539 の Vendor Information をご確認ください。 VU#624539 の Vendor Information http://www.kb.cert.org/vuls/id/624539#vendors それ以外の端末は、開発者や配布元が提供するアップデートをご確認ください。 [ワークアラウンドを実施する] 対策アップデートを適用するまでの間、本脆弱性の影響を回避するため、次のワークアラウンドを実施してください。 ・ 信頼できないネットワークや Wi-Fi アクセスポイントに接続しない |
| Publication Date | Nov. 17, 2016, midnight |
| Registration Date | Nov. 21, 2016, 11:48 a.m. |
| Last Update | July 24, 2019, 3:06 p.m. |
| (複数のベンダ) |
| (複数の製品) |
| (複数の製品) |
| LEAGOO Global Co., Limited |
| LEAGOO Alfa 6 |
| LEAGOO Alfa 6 |
| LEAGOO Lead 2S |
| LEAGOO Lead 2S |
| LEAGOO Lead 3i |
| LEAGOO Lead 3i |
| LEAGOO Lead 5 |
| LEAGOO Lead 5 |
| LEAGOO Lead 6 |
| LEAGOO Lead 6 |
| Infinix Mobile |
| Infinix Hot 2 X510 |
| Infinix Hot 2 X510 |
| Infinix Hot X507 |
| Infinix Hot X507 |
| Infinix Zero 2 X509 |
| Infinix Zero 2 X509 |
| Infinix Zero X506 |
| Infinix Zero X506 |
| BLU Products |
| BLU Studio 6.0 HD |
| BLU Studio 6.0 HD |
| BLU Studio C HD |
| BLU Studio C HD |
| BLU Studio G |
| BLU Studio G |
| BLU Studio G Plus |
| BLU Studio G Plus |
| BLU Studio X |
| BLU Studio X |
| BLU Studio X Plus |
| BLU Studio X Plus |
| XOLO |
| XOLO Cube 5.0 |
| XOLO Cube 5.0 |
| Beeline |
| Beeline Pro 2 |
| Beeline Pro 2 |
| IKU Mobile |
| IKU Colorful K45i |
| IKU Colorful K45i |
| Shenzhen DOOGEE Hengtong Technology Co., Ltd |
| DOOGEE Voyager 2 DG310 |
| DOOGEE Voyager 2 DG310 |
| No | Changed Details | Date of change |
|---|---|---|
| 1 | [2019年07月24日] 参考情報:National Vulnerability Database (NVD) (CVE-2016-6564) を追加 影響を受けるシステム:内容の更新 |
July 24, 2019, 3:10 p.m. |
| 0 | [2016年11月21日] 掲載 |
Feb. 17, 2018, 10:37 a.m. |
| 1 | [2019年07月24日] 参考情報:National Vulnerability Database (NVD) (CVE-2016-6564) を追加 影響を受けるシステム:内容の更新 |
July 24, 2019, 3:10 p.m. |
| 0 | [2016年11月21日] 掲載 |
Feb. 17, 2018, 10:37 a.m. |