CVE-2016-6564

Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

Los dispositivos Android con código de Ragentek contienen un binario privilegiado que realiza comprobaciones de actualizaciones OTA (over-the-air). Además, hay múltiples técnicas en uso para ocultar la ejecución de este binario. El comportamiento podría describirse como rootkit. Este binario, que reside como /system/bin/debugs, se ejecuta con privilegios root y no se comunica mediante un canal cifrado. Se ha mostrado que el binario se comunica con tres hosts mediante HTTP: oyag[.]lhzbdvm[.]com, oyag[.]prugskh[.]net y oyag[.]prugskh[.]com. Las respuestas del servidor a las peticiones enviadas por el binario debugs incluyen funcionalidades para ejecutar comandos arbitrarios como root, instalar aplicaciones o actualizar configuraciones. Ejemplos de una petición enviada por el binario del cliente: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close Un ejemplo de respuesta del servidor podría ser: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} Se ha informado que este binario está presente en los siguientes dispositivos: BLU Studio G, BLU Studio G Plus, BLU Studio 6.0 HD, BLU Studio X, BLU Studio X Plus, BLU Studio C HD, Infinix Hot X507, Infinix Hot 2 X510, Infinix Zero X506, Infinix Zero 2 X509, DOOGEE Voyager 2 DG310, LEAGOO Lead 5, LEAGOO Lead 6, LEAGOO Lead 3i, LEAGOO Lead 2S, LEAGOO Alfa 6, IKU Colorful K45i, Beeline Pro 2 y XOLO Cube 5.0.

*Credits: Thanks to Dan Dahlberg and Tiago Pereira of BitSight Technologies and Anubis Networks for reporting this vulnerability.

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-08-03 CVE Reserved
2018-07-13 CVE Published
2024-06-22 EPSS Updated
2024-08-06 CVE Updated
2024-08-06 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-264: Permissions, Privileges, and Access Controls
CWE-494: Download of Code Without Integrity Check

CAPEC

References (3)

URL	Tag	Source
https://www.kb.cert.org/vuls/id/624539	Third Party Advisory
https://www.securityfocus.com/bid/94393	Third Party Advisory

URL	Date	SRC
https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack	2024-08-06

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Infinixauthority Search vendor "Infinixauthority"	Hot X507 Firmware Search vendor "Infinixauthority" for product "Hot X507 Firmware"	-	-	Affected	in	Infinixauthority Search vendor "Infinixauthority"	Hot X507 Search vendor "Infinixauthority" for product "Hot X507"	-	-	Safe
Infinixauthority Search vendor "Infinixauthority"	Hot 2 X510 Firmware Search vendor "Infinixauthority" for product "Hot 2 X510 Firmware"	-	-	Affected	in	Infinixauthority Search vendor "Infinixauthority"	Hot 2 X510 Search vendor "Infinixauthority" for product "Hot 2 X510"	-	-	Safe
Infinixauthority Search vendor "Infinixauthority"	Zero X506 Firmware Search vendor "Infinixauthority" for product "Zero X506 Firmware"	-	-	Affected	in	Infinixauthority Search vendor "Infinixauthority"	Zero X506 Search vendor "Infinixauthority" for product "Zero X506"	-	-	Safe
Infinixauthority Search vendor "Infinixauthority"	Zero 2 X509 Firmware Search vendor "Infinixauthority" for product "Zero 2 X509 Firmware"	-	-	Affected	in	Infinixauthority Search vendor "Infinixauthority"	Zero 2 X509 Search vendor "Infinixauthority" for product "Zero 2 X509"	-	-	Safe
Bluproducts Search vendor "Bluproducts"	Studio G Firmware Search vendor "Bluproducts" for product "Studio G Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	Studio G Search vendor "Bluproducts" for product "Studio G"	-	-	Safe
Bluproducts Search vendor "Bluproducts"	Studio G Plus Firmware Search vendor "Bluproducts" for product "Studio G Plus Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	Studio G Plus Search vendor "Bluproducts" for product "Studio G Plus"	-	-	Safe
Bluproducts Search vendor "Bluproducts"	Studio 6.0 Hd Firmware Search vendor "Bluproducts" for product "Studio 6.0 Hd Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	Studio 6.0 Hd Search vendor "Bluproducts" for product "Studio 6.0 Hd"	-	-	Safe
Bluproducts Search vendor "Bluproducts"	Studio X Firmware Search vendor "Bluproducts" for product "Studio X Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	Studio X Search vendor "Bluproducts" for product "Studio X"	-	-	Safe
Bluproducts Search vendor "Bluproducts"	Studio X Plus Firmware Search vendor "Bluproducts" for product "Studio X Plus Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	Studio X Plus Search vendor "Bluproducts" for product "Studio X Plus"	-	-	Safe
Bluproducts Search vendor "Bluproducts"	Studio C Hd Firmware Search vendor "Bluproducts" for product "Studio C Hd Firmware"	-	-	Affected	in	Bluproducts Search vendor "Bluproducts"	Studio C Hd Search vendor "Bluproducts" for product "Studio C Hd"	-	-	Safe
Xolo Search vendor "Xolo"	Cube 5.0 Firmware Search vendor "Xolo" for product "Cube 5.0 Firmware"	-	-	Affected	in	Xolo Search vendor "Xolo"	Cube 5.0 Search vendor "Xolo" for product "Cube 5.0"	-	-	Safe
Beeline Search vendor "Beeline"	Pro 2 Firmware Search vendor "Beeline" for product "Pro 2 Firmware"	-	-	Affected	in	Beeline Search vendor "Beeline"	Pro 2 Search vendor "Beeline" for product "Pro 2"	-	-	Safe
Iku-mobile Search vendor "Iku-mobile"	Colorful K45i Firmware Search vendor "Iku-mobile" for product "Colorful K45i Firmware"	-	-	Affected	in	Iku-mobile Search vendor "Iku-mobile"	Colorful K45i Search vendor "Iku-mobile" for product "Colorful K45i"	-	-	Safe
Leagoo Search vendor "Leagoo"	Lead 5 Firmware Search vendor "Leagoo" for product "Lead 5 Firmware"	-	-	Affected	in	Leagoo Search vendor "Leagoo"	Lead 5 Search vendor "Leagoo" for product "Lead 5"	-	-	Safe
Leagoo Search vendor "Leagoo"	Lead 6 Firmware Search vendor "Leagoo" for product "Lead 6 Firmware"	-	-	Affected	in	Leagoo Search vendor "Leagoo"	Lead 6 Search vendor "Leagoo" for product "Lead 6"	-	-	Safe
Leagoo Search vendor "Leagoo"	Lead 3i Firmware Search vendor "Leagoo" for product "Lead 3i Firmware"	-	-	Affected	in	Leagoo Search vendor "Leagoo"	Lead 3i Search vendor "Leagoo" for product "Lead 3i"	-	-	Safe
Leagoo Search vendor "Leagoo"	Lead 2s Firmware Search vendor "Leagoo" for product "Lead 2s Firmware"	-	-	Affected	in	Leagoo Search vendor "Leagoo"	Lead 2s Search vendor "Leagoo" for product "Lead 2s"	-	-	Safe
Leagoo Search vendor "Leagoo"	Alfa 6 Firmware Search vendor "Leagoo" for product "Alfa 6 Firmware"	-	-	Affected	in	Leagoo Search vendor "Leagoo"	Alfa 6 Search vendor "Leagoo" for product "Alfa 6"	-	-	Safe
Doogee Search vendor "Doogee"	Voyager 2 Dg310i Firmware Search vendor "Doogee" for product "Voyager 2 Dg310i Firmware"	-	-	Affected	in	Doogee Search vendor "Doogee"	Voyager 2 Dg310i Search vendor "Doogee" for product "Voyager 2 Dg310i"	-	-	Safe