CVE-2016-6564
Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary; this behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP:

- oyag[.]lhzbdvm[.]com
- oyag[.]prugskh[.]net
- oyag[.]prugskh[.]com

Server responses to requests sent by the debugs binary include functionality to execute arbitrary commands as root, install applications, or update configurations. Example of a request sent by the client binary:

```
POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1.1
Host: 114.80.68.223
Connection: Close
```

An example response from the server could be:

```
HTTP/1.1 200 OK
{"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}
```

This binary is reported to be present in the following devices:

- BLU Studio G
- BLU Studio G Plus
- BLU Studio 6.0 HD
- BLU Studio X
- BLU Studio X Plus
- BLU Studio C HD
- Infinix Hot X507
- Infinix Hot 2 X510
- Infinix Zero X506
- Infinix Zero 2 X509
- DOOGEE Voyager 2 DG310
- LEAGOO Lead 5
- LEAGOO Lead 6
- LEAGOO Lead 3i
- LEAGOO Lead 2S
- LEAGOO Alfa 6
- IKU Colorful K45i
- Beeline Pro 2
- XOLO Cube 5.0
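A detection helper for the agent traffic described above, written here as an added example (it is not code from the advisory, from Ragentek, or from the referenced blog). It parses one plaintext request/response pair in the shape quoted in the description and flags what a defender can act on: the /pagt/agent endpoint, the three update hosts named above, and a "push_commands" response carrying a shell command for the root agent. The sample exchange is constructed to mirror the quoted messages.

```python
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Update hosts named in the advisory (defanged there with [.]); un-defanged for matching.
KNOWN_HOSTS = {"oyag.lhzbdvm.com", "oyag.prugskh.net", "oyag.prugskh.com"}

# Constructed sample exchange, shaped like the request/response quoted in the description.
SAMPLE_REQUEST = (
    'POST /pagt/agent?data={"name":"c_regist","details":{}} HTTP/1.1\r\n'
    "Host: 114.80.68.223\r\nConnection: Close\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n\r\n"
    '{"code": "01", "name": "push_commands", "details": {"server_id": "1", '
    '"title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}'
)

@dataclass
class Finding:
    reasons: List[str] = field(default_factory=list)
    commands: Optional[str] = None   # shell command the server asked the root agent to run

def parse_http_message(raw: str):  # -> (start line, lower-cased header dict, body)
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()

def inspect_exchange(request: str, response: str) -> Finding:
    """Flag the CVE-2016-6564 agent protocol in one plaintext request/response pair."""
    finding = Finding()
    request_line, headers, _ = parse_http_message(request)
    target = request_line.split(" ")[1]
    if target.split("?", 1)[0] == "/pagt/agent":
        finding.reasons.append("request to Ragentek agent endpoint /pagt/agent")
    if headers.get("host", "") in KNOWN_HOSTS:
        finding.reasons.append("request to known Ragentek update host " + headers["host"])
    _, _, body = parse_http_message(response)
    try:
        message = json.loads(body)
    except json.JSONDecodeError:
        return finding          # not the agent's JSON protocol; nothing more to flag
    if message.get("name") == "push_commands":
        finding.commands = message.get("details", {}).get("commands")
        finding.reasons.append("server pushed a shell command over unencrypted HTTP")
    return finding
```

Run over HTTP transactions exported from a capture, a non-empty `reasons` list on a device from the list above is the signal to isolate it and block the update hosts at the network edge.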
CVSS Scores
SSVC
- Decision: -
Timeline
- 2016-08-03 CVE Reserved
- 2018-07-13 CVE Published
- 2024-06-22 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-494: Download of Code Without Integrity Check
CAPEC
References (3)
URL | Tag | Source
---|---|---
https://www.kb.cert.org/vuls/id/624539 | Third Party Advisory |
https://www.securityfocus.com/bid/94393 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack | 2024-08-06 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status | Runs in (platform) | Platform Status
---|---|---|---|---|---
Infinixauthority | Hot X507 Firmware | - | Affected | Hot X507 | Safe
Infinixauthority | Hot 2 X510 Firmware | - | Affected | Hot 2 X510 | Safe
Infinixauthority | Zero X506 Firmware | - | Affected | Zero X506 | Safe
Infinixauthority | Zero 2 X509 Firmware | - | Affected | Zero 2 X509 | Safe
Bluproducts | Studio G Firmware | - | Affected | Studio G | Safe
Bluproducts | Studio G Plus Firmware | - | Affected | Studio G Plus | Safe
Bluproducts | Studio 6.0 Hd Firmware | - | Affected | Studio 6.0 Hd | Safe
Bluproducts | Studio X Firmware | - | Affected | Studio X | Safe
Bluproducts | Studio X Plus Firmware | - | Affected | Studio X Plus | Safe
Bluproducts | Studio C Hd Firmware | - | Affected | Studio C Hd | Safe
Xolo | Cube 5.0 Firmware | - | Affected | Cube 5.0 | Safe
Beeline | Pro 2 Firmware | - | Affected | Pro 2 | Safe
Iku-mobile | Colorful K45i Firmware | - | Affected | Colorful K45i | Safe
Leagoo | Lead 5 Firmware | - | Affected | Lead 5 | Safe
Leagoo | Lead 6 Firmware | - | Affected | Lead 6 | Safe
Leagoo | Lead 3i Firmware | - | Affected | Lead 3i | Safe
Leagoo | Lead 2s Firmware | - | Affected | Lead 2s | Safe
Leagoo | Alfa 6 Firmware | - | Affected | Alfa 6 | Safe
Doogee | Voyager 2 Dg310i Firmware | - | Affected | Voyager 2 Dg310i | Safe