CVE-2016-6564

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:infinixauthority:hot_x507_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:infinixauthority:hot_x507:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:infinixauthority:hot_2_x510_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:infinixauthority:hot_2_x510:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:infinixauthority:zero_x506_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:infinixauthority:zero_x506:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:infinixauthority:zero_2_x509_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:infinixauthority:zero_2_x509:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:bluproducts:studio_g_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:bluproducts:studio_g:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:bluproducts:studio_g_plus_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:bluproducts:studio_g_plus:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:bluproducts:studio_6.0_hd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:bluproducts:studio_6.0_hd:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:bluproducts:studio_x_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:bluproducts:studio_x:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:bluproducts:studio_x_plus_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:bluproducts:studio_x_plus:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:bluproducts:studio_c_hd_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:bluproducts:studio_c_hd:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:xolo:cube_5.0_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:xolo:cube_5.0:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:beeline:pro_2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:beeline:pro_2:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:iku-mobile:colorful_k45i_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:iku-mobile:colorful_k45i:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:leagoo:lead_5_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:leagoo:lead_5:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:leagoo:lead_6_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:leagoo:lead_6:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:leagoo:lead_3i_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:leagoo:lead_3i:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:leagoo:lead_2s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:leagoo:lead_2s:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:leagoo:alfa_6_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:leagoo:alfa_6:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:doogee:voyager_2_dg310i_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:doogee:voyager_2_dg310i:-:*:*:*:*:*:*:*

History

21 Nov 2024, 02:56

Type Values Removed Values Added
References () https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack - Exploit, Third Party Advisory () https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack - Exploit, Third Party Advisory
References () https://www.kb.cert.org/vuls/id/624539 - Third Party Advisory, US Government Resource () https://www.kb.cert.org/vuls/id/624539 - Third Party Advisory, US Government Resource
References () https://www.securityfocus.com/bid/94393/ - Third Party Advisory, VDB Entry () https://www.securityfocus.com/bid/94393/ - Third Party Advisory, VDB Entry

Information

Published : 2018-07-13 20:29

Updated : 2024-11-21 02:56


NVD link : CVE-2016-6564

Mitre link : CVE-2016-6564

CVE.ORG link : CVE-2016-6564


JSON object : View

Products Affected

leagoo

  • lead_2s_firmware
  • lead_2s
  • lead_6
  • alfa_6
  • lead_5_firmware
  • lead_3i
  • alfa_6_firmware
  • lead_6_firmware
  • lead_3i_firmware
  • lead_5

bluproducts

  • studio_x
  • studio_x_plus
  • studio_g_plus
  • studio_g
  • studio_c_hd
  • studio_g_firmware
  • studio_g_plus_firmware
  • studio_6.0_hd
  • studio_x_plus_firmware
  • studio_6.0_hd_firmware
  • studio_x_firmware
  • studio_c_hd_firmware

infinixauthority

  • hot_x507
  • zero_2_x509_firmware
  • hot_2_x510_firmware
  • zero_2_x509
  • zero_x506_firmware
  • zero_x506
  • hot_2_x510
  • hot_x507_firmware

beeline

  • pro_2_firmware
  • pro_2

iku-mobile

  • colorful_k45i
  • colorful_k45i_firmware

doogee

  • voyager_2_dg310i
  • voyager_2_dg310i_firmware

xolo

  • cube_5.0
  • cube_5.0_firmware
CWE
CWE-494

Download of Code Without Integrity Check

CWE-264

Permissions, Privileges, and Access Controls