CVE-2016-10138 Information

Description

An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. In the com.adups.fota.sysoper app’s AndroidManifest.xml file it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user which is a very privileged user on the device. The app has an exported broadcast receiver named com.adups.fota.sysoper.WriteCommandReceiver which any app on the device can interact with. Therefore any app can send a command embedded in an intent which will be executed by the WriteCommandReceiver component which is executing as the system user. The third-party app utilizing the WriteCommandReceiver can perform the following actions: call a phone number factory reset the device take pictures of the screen record the screen in a video install applications inject events obtain the Android log and others. In addition the com.adups.fota.sysoper.TaskService component will make a request to a URL of http://rebootv5.adsunflower.com/ps/fetch.do where the commands in the String array with a key of sf in the JSON Object sent back by the server will be executed as the system user. Since the connection is made via HTTP it is vulnerable to a MITM attack.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.securityfocus.com/bid/96853 https://www.kryptowire.com/adups_security_analysis.html https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8