CVE-2016-6564 Information

Description

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary which resides as /system/bin/debugs runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root install applications or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data=\name:\c_regist\details:… HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK \code\

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack https://www.kb.cert.org/vuls/id/624539 https://www.securityfocus.com/bid/94393/

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1