CVE-2016-6564
Last modified
CVE-2016-6564 is a vulnerability of currently unknown severity. Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. EPSS estimates a 2.66% chance of exploitation in the next 30 days.
Description
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Infinixauthority | Hot X507 Firmware | All versions |
| Infinixauthority | Hot 2 X510 Firmware | All versions |
| Infinixauthority | Zero X506 Firmware | All versions |
| Infinixauthority | Zero 2 X509 Firmware | All versions |
| Bluproducts | Studio G Firmware | All versions |
| Bluproducts | Studio G Plus Firmware | All versions |
| Bluproducts | Studio 6.0 Hd Firmware | All versions |
| Bluproducts | Studio X Firmware | All versions |
| Bluproducts | Studio X Plus Firmware | All versions |
| Bluproducts | Studio C Hd Firmware | All versions |
| Xolo | Cube 5.0 Firmware | All versions |
| Beeline | Pro 2 Firmware | All versions |
| Iku-Mobile | Colorful K45i Firmware | All versions |
| Leagoo | Lead 5 Firmware | All versions |
| Leagoo | Lead 6 Firmware | All versions |
| Leagoo | Lead 3i Firmware | All versions |
| Leagoo | Lead 2s Firmware | All versions |
| Leagoo | Alfa 6 Firmware | All versions |
| Doogee | Voyager 2 Dg310i Firmware | All versions |
References
- https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attackExploit, Third Party Advisory
- https://www.kb.cert.org/vuls/id/624539Third Party Advisory, US Government Resource
- https://www.securityfocus.com/bid/94393/Third Party Advisory, VDB Entry
- https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attackExploit, Third Party Advisory
- https://www.kb.cert.org/vuls/id/624539Third Party Advisory, US Government Resource
- https://www.securityfocus.com/bid/94393/Third Party Advisory, VDB Entry
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-6564?
How severe is CVE-2016-6564?
How do I fix CVE-2016-6564?
Are you affected by CVE-2016-6564?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST