{"containers":{"cna":{"affected":[{"product":"Android software","vendor":"Ragentek","versions":[{"status":"unknown","version":"N/A"}]}],"credits":[{"lang":"en","value":"Thanks to Dan Dahlberg and Tiago Pereira of BitSight Technologies and Anubis Networks for reporting this vulnerability."}],"datePublic":"2016-11-17T00:00:00.000Z","descriptions":[{"lang":"en","value":"Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={\"name\":\"c_regist\",\"details\":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {\"code\": \"01\", \"name\": \"push_commands\", \"details\": {\"server_id\": \"1\" , \"title\": \"Test Command\", \"comments\": \"Test\", \"commands\": \"touch /tmp/test\"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-494","description":"CWE-494","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2018-07-13T19:57:01.000Z","orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc"},"references":[{"name":"VU#624539","tags":["third-party-advisory","x_refsource_CERT-VN"],"url":"https://www.kb.cert.org/vuls/id/624539"},{"tags":["x_refsource_MISC"],"url":"https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack"},{"name":"94393","tags":["vdb-entry","x_refsource_BID"],"url":"https://www.securityfocus.com/bid/94393/"}],"source":{"discovery":"UNKNOWN"},"title":"Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges","x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cert@cert.org","ID":"CVE-2016-6564","STATE":"PUBLIC","TITLE":"Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Android software","version":{"version_data":[{"affected":"?","version_affected":"?","version_value":"N/A"}]}}]},"vendor_name":"Ragentek"}]}},"credit":[{"lang":"eng","value":"Thanks to Dan Dahlberg and Tiago Pereira of BitSight Technologies and Anubis Networks for reporting this vulnerability."}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={\"name\":\"c_regist\",\"details\":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {\"code\": \"01\", \"name\": \"push_commands\", \"details\": {\"server_id\": \"1\" , \"title\": \"Test Command\", \"comments\": \"Test\", \"commands\": \"touch /tmp/test\"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-494"}]}]},"references":{"reference_data":[{"name":"VU#624539","refsource":"CERT-VN","url":"https://www.kb.cert.org/vuls/id/624539"},{"name":"https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack","refsource":"MISC","url":"https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack"},{"name":"94393","refsource":"BID","url":"https://www.securityfocus.com/bid/94393/"}]},"source":{"discovery":"UNKNOWN"}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-06T01:36:28.064Z"},"title":"CVE Program Container","references":[{"name":"VU#624539","tags":["third-party-advisory","x_refsource_CERT-VN","x_transferred"],"url":"https://www.kb.cert.org/vuls/id/624539"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack"},{"name":"94393","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"https://www.securityfocus.com/bid/94393/"}]}]},"cveMetadata":{"assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","assignerShortName":"certcc","cveId":"CVE-2016-6564","datePublished":"2018-07-13T20:00:00.000Z","dateReserved":"2016-08-03T00:00:00.000Z","dateUpdated":"2024-08-06T01:36:28.064Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}