CVE-2016-6564

Published on: 07/13/2018 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:12 PM UTC

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Pro 2 from Beeline contain the following vulnerability:

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0

  • CVE-2016-6564 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: Ragentek - Android software version N/A

CVSS3 Score: 8.1 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK HIGH NONE NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED HIGH HIGH HIGH

CVSS2 Score: 9.3 - HIGH

Access
Vector
Access
Complexity
Authentication
NETWORK MEDIUM NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
COMPLETE COMPLETE COMPLETE

CVE References

Description Tags Link
Vulnerability Note VU#624539 - Ragentek Android OTA update mechanism vulnerable to MITM attack Third Party Advisory
US Government Resource
www.kb.cert.org
text/html
URL Logo CERT-VN VU#624539
Multiple Android Products CVE-2016-6564 Man in the Middle Security Bypass Vulnerability Third Party Advisory
VDB Entry
cve.report (archive)
text/html
URL Logo BID 94393
GhostPush Android Botnet Exploit
Third Party Advisory
www.bitsighttech.com
text/html
URL Logo MISC www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack
Multiple Android Products CVE-2016-6564 Man in the Middle Security Bypass Vulnerability cve.report (archive)
text/html
URL Logo BID 94393

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
HardwareBeelinePro 2-AllAllAll
HardwareBeelinePro 2-AllAllAll
Operating
System
BeelinePro 2 Firmware-AllAllAll
Operating
System
BeelinePro 2 Firmware-AllAllAll
HardwareBluproductsStudio 6.0 Hd-AllAllAll
HardwareBluproductsStudio 6.0 Hd-AllAllAll
Operating
System
BluproductsStudio 6.0 Hd Firmware-AllAllAll
Operating
System
BluproductsStudio 6.0 Hd Firmware-AllAllAll
HardwareBluproductsStudio C Hd-AllAllAll
HardwareBluproductsStudio C Hd-AllAllAll
Operating
System
BluproductsStudio C Hd Firmware-AllAllAll
Operating
System
BluproductsStudio C Hd Firmware-AllAllAll
HardwareBluproductsStudio G-AllAllAll
HardwareBluproductsStudio G-AllAllAll
Operating
System
BluproductsStudio G Firmware-AllAllAll
Operating
System
BluproductsStudio G Firmware-AllAllAll
HardwareBluproductsStudio G Plus-AllAllAll
HardwareBluproductsStudio G Plus-AllAllAll
Operating
System
BluproductsStudio G Plus Firmware-AllAllAll
Operating
System
BluproductsStudio G Plus Firmware-AllAllAll
HardwareBluproductsStudio X-AllAllAll
HardwareBluproductsStudio X-AllAllAll
Operating
System
BluproductsStudio X Firmware-AllAllAll
Operating
System
BluproductsStudio X Firmware-AllAllAll
HardwareBluproductsStudio X Plus-AllAllAll
HardwareBluproductsStudio X Plus-AllAllAll
Operating
System
BluproductsStudio X Plus Firmware-AllAllAll
Operating
System
BluproductsStudio X Plus Firmware-AllAllAll
HardwareDoogeeVoyager 2 Dg310i-AllAllAll
HardwareDoogeeVoyager 2 Dg310i-AllAllAll
Operating
System
DoogeeVoyager 2 Dg310i Firmware-AllAllAll
Operating
System
DoogeeVoyager 2 Dg310i Firmware-AllAllAll
HardwareIku-mobileColorful K45i-AllAllAll
HardwareIku-mobileColorful K45i-AllAllAll
Operating
System
Iku-mobileColorful K45i Firmware-AllAllAll
Operating
System
Iku-mobileColorful K45i Firmware-AllAllAll
HardwareInfinixauthorityHot 2 X510-AllAllAll
HardwareInfinixauthorityHot 2 X510-AllAllAll
Operating
System
InfinixauthorityHot 2 X510 Firmware-AllAllAll
Operating
System
InfinixauthorityHot 2 X510 Firmware-AllAllAll
HardwareInfinixauthorityHot X507-AllAllAll
HardwareInfinixauthorityHot X507-AllAllAll
Operating
System
InfinixauthorityHot X507 Firmware-AllAllAll
Operating
System
InfinixauthorityHot X507 Firmware-AllAllAll
HardwareInfinixauthorityZero 2 X509-AllAllAll
HardwareInfinixauthorityZero 2 X509-AllAllAll
Operating
System
InfinixauthorityZero 2 X509 Firmware-AllAllAll
Operating
System
InfinixauthorityZero 2 X509 Firmware-AllAllAll
HardwareInfinixauthorityZero X506-AllAllAll
HardwareInfinixauthorityZero X506-AllAllAll
Operating
System
InfinixauthorityZero X506 Firmware-AllAllAll
Operating
System
InfinixauthorityZero X506 Firmware-AllAllAll
HardwareLeagooAlfa 6-AllAllAll
HardwareLeagooAlfa 6-AllAllAll
Operating
System
LeagooAlfa 6 Firmware-AllAllAll
Operating
System
LeagooAlfa 6 Firmware-AllAllAll
HardwareLeagooLead 2s-AllAllAll
HardwareLeagooLead 2s-AllAllAll
Operating
System
LeagooLead 2s Firmware-AllAllAll
Operating
System
LeagooLead 2s Firmware-AllAllAll
HardwareLeagooLead 3i-AllAllAll
HardwareLeagooLead 3i-AllAllAll
Operating
System
LeagooLead 3i Firmware-AllAllAll
Operating
System
LeagooLead 3i Firmware-AllAllAll
HardwareLeagooLead 5-AllAllAll
HardwareLeagooLead 5-AllAllAll
Operating
System
LeagooLead 5 Firmware-AllAllAll
Operating
System
LeagooLead 5 Firmware-AllAllAll
HardwareLeagooLead 6-AllAllAll
HardwareLeagooLead 6-AllAllAll
Operating
System
LeagooLead 6 Firmware-AllAllAll
Operating
System
LeagooLead 6 Firmware-AllAllAll
HardwareXoloCube 5.0-AllAllAll
HardwareXoloCube 5.0-AllAllAll
Operating
System
XoloCube 5.0 Firmware-AllAllAll
Operating
System
XoloCube 5.0 Firmware-AllAllAll
  • cpe:2.3:h:beeline:pro_2:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:beeline:pro_2:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:beeline:pro_2_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:beeline:pro_2_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_6.0_hd:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_6.0_hd:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_6.0_hd_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_6.0_hd_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_c_hd:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_c_hd:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_c_hd_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_c_hd_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_g:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_g:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_g_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_g_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_g_plus:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_g_plus:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_g_plus_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_g_plus_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_x:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_x:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_x_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_x_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_x_plus:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:bluproducts:studio_x_plus:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_x_plus_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:bluproducts:studio_x_plus_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:doogee:voyager_2_dg310i:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:doogee:voyager_2_dg310i:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:doogee:voyager_2_dg310i_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:doogee:voyager_2_dg310i_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:iku-mobile:colorful_k45i:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:iku-mobile:colorful_k45i:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:iku-mobile:colorful_k45i_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:iku-mobile:colorful_k45i_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:hot_2_x510:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:hot_2_x510:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:hot_2_x510_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:hot_2_x510_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:hot_x507:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:hot_x507:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:hot_x507_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:hot_x507_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:zero_2_x509:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:zero_2_x509:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:zero_2_x509_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:zero_2_x509_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:zero_x506:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:infinixauthority:zero_x506:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:zero_x506_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:infinixauthority:zero_x506_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:alfa_6:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:alfa_6:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:alfa_6_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:alfa_6_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_2s:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_2s:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_2s_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_2s_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_3i:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_3i:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_3i_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_3i_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_5:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_5:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_5_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_5_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_6:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:leagoo:lead_6:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_6_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:leagoo:lead_6_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:xolo:cube_5.0:-:*:*:*:*:*:*:*:
  • cpe:2.3:h:xolo:cube_5.0:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:xolo:cube_5.0_firmware:-:*:*:*:*:*:*:*:
  • cpe:2.3:o:xolo:cube_5.0_firmware:-:*:*:*:*:*:*:*:

Discovery Credit

Thanks to Dan Dahlberg and Tiago Pereira of BitSight Technologies and Anubis Networks for reporting this vulnerability.