Vulnerability Details : CVE-2016-6564
Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks. Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit. This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel. The binary has been shown to communicate with three hosts via HTTP: oyag[.]lhzbdvm[.]com oyag[.]prugskh[.]net oyag[.]prugskh[.]com Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations. Examples of a request sent by the client binary: POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1 Host: 114.80.68.223 Connection: Close An example response from the server could be: HTTP/1.1 200 OK {"code": "01", "name": "push_commands", "details": {"server_id": "1" , "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}} This binary is reported to be present in the following devices: BLU Studio G BLU Studio G Plus BLU Studio 6.0 HD BLU Studio X BLU Studio X Plus BLU Studio C HD Infinix Hot X507 Infinix Hot 2 X510 Infinix Zero X506 Infinix Zero 2 X509 DOOGEE Voyager 2 DG310 LEAGOO Lead 5 LEAGOO Lead 6 LEAGOO Lead 3i LEAGOO Lead 2S LEAGOO Alfa 6 IKU Colorful K45i Beeline Pro 2 XOLO Cube 5.0
Products affected by CVE-2016-6564
- cpe:2.3:o:xolo:cube_5.0_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:infinixauthority:hot_x507_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:infinixauthority:hot_2_x510_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:infinixauthority:zero_x506_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:infinixauthority:zero_2_x509_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_g_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_g_plus_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_6.0_hd_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_x_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_x_plus_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:studio_c_hd_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:beeline:pro_2_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:iku-mobile:colorful_k45i_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_5_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_6_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_3i_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:lead_2s_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:leagoo:alfa_6_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:doogee:voyager_2_dg310i_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-6564
4.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-6564
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST | |
8.1
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2016-6564
-
Assigned by: nvd@nist.gov (Primary)
-
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.Assigned by: cret@cert.org (Secondary)
References for CVE-2016-6564
-
https://www.kb.cert.org/vuls/id/624539
VU#624539 - Ragentek Android OTA update mechanism vulnerable to MITM attackThird Party Advisory;US Government Resource
-
https://www.bitsighttech.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack
Ragentek Android OTA Update Mechanism Vulnerable To MITM AttackExploit;Third Party Advisory
-
https://www.securityfocus.com/bid/94393/
Multiple Android Products CVE-2016-6564 Man in the Middle Security Bypass VulnerabilityThird Party Advisory;VDB Entry
Jump to