
Security Vulnerability #2 On HTC Devices (PoC #2) – WiMax Leaks

Difficulty: 3

I know that it has been a few weeks already, but we finally have the green light to keep going with our exclusive series on security holes in HTC's latest devices. In case you just tuned in to the whole issue, we will be talking about vulnerabilities found in HTC handsets across the globe, particularly in the EVO family of devices as well as some of the newer ones like the HTC Sensation and Kingdom. XDA Recognized Developer TrevE has been doing a fantastic job uncovering the holes one by one, and after much testing he found some rather interesting results: things that could easily be obtained from your device(s) because of code inside the manufacturer's handsets that exists solely to collect data and information about you, your usage, and many other things you don't want floating around on the internet. We are happy to report that HTC got their act together on the first vulnerability and removed the code responsible for the threat (htcloggers.apk).

As agreed between TrevE and HTC, our dev has been giving HTC a head start (5 working days) on virtually all issues before publicly disclosing them. HTC has been making good use of that time for issue #2 and is currently working towards a solution, but we will go ahead and let you know what this one is about. Those of you who enjoy the speeds of WiMax on your 4G-enabled devices are doing so with an inherent risk. It turns out that WiMax is even more open than the HTC logger app. In more technical terms, an attacker who gains control over this can manipulate data connectivity and go as far as completely reprogramming your device's CDMA parameters remotely. This is done through two open ports that require no authentication, and just as before, the only thing a malicious app needs to do any of this is the INTERNET permission. The other interesting finding is that you can also send commands to the radio via the WiMax monitoring port, and sending a single comma produces an "out of bounds range exception" that crashes the device. Here is a more detailed explanation of the whole thing:

——————————————————————————

Vulnerability: Android Security Elevation/Wimax Information Leak/Out of Bounds Crash
Products Affected: Any HTC device with wimax services running on ports 7773/7774/7775/7776
Vulnerability reported by: TrevE
——————————————————————————
Attached is a proof of concept showing manipulation of wimax data connectivity. Reading will only be demonstrated, but if someone was clever a few different attacks could be performed, from stealing the below information, to reprogramming with bogus/destructive values, possibly MITM data connections and more. The WimaxMonitoring port is also able to crash the device if a comma is sent; it creates an index out of range exception. The following services are able to be read and written by a malicious app with only permission INTERNET.

Netstat:
tcp        0      0 ::ffff:127.0.0.1:7775   :::*                    LISTEN      4327/system_server
tcp        0      0 127.0.0.1:7776          0.0.0.0:*               LISTEN      4230/wimaxDaemon

system_server (port 7775) is a Wimax Monitoring socket. Not all commands are known at this time outside of:
getNaiDecoration
isDunMode
isReleaseKey

/system/bin/wimaxDaemon (port 7776): Not all commands are known at this time outside of:
getMac
dumpMacTreeFromFlash
saveMacTreeToFlash
lockMacTree
unlockMacTree

/system/bin/(get|set)WiMAXPropDaemon:
allows standard users read/write to root only file /data/wimax/wimax_properties used to manipulate wimax data connectivity (4g radio) by sending commands to TCP ports 7773/7774 with no authentication. Netstat:
tcp        0      0 127.0.0.1:7773          0.0.0.0:*               LISTEN      4210/setWiMAXPropDaemon
tcp        0      0 127.0.0.1:7774          0.0.0.0:*               LISTEN      4211/getWiMAXPropDaemon

File accessed by the method, proving it should not be readable by anyone other than root, or written to at all:

-r--r-----    1 root     root       1048576 Oct  5 23:25 wimax_properties

Props able to be read/written:

persist.wimax.Cold_Boot_Flag 
persist.wimax.STANDBY_TIME 
persist.wimax.SCAN_RATE 
persist.wimax.Realm 
persist.wimax.CenterFrequency 
persist.wimax.Bandwidth 
persist.wimax.0.Man 
persist.wimax.0.Mod 
persist.wimax.0.FwV 
persist.wimax.0.HwV 
persist.wimax.0.SwV
persist.wimax.0.MAC 
persist.wimax.0.TO-FUMO-REF ./FUMO
persist.wimax.TO-WiMAX-REF ./WiMAXSupp
persist.wimax.IPv4 
persist.wimax.IPv6 
persist.wimax.ServerInitiated 
persist.wimax.CLInit.PollSuprt 
persist.wimax.CLInit.PollIntrvl
persist.wimax.WorkMode
persist.wimax.Session_Conti
persist.wimax.Scan_Timeout
persist.wimax.Scan_Retry
persist.wimax.Idle_Sleep
persist.wimax.Entry_RX 
persist.wimax.Entry_CINR
persist.wimax.Entry_Delay
persist.wimax.Exit_CINR
persist.wimax.Exit_Delay
persist.wimax.0.H-NSP-ID 
persist.wimax.OperatorName 
persist.wimax.PollingInterval 
persist.wimax.Primary.Name 
persist.wimax.Primary.Activated 
persist.wimax.0.METHOD-TYPE 
persist.wimax.0.VENDOR-ID 
persist.wimax.0.VENDOR-TYPE 
persist.wimax.0.USER-IDENTITY 
persist.wimax.0.PSEUDO-IDENTITY 
persist.wimax.0.PASSWORD 
persist.wimax.0.REALM 
persist.wimax.0.USE-PRIVACY 
persist.wimax.0.ENCAPS 
persist.wimax.0.VFY-SRVR-REALM 
persist.wimax.0.S-RLM.0.S-RLM 
persist.wimax.0.To-IP-REF ./IP  
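As an added defender-side check (not TrevE's proof of concept or anything from the original post), the following Python parses `netstat -lnpt`-style output such as the lines quoted above and reports which of the four advisory ports have a LISTEN socket, so a device can be checked for the exposed daemons. The port-to-daemon mapping comes from the advisory; the `adbd` line in the sample is constructed.

```python
import re

# Loopback ports named in the advisory and the daemon it says listens on each.
WIMAX_PORTS = {
    7773: "setWiMAXPropDaemon",
    7774: "getWiMAXPropDaemon",
    7775: "system_server (WiMax monitoring socket)",
    7776: "wimaxDaemon",
}

# One `netstat -lnpt`-style line: proto, recv-q, send-q, local, remote,
# state, PID/program. Handles IPv4 and IPv6-mapped (::ffff:) local addresses.
_NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

def parse_local_port(addr):
    """Port from '127.0.0.1:7776' or '::ffff:127.0.0.1:7775' (text after the last colon)."""
    return int(addr.rsplit(":", 1)[1])

def find_wimax_listeners(netstat_output):
    """Return sorted (port, pid, program, advisory_daemon) tuples for every
    LISTEN socket on one of the advisory's ports; other lines are skipped."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_RE.match(line.strip())
        if not m or m.group("state") != "LISTEN":
            continue
        port = parse_local_port(m.group("local"))
        if port in WIMAX_PORTS:
            hits.append((port, int(m.group("pid")), m.group("prog"), WIMAX_PORTS[port]))
    return sorted(hits)

# Constructed sample: the four lines quoted in the advisory plus one unrelated
# listener (adbd on 5037) that must not be reported.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:7773          0.0.0.0:*               LISTEN      4210/setWiMAXPropDaemon
tcp        0      0 127.0.0.1:7774          0.0.0.0:*               LISTEN      4211/getWiMAXPropDaemon
tcp        0      0 ::ffff:127.0.0.1:7775   :::*                    LISTEN      4327/system_server
tcp        0      0 127.0.0.1:7776          0.0.0.0:*               LISTEN      4230/wimaxDaemon
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      1234/adbd
"""

if __name__ == "__main__":
    for port, pid, prog, daemon in find_wimax_listeners(SAMPLE_NETSTAT):
        print(f"port {port}: {prog} (pid {pid}) -> {daemon}")
```

On a device the same function can be fed the output of `adb shell netstat -lnpt` (or `busybox netstat`); an empty result after the patch below is applied is the expected state.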

Now, according to TrevE there are a few things that simply stand out as big "Why"s here. Why is there a need for a WiMax monitoring port that can gather every single bit of information about your device and that can easily grant access to it? This monitoring port can also check what you are running on your device (release keys), and it can check the tethered state of the device. Secondly, and while this could be a simple coincidence, the timing of Sprint's move to limit the previously unlimited 4G seems a little odd. There could be a correlation between the existence of this reporting port and the usage of 4G on the network, which, if TRUE, would mean that Sprint has been playing rather dirty all along, all while putting our privacy at risk.

Well folks, there you have it. The holes in these different areas have rather large implications if they are not taken care of soon enough. That being said, we have always been a proactive bunch when it comes to fixing broken code. Let's get our heads together to ensure that HTC gets it done right the first time around, and as an added bonus for HTC, TrevE has been kind enough to provide a patch that completely eliminates this, which can be found here. Also, here is a description if you would rather apply it by hand:

To use, edit init.shooter.rc to appear as below (or wherever the binaries are started in the ramdisk) and manually start them when you are going on 4G with the attached app.
———————-
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    disabled
    oneshot

# setWMXPropd daemon
service setWMXPropd /system/bin/setWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot

# getWMXPropd daemon
service getWMXPropd /system/bin/getWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot
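To verify that the hand-applied patch took effect, this added Python (not TrevE's patch or HTC's code) parses init.rc service blocks and lists any of the three WiMax services that are defined without `disabled`, i.e. that init would still start at boot. The "before" sample is a constructed stand-in for an rc that autostarts wimaxDaemon; the stock file's contents are not given in the post.

```python
# Android init.rc syntax: a block opens with "service <name> <path> [args]" and
# is followed by indented option lines (user, group, disabled, oneshot, ...).
# A blank line or any line starting at column 0 closes the block.
WIMAX_SERVICES = ("wimaxDaemon", "setWMXPropd", "getWMXPropd")

def parse_services(rc_text):
    """Return {name: {"path": str, "options": set of option keywords}}."""
    services, current = {}, None
    for raw in rc_text.splitlines():
        if raw.startswith("service "):
            parts = raw.split()
            current = parts[1]
            services[current] = {"path": parts[2] if len(parts) > 2 else "",
                                 "options": set()}
        elif current and raw[:1].isspace() and raw.strip():
            services[current]["options"].add(raw.split()[0])
        else:
            current = None  # blank or column-0 line ends the block
    return services

def still_autostarted(rc_text, names=WIMAX_SERVICES):
    """Services from `names` that are defined but lack `disabled`, so init
    would still launch them at boot; after the patch this should be empty."""
    svcs = parse_services(rc_text)
    return sorted(n for n in names
                  if n in svcs and "disabled" not in svcs[n]["options"])

# Constructed stand-in for an unpatched block (stock contents not in the post).
BEFORE_RC = """\
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    oneshot
"""

# Two of the three patched blocks as given in the post (getWMXPropd is identical in form).
AFTER_RC = """\
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    disabled
    oneshot

# setWMXPropd daemon
service setWMXPropd /system/bin/setWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot
"""
```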


And remember, there are still more vulnerabilities to come, so please stay tuned for more.

You can find more information in the original thread (http://forum.xda-developers.com/showthread.php?t=1322437) and here (http://infectedrom.com/showthread.php/600-Vunerability-2-WiMax-Connectivity-Reprogramming).

Thanks TrevE for everything!
