egzthunder1 · Oct 27, 2011 at 06:48 pm

Security Vulnerability #2 On HTC Devices (PoC #2) – WiMax Leaks

I know that it has been a few weeks already, but we finally have the green light to keep going with our exclusive series on security holes in HTC’s latest devices. In case you just tuned in, we are talking about vulnerabilities found on HTC handsets across the globe, particularly the EVO family of devices as well as some of the newer ones like the HTC Sensation and Kingdom. XDA Recognized Developer TrevE has been doing a fantastic job of uncovering the holes one by one, and after much testing he found some rather interesting results: information that can easily be obtained from your device(s) because of code inside the manufacturer’s handsets whose sole job is to collect data about you, your usage, and many other things you don’t want floating around on the internet. We are happy to report that HTC got their act together on the first vulnerability and removed the code responsible for that threat (htcloggers.apk).

As agreed between TrevE and HTC, our dev has been giving HTC a head start (5 working days) on virtually all issues before publicly disclosing them. HTC has been making good use of that time for issue #2 and is currently working towards a solution, but we will go ahead and let you know what this one is about. Those of you who enjoy WiMax speeds on your 4G-enabled devices are doing so with an inherent risk: it turns out that WiMax is even more open than the HTC logger app. In technical terms, an attacker who gains control over this can manipulate data connectivity and go as far as completely reprogramming your device’s CDMA parameters remotely. This is done through two open ports that require no authentication, and, just as before, the only thing a malicious app needs is the INTERNET permission. The other interesting finding is that you can also send commands to the radio via the WiMax monitoring port, and sending a single comma triggers an “out of bounds range exception” that crashes your device. Here is a more detailed explanation of the whole thing:

——————————————————————————

Vulnerability: Android Security Elevation/Wimax Information Leak/Out of Bounds Crash
Products Affected: Any HTC device with wimax services running on ports 7773/7774/7775/7776
Vulnerability reported By: TrevE
——————————————————————————
Attached is a proof of concept showing manipulating wimax data connectivity. Reading will only be demonstrated, but if someone was clever a few different attacks could be performed from stealing below information, to reprogramming with bogus/destructive values, possibly MITM data connections and more. WimaxMonitoring port also is able to crash the device if a comma is sent, it creates an index out of range exception. The following services are able to be read and written by a malicious app with only permission INTERNET.

netstat:
tcp        0      0 ::ffff:127.0.0.1:7775   :::*                    LISTEN      4327/system_server
tcp        0      0 127.0.0.1:7776          0.0.0.0:*               LISTEN      4230/wimaxDaemon

system_server (port 7775) is a Wimax Monitoring socket. Not all commands are known at this time outside of:
getNaiDecoration
isDunMode
isReleaseKey

/system/bin/wimaxDaemon (port 7776). Not all commands are known at this time outside of:
getMac
dumpMacTreeFromFlash
saveMacTreeToFlash
lockMacTree
unlockMacTree

/system/bin/(get|set)WiMAXPropDaemon:
allows standard users read/write to root only file /data/wimax/wimax_properties used to manipulate wimax data connectivity (4g radio) by sending commands to TCP ports 7773/7774 with no authentication. Netstat:
tcp        0      0 127.0.0.1:7773          0.0.0.0:*               LISTEN      4210/setWiMAXPropDaemon
tcp        0      0 127.0.0.1:7774          0.0.0.0:*               LISTEN      4211/getWiMAXPropDaemon

File accessed by this method, proving it should not be readable by anyone other than root, or written to at all:

-r--r-----    1 root     root       1048576 Oct  5 23:25 wimax_properties

Props able to be read/written:

persist.wimax.Cold_Boot_Flag 
persist.wimax.STANDBY_TIME 
persist.wimax.SCAN_RATE 
persist.wimax.Realm 
persist.wimax.CenterFrequency 
persist.wimax.Bandwidth 
persist.wimax.0.Man 
persist.wimax.0.Mod 
persist.wimax.0.FwV 
persist.wimax.0.HwV 
persist.wimax.0.SwV
persist.wimax.0.MAC 
persist.wimax.0.TO-FUMO-REF ./FUMO
persist.wimax.TO-WiMAX-REF ./WiMAXSupp
persist.wimax.IPv4 
persist.wimax.IPv6 
persist.wimax.ServerInitiated 
persist.wimax.CLInit.PollSuprt 
persist.wimax.CLInit.PollIntrvl
persist.wimax.WorkMode
persist.wimax.Session_Conti
persist.wimax.Scan_Timeout
persist.wimax.Scan_Retry
persist.wimax.Idle_Sleep
persist.wimax.Entry_RX 
persist.wimax.Entry_CINR
persist.wimax.Entry_Delay
persist.wimax.Exit_CINR
persist.wimax.Exit_Delay
persist.wimax.0.H-NSP-ID 
persist.wimax.OperatorName 
persist.wimax.PollingInterval 
persist.wimax.Primary.Name 
persist.wimax.Primary.Activated 
persist.wimax.0.METHOD-TYPE 
persist.wimax.0.VENDOR-ID 
persist.wimax.0.VENDOR-TYPE 
persist.wimax.0.USER-IDENTITY 
persist.wimax.0.PSEUDO-IDENTITY 
persist.wimax.0.PASSWORD 
persist.wimax.0.REALM 
persist.wimax.0.USE-PRIVACY 
persist.wimax.0.ENCAPS 
persist.wimax.0.VFY-SRVR-REALM 
persist.wimax.0.S-RLM.0.S-RLM 
persist.wimax.0.To-IP-REF ./IP  
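The netstat lines in the advisory are the one thing a device owner can check for themselves. The following Python script is an added example, not part of the original post or of TrevE's proof of concept: it parses netstat output in the format quoted above (for instance `adb shell netstat` saved to a file) and reports which of the four WiMAX ports from the advisory are in LISTEN state and which process owns each one. The port-to-daemon table and four of the sample rows come from the advisory; the two extra sample rows, the "patched" sample and the helper names are this example's own assumptions.

```python
"""Check netstat output for the WiMAX control/monitoring ports named in the
advisory.  Added example, not code from the original post or from TrevE's
proof of concept; the port-to-daemon table follows the advisory, everything
else (function names, the extra sample rows) is an assumption of this example.
"""
import re

# Ports from the advisory and the daemon that owns each one.
WIMAX_PORTS = {
    7773: "setWiMAXPropDaemon (writes /data/wimax/wimax_properties)",
    7774: "getWiMAXPropDaemon (reads /data/wimax/wimax_properties)",
    7775: "system_server WiMax monitoring socket",
    7776: "wimaxDaemon (MAC tree read/write)",
}

# One netstat row: proto, Recv-Q, Send-Q, local, foreign, [state], [pid/program].
_ROW = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s*(?P<state>[A-Z_]+)?\s*(?P<prog>\d+/\S+)?\s*$"
)

def parse_netstat(text):
    """Return (port, on_loopback, state, pid/program) for every socket row.

    Header lines and anything that does not look like a socket row are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        host, _, port = m.group("local").rpartition(":")
        host = host.strip("[]")
        if host.startswith("::ffff:"):          # IPv4-mapped IPv6, as on port 7775
            host = host[len("::ffff:"):]
        on_loopback = host in ("127.0.0.1", "::1")
        rows.append((int(port), on_loopback, m.group("state") or "",
                     m.group("prog") or ""))
    return rows

def exposed_wimax_ports(text):
    """Map each WiMAX port found in LISTEN state to the program behind it.

    Loopback binding is deliberately *not* treated as safe: on Android any app
    holding the INTERNET permission can connect to 127.0.0.1, which is exactly
    the exposure the advisory describes.
    """
    found = {}
    for port, _on_loopback, state, prog in parse_netstat(text):
        if port in WIMAX_PORTS and state == "LISTEN":
            found[port] = prog.split("/", 1)[-1]   # keep program name, drop PID
    return found

# Sample input: the four rows quoted in the advisory plus two constructed rows
# (an adbd listener and an established connection) to show the filtering.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 ::ffff:127.0.0.1:7775   :::*                    LISTEN      4327/system_server
tcp        0      0 127.0.0.1:7776          0.0.0.0:*               LISTEN      4230/wimaxDaemon
tcp        0      0 127.0.0.1:7773          0.0.0.0:*               LISTEN      4210/setWiMAXPropDaemon
tcp        0      0 127.0.0.1:7774          0.0.0.0:*               LISTEN      4211/getWiMAXPropDaemon
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      101/adbd
tcp        0      0 127.0.0.1:7773          127.0.0.1:41022         ESTABLISHED 4210/setWiMAXPropDaemon
"""

# Constructed output after the init.rc workaround from the post: the three
# daemons are gone, but port 7775 belongs to system_server, which that
# workaround does not touch.
SAMPLE_NETSTAT_PATCHED = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 ::ffff:127.0.0.1:7775   :::*                    LISTEN      4327/system_server
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      101/adbd
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_NETSTAT), ("patched", SAMPLE_NETSTAT_PATCHED)):
        hits = exposed_wimax_ports(sample)
        print(f"{label}: {len(hits)} WiMAX port(s) listening")
        for port, prog in sorted(hits.items()):
            print(f"  {port}  {prog:<22} {WIMAX_PORTS[port]}")
```

The check treats a loopback listener as exposed rather than safe, because the advisory's whole point is that a local app with INTERNET permission is enough to reach it; the "patched" sample also makes visible that disabling the three daemons in init.rc leaves the system_server monitoring socket on 7775 in place.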
Now, according to TrevE, there are a few things in here that simply stand out as big “why”s. Why is there a need for a WiMax monitoring port that can gather every single bit of information about your device and that can easily grant access to it? This monitoring port can also check what you are running on your device (release keys), and finally it can check the tethered state of the device. Secondly, and while this could be a simple coincidence, the timing of Sprint’s move to limit the previously unlimited 4G seems a little odd. There could be a correlation between the existence of this reporting port and 4G usage on the network, which, if TRUE, would mean that Sprint has been playing rather dirty all along, all the while putting our privacy at risk.

Well folks, there you have it. The holes in the different areas seem to have rather large implications if they are not taken care of soon enough. That being said, we have always been a proactive bunch when it comes to fixing broken code. Let’s get our heads together to ensure that HTC gets it done right the first time around, and as an added bonus for HTC, TrevE has been kind enough to provide a patch that completely eliminates this, which can be found here. Also, here is a description if you would rather apply this by hand:

To apply it by hand, edit init.shooter.rc (or whichever rc file starts these binaries in your ramdisk) so that the services appear as below, and then start them manually with the attached app whenever you go on 4G.
———————-
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    disabled
    oneshot

# setWMXPropd daemon
service setWMXPropd /system/bin/setWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot

# getWMXPropd daemon
service getWMXPropd /system/bin/getWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot
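A way to verify that the edit above is in place (and not undone elsewhere in the rc file), as an added Python example rather than anything from the post or from TrevE's patch: it parses Android init.rc `service` blocks and lists which of the three WiMAX services init would still launch on its own, either because a block lacks `disabled` or because a `start <name>` command appears somewhere in the file. The service names and the patched blocks are taken from the post; the "before" fragment, the `on boot` edge case and the helper names are assumptions of this example.

```python
"""Verify that the init.rc workaround from the post is in place.  Added
example, not code from the original post or from TrevE's patch.  It parses
Android init.rc `service` blocks and reports which of the three WiMAX services
init would still launch: a block missing `disabled`, or a `start <name>`
command anywhere in the file.  The service names come from the post; the
parser, the "before" fragment and the `on boot` case are assumptions.
"""

WIMAX_SERVICES = ("wimaxDaemon", "setWMXPropd", "getWMXPropd")

def _statements(rc_text):
    """Yield (indented, tokens) for each non-empty, comment-stripped line."""
    for raw in rc_text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if code.strip():
            yield code[0].isspace(), code.split()

def parse_services(rc_text):
    """Return {service_name: (binary_path, [first token of each option line])}."""
    services, current = {}, None
    for indented, tokens in _statements(rc_text):
        if not indented:
            # Any new top-level statement ends the current service block.
            if tokens[0] == "service" and len(tokens) >= 3:
                current = tokens[1]
                services[current] = (tokens[2], [])
            else:
                current = None
        elif current is not None:
            services[current][1].append(tokens[0])
    return services

def explicit_starts(rc_text):
    """Service names launched by a `start <name>` command (e.g. in an `on` block)."""
    return {tokens[1] for indented, tokens in _statements(rc_text)
            if indented and len(tokens) == 2 and tokens[0] == "start"}

def autostarted_wimax_services(rc_text):
    """WiMAX services that init would start without the user asking for it."""
    services = parse_services(rc_text)
    starts = explicit_starts(rc_text)
    return [name for name in WIMAX_SERVICES
            if name in services
            and ("disabled" not in services[name][1] or name in starts)]

# Constructed "before" fragment: the same three blocks without `disabled`,
# which is the one thing the workaround changes.
RC_BEFORE = """\
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    oneshot

# setWMXPropd daemon
service setWMXPropd /system/bin/setWiMAXPropDaemond
    user root
    group root
    oneshot

# getWMXPropd daemon
service getWMXPropd /system/bin/getWiMAXPropDaemond
    user root
    group root
    oneshot
"""

# The patched blocks as given in the post.
RC_AFTER = """\
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    disabled
    oneshot

# setWMXPropd daemon
service setWMXPropd /system/bin/setWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot

# getWMXPropd daemon
service getWMXPropd /system/bin/getWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot
"""

# Constructed edge case: `disabled` is present, but an `on boot` block starts
# the daemon anyway, silently undoing the workaround.
RC_STARTED_ELSEWHERE = RC_AFTER + """
on boot
    start wimaxDaemon
"""

if __name__ == "__main__":
    for label, rc in (("before", RC_BEFORE), ("after", RC_AFTER),
                      ("started elsewhere", RC_STARTED_ELSEWHERE)):
        print(f"{label}: {autostarted_wimax_services(rc) or 'none auto-started'}")
```

Run it against a copy of the rc file pulled from the ramdisk. `disabled` only suppresses the automatic start, so the script also flags any `start <name>` command, which is why the third sample still reports wimaxDaemon.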
And remember, there are still more vulnerabilities to come, so please stay tuned for more.

You can find more information in the original thread (http://forum.xda-developers.com/showthread.php?t=1322437) and here (http://infectedrom.com/showthread.php/600-Vunerability-2-WiMax-Connectivity-Reprogramming).


Thanks TrevE for everything!

