Security Vulnerability #2 On HTC Devices (PoC #2) – WiMax Leaks
I know that it has been a few weeks already, but we finally have green light to keep on going with our exclusive series of security holes on HTC’s latest devices. In case you just tuned in on the whole issue, we will be talking about vulnerabilities found on HTC handsets across the globe, particularly on the EVO family of devices as well as some of the newer ones like the HTC Sensation and Kingdom. XDA Recognized Developer TrevE has been doing a fantastic job in uncovering the holes one by one, and after much testing, he found some rather interesting results of things that could easily be obtained from your device(s) due to pieces of code inside of the manufacturer’s handsets that are exclusively in charge of collecting data and information about you, your usage, and many other things that you don’t want to see floating around on the internet. We are happy to report that HTC got their act together with the first vulnerability and got rid of the code responsible for the threat (htcloggers.apk).
As it was agreed between TrevE and HTC, our dev has been giving HTC head starts (5 working days) on virtually all issues before publicly disclosing them. Well, HTC has been making good use of their time for issue #2 as they are currently working towards a solution, but we will go ahead and let you know what this one is about. Those of you who enjoy the speeds of WiMax on their 4G enabled devices are doing so with an inherent risk. It turns out that WiMax is even more open than the HTC logger app. The more technical details are basically that an attacker who gains control over this can potentially manipulate data connectivity and to go even as far as being able to completely reprogram your device’s CDMA parameters remotely! This is done through two open ports that basically require no authentication and just as before, the only thing required for a malicious app to do anything is INTERNET permission. The other interesting thing that came out of this discovery is that apparently you can also send commands to the radio via the WiMaxmonitoring port, and sending a single coma can create an “out of bounds range exception” basically crashing your device. Here is a more detailed explanations of the whole thing:
Vulnerability: Android Security Elevation/Wimax Information Leak/Out of Bounds Crash
Products Affected: Any HTC device with wimax services running on ports 7773/7774/7775/7776
Vulnerability reported By: TrevE
Attached is a proof of concept showing manipulating wimax data connectivity. Reading will only be demonstrated, but if someone was clever a few different attacks could be performed from stealing below information, to reprogramming with bogus/destructive values, possibly MITM data connections and more. WimaxMonitoring port also is able to crash the device if a comma is sent, it creates an index out of range exception. The following services are able to be read and written by a malicious app with only permission INTERNETnetstat:
tcp 0 0 ::ffff:127.0.0.1:7775 :::* LISTEN 4327/system_server
tcp 0 0 127.0.0.1:7776 0.0.0.0:* LISTEN 4230/wimaxDaemonsystem_server (port 7775) is a Wimax Monitoring socket. Not all commands are known at this time outside of:
isReleaseKey/system/bin/wimaxDaemon (port 7776) Not all commands are known at this time outside of:
allows standard users read/write to root only file /data/wimax/wimax_properties used to manipulate wimax data connectivity (4g radio) by sending commands to TCP ports 7773/7774 with no authentication. Netstat:
tcp 0 0 127.0.0.1:7773 0.0.0.0:* LISTEN 4210/setWiMAXPropDaemon
tcp 0 0 127.0.0.1:7774 0.0.0.0:* LISTEN 4211/getWiMAXPropDaemon
File Accessed by method proving it should not be read from other than root or written at all:
-r–r—– 1 root root 1048576 Oct 5 23:25 wimax_properties
Props able to be read/written:
Now, according to TrevE there are a few things that simply stand out as big “Why”‘s in here. Why is there a need for a WiMax monitoring port that can gather every single bit of information about your device and that can easily grant access to the device? This monitoring port also can check what you are running on your device (release keys) and finally it can check on the tethered state of the device. Secondly, and while this could be a simple coincidence, the timing from Sprint to limit the previously unlimited 4G seems a little odd. There could be a correlation between the existence of this reporting port to the usage of 4G in the network, which if TRUE, would mean that Sprint has been playing rather dirty all along, all that while putting our privacies at risk.
Well folks, there you have it. The holes in the different areas seem to have rather large implications if they are not taken care of soon enough. That being said, we have always been a proactive bunch when it comes to fixing broken code. Let’s get our heads together to ensure that HTC gets it done right the first time around, and as an added bonus for HTC, TrevE has been kind enough to provide a patch that completely eliminates this, which can be found here. Also, here is a description if you would rather apply this by hand:
To use edit init.shooter.rc to appear as below (or wherever binaries are started in ramdisk) and manually start them when you are going on 4g with attached app.
service wimaxDaemon /system/bin/wimaxDaemon
# setWMXPropd daemon
service setWMXPropd /system/bin/setWiMAXPropDaemond
oneshot# getWMXPropd daemon
service getWMXPropd /system/bin/
And remember, there are still more vulnerabilities to come, so please stay tuned for more.
You can find more information in the original thread ( http://forum.xda-developers.com/showthread.php?t=1322437) and here ( http://infectedrom.com/showthread.php/600-Vunerability-2-WiMax-Connectivity-Reprogramming)
Want something published in the Portal? Contact any News Writer.
Thanks TrevE for everything!