Disclosure: Vulnerable setuid binaries on Evo 4G and HTC Hero

Affected Devices

  • HTC EVO 4G
  • HTC Hero

Description of vulnerabilities

Team unrevoked has discovered a potentially rogue binary present on the HTC EVO 4G (“Supersonic”) and HTC Hero (“HeroC”) devices. These devices ship with a setuid root binary named skyagent in the /system/bin directory. This binary, among other tasks, can be used to escalate privileges on these devices.

A second insecure setuid binary, hstools, is also present in /system/bin on Supersonic.

We do not believe that either of these vulnerabilities reflects malicious intent on the part of Sprint or HTC. At this time, we believe that skyagent was a debugging binary left over from manufacture. We have been consistently impressed with the actions taken by Google, Sprint, and HTC to expeditiously resolve this issue.

Analysis

On Supersonic, the properties of the binaries are as follows:

-rwsr-sr-x root     root       715141 2010-05-07 04:55 skyagent
-rwsr-sr-x root     root         5628 2010-04-29 05:47 hstools

The Skyagent binary

The binary is executable by any user; no authentication or privileges are necessary. Further, during the program's initialization, there are numerous instances in which a buffer overflow can overwrite stack or bss memory; similarly, the program passes user-controlled arguments unsanitized as the format string to sprintf, which also leads to memory being overwritten. We believe that these can only be exploited to the point of a denial of service, not to achieve arbitrary code execution. However, this appears to be by chance, not by design.

However, the security vulnerabilities present in skyagent are of less concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user's knowledge or permission. When the program is invoked, it listens for TCP connections (by default on port 12345, on all interfaces, including the 3G network!) and accepts a fixed set of commands. These commands appear to be authenticated only by a fixed “magic number”; they are encrypted neither on the way to the device nor on the way back. The commands that we have knowledge of at this time include:

  • sending and monitoring user tap and drag input (“PentapHook”),
  • sending key events (“InputCapture”),
  • dumping the framebuffer (“captureScreen”),
  • listing processes (“GetProc”),
  • rebooting the device immediately,
  • and executing arbitrary shell commands as root (“LaunchChild”).

We do not believe that skyagent could ever be invoked remotely.

We have documented our knowledge of the protocol in the attached PDF file: skyagent_protocol_description.pdf

The hstools binary

The hstools executable is another setuid root binary; its intent does not appear malicious. Commands are passed in as command-line arguments. Some available commands take an arbitrary string as an identifier. However, these identifiers are not sanitized before they are passed to the system() function, and thus can be used to pass arbitrary input to the shell with root permissions.
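The hstools defect described above, modelled in C as an added example (this is not the disclosure's or HTC's code): a setuid-style tool that interpolates a command-line identifier into a system() call, beside a hardened form that validates the identifier and execs the helper directly so no shell ever parses it. The helper path and the accepted identifier character set are assumptions.

```c
/* Added example, not code from the disclosure or from HTC's hstools.
 * Models the hstools defect: a setuid-root tool that takes an identifier
 * from argv and hands it to system(), versus a hardened variant that
 * validates the identifier and invokes the helper with execv (no shell). */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Placeholder helper path; an assumption, not a path from the disclosure. */
#define HELPER "/system/bin/hypothetical_helper"

/* Vulnerable pattern (the 'before'): the identifier is interpolated into a
 * shell command line, so any shell metacharacters it contains are interpreted
 * by /bin/sh running as root. Defined for contrast only; never invoked here. */
int run_insecure(const char *ident) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, HELPER " %s", ident);
    return system(cmd);
}

/* Accept only short identifiers made of [A-Za-z0-9_-]; rejects empty input,
 * over-long input, shell metacharacters, and a leading '-' (option injection). */
int identifier_ok(const char *ident) {
    size_t n = strlen(ident);
    if (n == 0 || n > 32 || ident[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)ident[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened variant: validate, then exec the helper directly with the
 * identifier as a single argv element. Returns -1 on rejection or failure,
 * otherwise the helper's exit status. No shell is involved. */
int run_secure(const char *ident) {
    if (!identifier_ok(ident)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { HELPER, (char *)ident, NULL };
        execv(HELPER, argv);
        _exit(127);           /* exec failed, e.g. helper not present */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```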

Proof of Concept

A proof of concept exploit is available in the form of unrevoked1, available from this site.

Credits

  • Matt Mastracci
  • Joshua Wise
  • Eric Smaxwill
  • Matthew Fogle

Time table

  • 31 May 2010 23:53:08 EDT: Google security notified about skyagent
  • 01 Jun 2010 03:53:30 UTC: Automated Google response
  • 01 Jun 2010 16:45:46 UTC: Response from Google Security Team
  • 02 Jun 2010 23:18:31 EDT: Sprint security contacted about skyagent
  • 03 Jun 2010 01:18:58 CDT: Sprint response
  • 04 Jun 2010: Sprint OTA update removing skyagent binary.
  • 30 Jun 2010: Sprint OTA update patching hstools vulnerability.
 
public/unrevoked1_disclosure.txt · Last modified: 2011/03/30 23:16 by ozzeh