Team unrevoked has discovered a potentially-rogue binary present on the HTC EVO 4G (“Supersonic”) and HTC Hero (“HeroC”) devices. These devices ship with a setuid root binary named skyagent in the /system/bin directory. This binary, among other tasks, can be used to escalate privileges on these devices.
Another insecure binary, hstools, is also present in /system/bin on Supersonic.
We do not believe that either of these vulnerabilities reflects malicious intent on the part of Sprint or HTC. At this time, we believe that skyagent was a debugging binary left over from manufacture. We have been consistently impressed with the actions taken by Google, Sprint, and HTC to expeditiously resolve this issue.
On Supersonic, the properties of the binaries (as listed by ls -l) are as follows:
    -rwsr-sr-x root root 715141 2010-05-07 04:55 skyagent
    -rwsr-sr-x root root   5628 2010-04-29 05:47 hstools
The binary is executable by any user; no authentication or privileges are necessary. Further, during the program's initialization there are numerous instances in which a buffer overflow can overwrite stack or bss memory; similarly, the program passes user-controlled arguments, unsanitized, as the format string to sprintf, which also leads to memory being overwritten. We believe that these can only be exploited to the point of a denial of service, not to the end of arbitrary code execution. However, this appears to be by chance, not by design.
However, the security vulnerabilities present in skyagent are less cause for concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user's knowledge or permission. When the program is invoked, it listens for connections over TCP (by default on port 12345, on all interfaces, including the 3G network!) and accepts a fixed set of commands. These commands appear to be authenticated only by a fixed “magic number”; the commands are encrypted neither on the way to the device nor on the way back. The commands that we have knowledge of at this time include:
We do not believe that skyagent could ever be invoked remotely.
We have documented our knowledge of the protocol in the attached PDF file: skyagent_protocol_description.pdf
The hstools executable is another setuid root binary; its intent does not appear malicious. Commands are passed in as command-line arguments. Some available commands take an arbitrary string as an identifier. However, these identifiers are not sanitized before they are passed to the system function, and thus can be used to pass arbitrary input to the shell with root permissions.
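As an added example (not hstools' own code, which is not on the page), the hardened form of the pattern just described: a setuid root helper that receives an identifier on the command line validates it against a strict allowlist and passes it as its own argv element to execve(), instead of interpolating it into a command string handed to system(). The helper path, the identifier format and the fixed environment are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ID_LEN 32

/* Allowlist check for a caller-supplied identifier: 1..MAX_ID_LEN bytes of
 * [A-Za-z0-9_.-] with no leading '-', so shell metacharacters (';', '|',
 * '`', '$', whitespace, ...) and option-like strings are all rejected. */
int is_safe_identifier(const char *id)
{
    size_t n = strlen(id);
    if (n == 0 || n > MAX_ID_LEN || id[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Run helper_path with the identifier as one argv element via execve(), so
 * no shell ever parses it. helper_path is a placeholder: hstools' real
 * subcommands are not on the page. Returns -1 if the identifier is rejected
 * or fork/wait fails, otherwise the child's exit status (127 when the helper
 * could not be executed). */
int run_with_identifier(const char *helper_path, const char *id)
{
    if (!is_safe_identifier(id))
        return -1;               /* refuse before any privileged action */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper_path, (char *)id, NULL };
        /* Fixed, minimal environment: a setuid program should not inherit
         * the caller's PATH, IFS or loader settings. */
        char *const envp[] = { "PATH=/system/bin", NULL };
        execve(helper_path, argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```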
A proof of concept exploit is available in the form of unrevoked1, available from this site.