47 vulnerabilities found in different Android models


Last week, at the DEF CON security conference held in Las Vegas, security researchers presented details on 47 vulnerabilities in the firmware and default applications of 25 Android smartphone models, 11 of which are also sold in the US.

These vulnerabilities, listed in full in the table at the end of this article, range from simple flaws that crash the device to dangerous bugs that give attackers the ability to obtain administrator access on users' devices.

Some of the most dangerous of these vulnerabilities allow an attacker to retrieve or send SMS text messages from the user's phone, take screenshots or record video of the phone's screen, retrieve the user's contact list, force the installation of arbitrary third-party applications without the user's knowledge or consent, or even wipe the user's data from the device.

Some big OEM brands listed

These vulnerabilities were discovered both in the default applications that come pre-installed on some devices (and which sometimes cannot be removed), and in the firmware of core device drivers that cannot be removed without losing part of the phone's functionality, if not access to the device as a whole.

Kryptowire, a US mobile and IoT security firm, discovered these vulnerabilities as part of a grant awarded by the Department of Homeland Security (DHS).

The smartphone brands (OEMs) on Kryptowire's list include big names such as ZTE, Sony, Nokia, LG, Asus and Alcatel, but also smaller companies such as Vivo, SKY, Plum, Orbic, Oppo, MXQ, Leagoo, Essential, Doogee and Coolpad.

"With the hundreds of mobile phone brands and models on the market and thousands of firmware versions, best-effort manual testing and evaluation simply cannot scale to address the problem of identifying vulnerabilities in pre-installed applications and firmware for mobile phones," said Angelos Stavrou, CEO of Kryptowire, in a press release that also announces the launch of a new enterprise-oriented platform for automatically testing the firmware and applications of Android mobile devices.

Some old names on the list

Some of the OEM brands are old acquaintances. For example, ZTE, Leagoo and Doogee have been listed in previous reports on insecure Android device manufacturers. Devices from the latter two vendors were found on two separate occasions [1, 2] to come pre-installed with banking trojans.

In November 2016, Kryptowire also discovered a backdoor mechanism in the FOTA (Firmware Over The Air) update software system produced by the Chinese firm Adups. That FOTA system was included in the firmware of many Android phone manufacturers, and a year later it was found to still be active despite the public disclosure.

Below are the vulnerabilities discovered by the Kryptowire team and presented last week at DEF CON.

| OEM | Model | OS Version | Description | Attack Requirements | Build Fingerprint |
|---|---|---|---|---|---|
| ZTE | ZMAX Pro | 6.0.1 | Send text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to cause the device to get stuck in an unfixable recovery bootloop. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Champ | 6.0.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | ZTE/Z917VL/fortune:6.0.1/MMB29M/20170327.120922:user/release-keys |
| ZTE | ZMAX Pro | 6.0.1 | Obtain the numbers of contacts and numbers of people that the user has texted | Local app on the device without any permissions | ZTE/P895T20/urd:6.0.1/MMB29M/20170418.114928:user/release-keys |
| ZTE | Blade Spark | 7.1.1 | Obtain the logcat log which gets written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys |
| ZTE | Blade Vantage | 7.1.1 | A pre-installed app allows any app on the device to make the system write the modem log to the sdcard. This contains the sent and received text messages and the call data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | ZTE/Z839/sweet:7.1.1/NMF26V/20180120.095344:user/release-keys |
| Vivo | V7 | 7.1.2 | Record the screen and write it to the app's private directory. A notification and floating icon pop up initially, but these can be quickly removed. | Local app on the device that does not require any permissions | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. This does leave a sticky notification. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Vivo | V7 | 7.1.2 | Provides the capability to set system properties as the com.android.phone user. With this and the vulnerability above, you can capture the input of the user (where they touch the screen) and the bluetooth snoop log. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys |
| Sony | Xperia L1 | 7.0 | Take a screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199:user/release-keys |
| SKY | Elite 6.0L+ | 6.0 | Command execution as the system user via an old version of Adups software | Local app on the device that does not require any permissions | SKY/x6069_trx_l601_sky/x6069_trx_l601_sky:6.0/MRA58K/1482897127:user/release-keys |
| Plum | Compass | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | PLUM/c179_hwf_221/c179_hwf_221:6.0/MRA58K/W16.51.5-22:user/release-keys |
| Orbic | Wonder | 7.1 | Pairing with the vulnerability above, the user can get the body of text messages and call data since the default messaging app is in debug mode, so the telephony data is written to the log. The log is written to the sdcard so any app can use the vulnerability above to get this data. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows the user to obtain the logcat log that gets written to the sdcard continuously. The logcat log is not available to third-party apps since it contains sensitive user data. The user can start the app so that it will not show up in the recent apps list and then dismiss it by going to the home screen so it will not be accessible to the user. It will continuously write the log file to the sdcard. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Orbic | Wonder | 7.1.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys |
| Oppo | F5 | 7.1.1 | Surreptitiously audio record the user and write it to the sdcard. This does require the command execution as system user to copy the recording file. | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Oppo | F5 | 7.1.1 | Command execution as the system user | Local app on the device without any permissions | OPPO/CPH1723/CPH1723:7.1.1/N6F26Q/1513597833:user/release-keys |
| Nokia | 6 TA-1025 | 7.1.1 | Take a screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | Nokia/TA-1025_00WW/PLE:7.1.1/NMF26F/00WW_3_32F:user/release-keys |
| MXQ | TV Box | 4.4.2 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| MXQ | TV Box | 4.4.2 | Make the device non-functional. The device will not boot properly even after a factory reset. The device can likely be recovered by placing clean firmware images on the sdcard and flashing them. | Local app on the device that does not require any permissions | MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys |
| LG | G6 | 7.0 | Can lock a user out of their own phone (even in safe mode) and the user will be forced to factory reset in recovery mode. The user may be able to unlock the device if they have ADB enabled prior to the locking of the screen and can figure out how to unlock it, which may be difficult for the average user. This acts as a Denial of Service attack and results in data loss if a factory reset occurs. | Local app on the device that does not require any permissions | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the logcat logs continuously, which are not available to third-party apps since they leak sensitive user data. The log file can be written to the app's private directory by using path traversal. | Local app on the device and INTERNET permission to send out the data. | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| LG | G6 | 7.0 | Obtain the kernel log and also the logcat log which get written to the sdcard. This can be mined for user data. It also creates a file on the sdcard containing the phone IMEI and serial number. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | lge/lucye_nao_us_nr/lucye:7.0/NRD90U/17265155644e4:user/release-keys |
| Leagoo | Z5C | 6.0 | Read the last text message from each conversation. The last message will contain the phone number, text body, timestamp, and the contact's name (if any) | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | P1 | 7.0 | Take a screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified. They could also perform this behavior to get root privileges. | Physical access to device | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | P1 | 7.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | LEAGOO/t592_otd_p1/t592_otd_p1:7.0/NRD90M/1508151212:user/release-keys |
| Leagoo | Z5C | 6.0 | Send text messages | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Leagoo | Z5C | 6.0 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys |
| Essential | Essential | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device that does not require any permissions | essential/mata/mata:7.1.1/NMJ88C/464:user/release-keys & essential/mata/mata:8.1.0/OPM1.180104.166/297:user/release-keys |
| Doogee | X5 | 6.0 | Video record of the screen. This capability can be used in a similar way as taking screenshots by opening apps that show the user's messages. The recording is not transparent to the user. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the INTERNET permission to send out the data | DOOGEE/full_hct6580_weg_c_m/hct6580_weg_c_m:6.0/MRA58K/1479906828:user/test-keys |
| Coolpad | Revvl Plus | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Provides the capability to set system properties as the com.android.phone user. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Revvl Plus | 7.1.1 | Send text messages | Local app on the device without any permissions | Coolpad/alchemy/alchemy:7.1.1/143.14.171129.3701A-TMO/buildf_nj_02-206:user/release-keys |
| Coolpad | Canvas | 7.0 | Obtain the logcat logs, kernel logs, and tcpdump capture which are written to the sdcard. This leaves a notification active. The logs contain the body of sent and received text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | Coolpad/cp3636a/cp3636a:7.0/NRD90M/093031423:user/release-keys |
| Coolpad | Defiant | 7.1.1 | A pre-installed app allows any app on the device to wipe all user data via a factory reset. There is no user intervention required and it will result in data loss. | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Coolpad | Defiant | 7.1.1 | Obtain all the text messages of the user and also insert, modify, and delete text messages | Local app on the device without any permissions | Coolpad/cp3632a/cp3632a:7.1.1/NMF26F/099480857:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | A pre-installed app with an exposed interface allows any app on the phone to obtain a bugreport (kernel log, logcat log, dump of system services (includes text of active notifications), WiFi passwords, and other system data) which gets written to the sdcard. The numbers for received and placed telephone calls show up in the log, as well as the sending and receiving telephone numbers for text messages. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Arbitrary app installation over the internet. This app can then also be uninstalled after it is run using the same interface. | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max | 7.0 | Take a screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys |
| Asus | ZenFone 3 Max & ZenFone V Live | 7.0 | Command execution as the system user | Local app on the device without any permissions | asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys & asus/VZW_ASUS_A009/ASUS_A009:7.1.1/NMF26F/14.0610.1709.56-20171017:user/release-keys |
| Alcatel | A30 | 7.0 | Take a screenshot of the screen which can be used to examine the user's notifications. | Local app on the device with the READ_EXTERNAL_STORAGE permission to read from the sdcard and the EXPAND_STATUS_BAR permission is needed to expand the status bar | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
| Alcatel | A30 | 7.0 | Local root privilege escalation via ADB. The vendor allows read-only properties to be modified. They could also perform this behavior to get root privileges. This was an Amazon Prime exclusive device. | The user needs physical access to the device and needs to bypass the screen lock if it exists | TCL/5046G/MICKEY6US:7.0/NRD90M/J63:user/release-keys |
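The findings above are tied to specific builds, identified by the build fingerprint in the last column. As an added example (not part of the original article or of Kryptowire's tooling), the following Python script parses fingerprints in the layout used throughout the table, including the Leagoo Z5C rows that lack the brand/product prefix, and checks one device's `ro.build.fingerprint` against a constructed subset of the affected builds; the fingerprint strings are copied from the table, the finding labels are shortened paraphrases, and the `AFFECTED` list and function names are this example's own.

```python
import re
from dataclasses import dataclass

# ro.build.fingerprint layout: brand/product/device:release/id/incremental:type/tags
# The brand/product prefix is optional: the Leagoo Z5C rows above list it without one.
_FP_RE = re.compile(
    r"^(?:(?P<brand>[^/:]+)/(?P<product>[^/:]+)/)?(?P<device>[^/:]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<build_type>[^/]+)/(?P<tags>[^/]+)$"
)

@dataclass(frozen=True)
class Fingerprint:
    brand: str      # None when the fingerprint has no brand/product prefix
    product: str    # None likewise
    device: str
    release: str
    build_id: str
    incremental: str
    build_type: str
    tags: str

    @property
    def model_key(self) -> tuple:
        # Identifies the hardware model independently of the build it runs.
        return (self.brand, self.product, self.device)

def parse_fingerprint(text: str) -> Fingerprint:
    m = _FP_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a build fingerprint: {text!r}")
    return Fingerprint(**m.groupdict())

# Constructed subset of the table above: (build fingerprint, shortened finding).
AFFECTED = [
    ("ZTE/Z971/peony:7.1.1/NMF26V/20171129.143111:user/release-keys",
     "logcat log written to the sdcard"),
    ("MBX/m201_N/m201_N:4.4.2/KOT49H/20160106:user/test-keys",
     "factory reset by any app without user intervention"),
    ("sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20180125.183848:user/release-keys",
     "send text messages without any permission"),
]

def assess(device_fp: str) -> dict:
    """'exact': findings for the identical build; 'same_model': a listed model on
    a different build, which must be re-tested rather than assumed fixed."""
    fp = parse_fingerprint(device_fp)
    known = [(parse_fingerprint(k), finding) for k, finding in AFFECTED]
    exact = [finding for k, finding in known if k == fp]
    same_model = not exact and any(k.model_key == fp.model_key for k, _ in known)
    # 'test-keys' means the build is signed with the public AOSP test keys, which
    # two rows of the table show; flag it regardless of any listed finding.
    return {"exact": exact, "same_model": same_model,
            "test_keys": "test-keys" in fp.tags}
```

On a real device the input comes from `adb shell getprop ro.build.fingerprint`; a `same_model` hit means the model is on the list but the build differs, so the result says nothing either way until that build is tested.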
