Symantec's Analysis of the ZTE Android Backdoor Vulnerability

Thursday, May 24, 2012



Chinese telecom and mobile device manufacturer ZTE recently confirmed the presence of a backdoor vulnerability in smartphones distributed in the U.S.

The vulnerability would allow an attacker to remotely gain root control over a device, and the password that unlocks the backdoor in the /system/bin/sync_agent binary has been published in the wild.

Symantec researcher Branko Spasojevic says the company has successfully applied the exploit to MetroPCS and Cricket Wireless versions of the ZTE phones.

The Android operating system is designed to "sandbox" applications and prevent them from running system-level commands without being granted the proper permissions by the user, but the ZTE backdoor allows unrestricted privilege escalation on the affected devices.

The vulnerability was apparently hard-coded into the ZTE Score M smartphones, and it is rumored that it may also exist in the company's Skate devices, but ZTE has denied that the Skate is at risk.

"The privilege escalation was not a bug in code on the device, but instead likely a design feature for carrier administration purposes or troubleshooting. Unfortunately, irrespective of the reason this code was included, by allowing any application to gain a root shell (system level privileges), malicious applications can also utilize the root shell, performing malicious actions normally prevented by the Android security model," Spasojevic writes.

ZTE is one of several Chinese firms under investigation by the House Intelligence Committee in a continuing probe into telecom companies suspected of aiding the Chinese government in espionage, amid concerns about their relationship with the People's Liberation Army (PLA).

Central to the investigation are concerns over the potential presence of backdoors in hardware manufactured in China, which could allow data exfiltration on a large scale.

Spasojevic goes into more detail on the execution of a successful exploit of the ZTE vulnerability.

"The issue exists in an installed executable that contains functionality which executes a system shell (/system/bin/sh) with superuser privileges. The executable will first check that the first part of the argument is equal to "ztex". If that check is passed, it will then check that the second part of the user argument (argument[4:]) is equal to number "1609523". If the second check also passes, it will then execute a "su" command with "/system/bin/sh" as an argument by calling execvp(). This will present the user with a root privileged shell session. There are no further restrictions to what can be executed from the root shell," Spasojevic continued.

While Symantec's demonstration of the exploit was accomplished with physical access to the devices tested, Spasojevic says an attack "can be done automatically and programmatically, hence the attacker doesn’t need physical access to the device to abuse this privilege escalation flaw."
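The following C program is an added illustration written for this page; it is not ZTE's code or Symantec's, and it does not run su. It reconstructs, from the description quoted above, the two-stage gate in sync_agent (prefix "ztex", then argument[4:] equal to "1609523"), and it shows why the password could not stay secret: both literals must sit in the binary as plain data, so a strings-style scan of the firmware image recovers them, and the gate itself can then be used as an oracle to find the combination that opens it. The byte image FAKE_IMAGE is constructed for the example, and the function names (sync_agent_unlocks, extract_strings, recover_backdoor_password, demo_recover) are ours.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_STR  64   /* longest string we keep from a scan */
#define MAX_STRS 32   /* most strings we keep from a scan */

/* Reconstruction of the gate described for /system/bin/sync_agent (added
 * example, not ZTE's binary or source). The argument must start with "ztex"
 * and the remainder (argument[4:]) must equal "1609523". Returns 1 when the
 * argument would have opened the root shell, 0 otherwise. The real binary
 * would follow a pass with execvp("su", {"su", "/system/bin/sh", NULL});
 * here we only report the decision. */
int sync_agent_unlocks(const char *arg)
{
    if (arg == NULL)
        return 0;
    if (strncmp(arg, "ztex", 4) != 0)       /* first check: fixed prefix */
        return 0;
    if (strcmp(arg + 4, "1609523") != 0)    /* second check: fixed suffix */
        return 0;
    return 1;
}

/* Minimal "strings"-style scan of a binary image: every run of at least
 * minlen printable bytes is copied (NUL-terminated, truncated to MAX_STR-1)
 * into out[]. Returns the number of strings stored. This is all an analyst
 * with the firmware image needs to recover the literals a hard-coded
 * comparison is made against. */
size_t extract_strings(const unsigned char *buf, size_t len, size_t minlen,
                       char out[][MAX_STR], size_t max_out)
{
    size_t n = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && isprint(buf[i]))
            continue;                       /* still inside a printable run */
        size_t run = i - start;             /* run ended at i (or at EOF) */
        if (run >= minlen && n < max_out) {
            size_t copy = run < MAX_STR - 1 ? run : MAX_STR - 1;
            memcpy(out[n], buf + start, copy);
            out[n][copy] = '\0';
            n++;
        }
        start = i + 1;
    }
    return n;
}

/* Try every ordered pair of extracted strings against the gate. On a real
 * device the oracle would be running sync_agent with the candidate; here it
 * is the reconstruction above. Writes the winning string to pw and returns
 * 1, or returns 0 if no pair opens the gate. */
int recover_backdoor_password(const unsigned char *image, size_t len,
                              char *pw, size_t pwlen)
{
    char strs[MAX_STRS][MAX_STR];
    size_t n = extract_strings(image, len, 4, strs, MAX_STRS);
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            if (i == j)
                continue;
            char candidate[MAX_STR * 2];
            snprintf(candidate, sizeof candidate, "%s%s", strs[i], strs[j]);
            if (sync_agent_unlocks(candidate)) {
                snprintf(pw, pwlen, "%s", candidate);
                return 1;
            }
        }
    }
    return 0;
}

/* Constructed stand-in for a sync_agent image: a few ELF-looking header
 * bytes, non-printable filler, and the literals a compiler would place in
 * .rodata for the two comparisons. These are not bytes from a real device.
 * ("\x7f" and "ELF" are separate literals so the hex escape does not
 * swallow the hex digits E and F.) */
static const unsigned char FAKE_IMAGE[] =
    "\x7f" "ELF" "\x01\x01\x01\x00\x00\x00\x00\x00"
    "\x02\x00\x28\x00\x01\x00\x00\x00"
    "ztex\0" "\x90\x01\x02" "1609523\0"
    "/system/bin/sh\0" "su\0" "\x00\x00";

/* Run the recovery against the constructed image. */
int demo_recover(char *pw, size_t pwlen)
{
    return recover_backdoor_password(FAKE_IMAGE, sizeof FAKE_IMAGE - 1, pw, pwlen);
}

int main(void)
{
    char pw[MAX_STR * 2];
    if (demo_recover(pw, sizeof pw))
        printf("recovered gate string: %s\n", pw);
    else
        printf("no candidate opened the gate\n");
    return 0;
}
```

The point of the pair search is that a constant comparison turns the binary's own string table into the dictionary: once "ztex" and "1609523" are visible, the only remaining question is their order, and the program under test answers that for free. A check of this kind cannot be kept confidential by anyone who ships the binary.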

The biggest threat from the vulnerability would be to users who mistakenly download an unapproved application designed to compromise their ZTE device.

"The worst-case scenario here is an attacker who tricks the user into installing a malicious application that takes advantage of this privilege escalation flaw. Once the application has full access to the device, the attacker can install, delete, monitor, and modify the device to their own desire from anywhere in the world," Spasojevic postulated.

ZTE is currently working on a patch to be distributed remotely that will eliminate the potential exposure for their customers.

