High Security Alert: New flaw discovered on HTC devices with WiMAX


The same developer who discovered the HTCLogger.apk flaw, TrevE, has discovered a more concerning security vulnerability on HTC devices. This newly discovered flaw concerns WiMAX, and according to XDA Forums the risk is even bigger, because a malicious person can attack the device and gain the ability to completely reprogram your device’s CDMA parameters remotely.

This can be done easily through two open ports that require essentially no authentication from a remote guest, and just as before, the only requirement for a malicious app is the INTERNET permission.

The second interesting thing is that a maliciously intended person can send commands to the radio via the WiMaxMonitoring port, and simply sending a single character such as a comma can trigger an “out of bounds range exception”, crashing the Android device. Below is the full disclosure of the flaw:

——————————————————————————

Vulnerability: Android Security Elevation/Wimax Information Leak/Out of Bounds Crash
Products Affected: Any HTC device with wimax services running on ports 7773/7774/7775/7776
Vulnerability reported By: TrevE
——————————————————————————
Attached is a proof of concept showing manipulation of wimax data connectivity. Reading will only be demonstrated, but if someone was clever a few different attacks could be performed, from stealing the below information, to reprogramming with bogus/destructive values, possibly MITM data connections and more. The WimaxMonitoring port is also able to crash the device if a comma is sent; it creates an index out of range exception. The following services are able to be read and written by a malicious app with only the permission INTERNET.

netstat:
tcp        0      0 ::ffff:127.0.0.1:7775   :::*                    LISTEN      4327/system_server
tcp        0      0 127.0.0.1:7776          0.0.0.0:*               LISTEN      4230/wimaxDaemon

system_server (port 7775) is a Wimax Monitoring socket. Not all commands are known at this time outside of:
getNaiDecoration
isDunMode
isReleaseKey

/system/bin/wimaxDaemon (port 7776): Not all commands are known at this time outside of:
getMac
dumpMacTreeFromFlash
saveMacTreeToFlash
lockMacTree
unlockMacTree

/system/bin/(get|set)WiMAXPropDaemon:
allows standard users read/write access to the root-only file /data/wimax/wimax_properties, used to manipulate wimax data connectivity (4g radio), by sending commands to TCP ports 7773/7774 with no authentication. Netstat:
tcp        0      0 127.0.0.1:7773          0.0.0.0:*               LISTEN      4210/setWiMAXPropDaemon
tcp        0      0 127.0.0.1:7774          0.0.0.0:*               LISTEN      4211/getWiMAXPropDaemon

File accessed by the method, proving it should not be readable by anyone other than root, or writable at all:

-r--r-----    1 root     root       1048576 Oct  5 23:25 wimax_properties

Props able to be read/written:

persist.wimax.Cold_Boot_Flag 
persist.wimax.STANDBY_TIME 
persist.wimax.SCAN_RATE 
persist.wimax.Realm 
persist.wimax.CenterFrequency 
persist.wimax.Bandwidth 
persist.wimax.0.Man 
persist.wimax.0.Mod 
persist.wimax.0.FwV 
persist.wimax.0.HwV 
persist.wimax.0.SwV
persist.wimax.0.MAC 
persist.wimax.0.TO-FUMO-REF ./FUMO
persist.wimax.TO-WiMAX-REF ./WiMAXSupp
persist.wimax.IPv4 
persist.wimax.IPv6 
persist.wimax.ServerInitiated 
persist.wimax.CLInit.PollSuprt 
persist.wimax.CLInit.PollIntrvl
persist.wimax.WorkMode
persist.wimax.Session_Conti
persist.wimax.Scan_Timeout
persist.wimax.Scan_Retry
persist.wimax.Idle_Sleep
persist.wimax.Entry_RX 
persist.wimax.Entry_CINR
persist.wimax.Entry_Delay
persist.wimax.Exit_CINR
persist.wimax.Exit_Delay
persist.wimax.0.H-NSP-ID 
persist.wimax.OperatorName 
persist.wimax.PollingInterval 
persist.wimax.Primary.Name 
persist.wimax.Primary.Activated 
persist.wimax.0.METHOD-TYPE 
persist.wimax.0.VENDOR-ID 
persist.wimax.0.VENDOR-TYPE 
persist.wimax.0.USER-IDENTITY 
persist.wimax.0.PSEUDO-IDENTITY 
persist.wimax.0.PASSWORD 
persist.wimax.0.REALM 
persist.wimax.0.USE-PRIVACY 
persist.wimax.0.ENCAPS 
persist.wimax.0.VFY-SRVR-REALM 
persist.wimax.0.S-RLM.0.S-RLM 
persist.wimax.0.To-IP-REF ./IP 
TrevE kindly issued a patch too and gave HTC a 5-day heads-up so that they could fix this security hole before he made it public. You can download the patch from TrevE’s link here, or you can apply it manually by following the steps below:

To use it, edit init.shooter.rc to appear as below (or wherever the binaries are started in the ramdisk) and manually start them when you are going on 4g with the attached app.
———————-
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    disabled
    oneshot

# setWMXPropd daemon
service setWMXPropd /system/bin/setWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot

# getWMXPropd daemon
service getWMXPropd /system/bin/getWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot
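As an added audit example, not part of the original disclosure or of TrevE’s patch, the following Python script checks a device from the defender’s side: it parses netstat output for the four WiMAX helper ports named above (7773 to 7776) and reports which program is bound to each, and it scans an init.rc fragment for WiMAX service blocks that still lack the `disabled` keyword and so would auto-start at boot. Both inputs are constructed samples modelled on the text, not real captures.

```python
import re

# WiMAX helper ports named in the disclosure and the daemon expected behind each.
WIMAX_PORTS = {7773: "setWiMAXPropDaemon", 7774: "getWiMAXPropDaemon",
               7775: "system_server", 7776: "wimaxDaemon"}

# Constructed sample of `netstat -lnp` output, modelled on the disclosure (not a real capture).
SAMPLE_NETSTAT = """\
tcp        0      0 ::ffff:127.0.0.1:7775   :::*                    LISTEN      4327/system_server
tcp        0      0 127.0.0.1:7776          0.0.0.0:*               LISTEN      4230/wimaxDaemon
tcp        0      0 127.0.0.1:7773          0.0.0.0:*               LISTEN      4210/setWiMAXPropDaemon
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      1120/adbd
"""

# Constructed init.rc fragment: wimaxDaemon still auto-starts, setWMXPropd carries the fix.
SAMPLE_INIT_RC = """\
service wimaxDaemon /system/bin/wimaxDaemon
    user root
    group root
    oneshot

service setWMXPropd /system/bin/setWiMAXPropDaemond
    user root
    group root
    disabled
    oneshot
"""

NETSTAT_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN(?:\s+\d+/(?P<prog>\S+))?")
SERVICE_BLOCK = re.compile(r"^service\s+(\S+)\s+\S+\n((?:[ \t]+\S.*\n?)*)", re.M)

def exposed_wimax_ports(netstat_text):
    """Map each WiMAX helper port found in LISTEN state to the program bound to it."""
    found = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])   # works for IPv4 and ::ffff: forms
            if port in WIMAX_PORTS:
                found[port] = m.group("prog") or "unknown"   # no -p column: program unknown
    return found

def services_still_enabled(init_rc_text, names=("wimaxDaemon", "setWMXPropd", "getWMXPropd")):
    """Return the WiMAX services in an init.rc whose block lacks 'disabled' (still start at boot)."""
    return [name for name, body in SERVICE_BLOCK.findall(init_rc_text)
            if name in names and "disabled" not in body.split()]

if __name__ == "__main__":
    for port, prog in sorted(exposed_wimax_ports(SAMPLE_NETSTAT).items()):
        print(f"port {port} open, served by {prog} (expected {WIMAX_PORTS[port]})")
    print("services not disabled:", services_still_enabled(SAMPLE_INIT_RC))
```

On a real device the same two functions can be fed the output of `adb shell netstat -lnp` and the contents of the ramdisk init file after the patch is applied, to confirm the ports are gone and every service block carries `disabled`.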
What is even more worrying is that the article written by egzthunder1 on XDA Forums ends with the following line: “And remember, there are still more vulnerabilities to come, so please stay tuned for more,” meaning that more security flaws are yet to be revealed in the following weeks.

More details on the WiMAX security flaw can be read here and here.

Video: http://youtu.be/Hs0BVs19LJ4

Source: XDA Forums