  1. #1



    Massive security vulnerability found in HTC Android devices

    I thought this might be worth posting since I haven't seen any other threads about it.

    Links
    androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/
    infectedrom.com/showthread.php/559-Vunerability-1-Android-Security-Elevation



    -----------------------------------------------------------------------------------------------------------
    Threat Vulnerability: Android Security Elevation/Information Leak
    Products Affected: Any device with HTCLogger.apk running htcloggerd binary
    Release to HTC date: 24/09/2011
    Release to Public date: 30/09/2011 (per RFP - http://en.wikipedia.org/wiki/RFPolicy)
    Vulnerability reported By: TrevE
    -----------------------------------------------------------------------------------------------------------

    Details:
    HTCLogger allows any app that has access to android.permission.INTERNET on devices such as the EVO 3D to obtain full access to query sensitive info such as network/appusagestats/meid/esn/phone#/past 10 location broadcasts and last known locations/and more. Root is not required; for this demo I will show a completely stock CDMA HTC EVO 3D running version 2.08.561.2, but it will also work on rooted phones and expose more info (WiMAX dumps, etc). This is available to any application ONLY having permission internet. Htcloggers essentially allows any app to bypass the following permissions (and more):

    [...]

    How this works at a high level:
    htcloggerd binds to 127.0.0.1:65511 and listens for commands. The base port can only control services, but the dependent services such as logctl will gladly dump private info when anybody asks for it.

    The demo app attached proves how any app can interface with htcloggers. This proof of concept queries port 65511 with :getservices: and gets the port of logctl. It then connects to this port and sends any command in the app. I have put some stock commands in, along with a custom command :getimportantinfo: that provides a proof of concept on how to use regex to parse the output to return sensitive data to an application. While stuff is processing it will appear hung, as there are no statuses/wait messages; again, it's just a proof of concept.

    What data is accessible/why this is important:
    Almost everything. How long you use apps, phone identity information, radio/logcat/event logs, IP addresses, mobile network/wifi/bluetooth around you, GPS location, etc. All it needs is permission internet, which MANY market apps use (think admob, etc). While my app is doing it in the foreground and only grepping a few key pieces with button presses, putting it in a background thread would take 2 seconds, and since sockets are already allowed this data could easily be sent anywhere. A list of what is contained in the reports, and therefore visible to any application, is below.

    Code:
    Dumpstate Contains - 
    Phone Software info
    Mem info
    CPU Info
    Procrank
    vmstat
    vmallocinfo
    slabinfo
    zoneinfo
    buddyinfo
    kmemleak
    syslog/mainlog (logcat -v time -d *:v)
    /data/anr/traces.txt
    event log (logcat -b events -v time -d *:v)
    radio log (logcat -b radio -v time -d *:v)
    netcfg
    network routes
    arp cache
    wifi firmware log (su root dhdutil -i eth0 upload /data/local/tmp/wlan_crash.dump)
    System Properties
    Kernel log (dmesg)
    wakelocks
    cpufreq
    vold dump (vdc dump)
    secure containers (vdc asec list)
    process list (ps -P)
    processes and threads (ps -t -p -P)
    librank
    /sys/kernel/debug/binder/failed_transaction_log
    /sys/kernel/debug/binder/transaction_log
    /sys/kernel/debug/binder/transactions
    /sys/kernel/debug/binder/stats
    /sys/kernel/debug/binder/state
    disk space (df)
    full output of /data/system/packages.xml
    /data/system/uiderrors.txt
    last kmsg
    /proc/last_radio_log
    /data/dontpanic/apanic_console
    /data/dontpanic/apanic_threads
    BLOCKED PROCESS WAIT-CHANNELS
    backlight data
    ANR history
    
    DUMPSYS:
    Currently running services
    Dump of all currently running services (full battery info, bluetooth dumps, clipboard dumps, connectivity, cpu info, device policy info, location along with past 10 and last known positions, usagestats, wifi bssids, etc) 
    Services in Current Activity Manager State:
    PendingIntents in Current Activity Manager State:
    Activities in Current Activity Manager State:
    Processes in Current Activity Manager State:
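
A defensive audit for the exposure class described in the post, added here as an example (it is not part of the original post or of TrevE's proof of concept): it parses `/proc/net/tcp` output and lists loopback TCP listeners owned by non-app UIDs, which any app allowed to open sockets can connect to. The sample table, the second port and all UIDs are constructed; only 127.0.0.1:65511 comes from the post.

```python
import ipaddress
import socket
import struct

FIRST_APP_UID = 10000  # Android assigns installed apps UIDs from 10000 upward
TCP_LISTEN = "0A"      # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a device).
# Row 0 uses the 127.0.0.1:65511 endpoint named in the post; the rest is made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:FFE7 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:FFE8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202
   2: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10057        0 2345
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10061        0 2399
   4: 0100007F:C350 0100007F:FFE7 01 00000000:00000000 00:00000000 00000000 10072        0 2501
"""

def parse_listeners(proc_net_tcp):
    """Return (ip, port, uid) for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:  # blank or non-listening
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The kernel prints the address as a host-order word; on little-endian
        # CPUs (ARM phones, x86) 0100007F therefore decodes to 127.0.0.1.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16), int(fields[7])))
    return listeners

def privileged_loopback_listeners(proc_net_tcp):
    """Loopback listeners owned by a non-app UID: local IPC endpoints that
    need their own authentication, since binding to 127.0.0.1 restricts
    nothing between apps on the same device."""
    return [(ip, port, uid)
            for ip, port, uid in parse_listeners(proc_net_tcp)
            if ipaddress.ip_address(ip).is_loopback and uid < FIRST_APP_UID]

if __name__ == "__main__":
    for ip, port, uid in privileged_loopback_listeners(SAMPLE):
        print(f"review: uid {uid} listens on {ip}:{port}")
```

Each flagged endpoint should then be checked for whether it authenticates the connecting peer before returning data.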
