ZTE Score M Android Phone backdoor

Published: 2012-05-18,
Last Updated: 2012-05-18 11:41:11 UTC
by Johannes Ullrich (Version: 1)


The ZTE Score M phone, apparently available via Metro PCS in the US, comes with a special suid backdoor. For a change, the backdoor does not use a fixed "secret" root password; instead, the suid binary "sync_agent" has to be called with a special parameter.

If you do have an Android phone, check whether this application is present in "/system/bin". At this point only this one particular model is reported to ship it, but it would be odd for ZTE not to have used the same backdoor on other models.

Cataloging and limiting suid applications should be a standard unix hardening step. The simplest way, in my opinion, to find suid binaries is this find command (BSD/macOS syntax; on GNU find use -xdev instead of -x and -perm /u=s, or the portable -perm -4000, instead of -perm +u=s):

find / -x -type f -perm +u=s

Files with the suid bit set run as the user who owns the file, not as the user executing it. This is typically used to allow normal users to perform particular administrative tasks, so verify whether normal users need to execute a given binary before removing its suid bit.
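As an added example (not from the diary), the suid inventory above turned into a baseline check: it lists suid files under a directory with the portable `-perm -4000` (works on GNU, BSD and busybox/toolbox find alike) and flags any not present in a known-good list. `demo_run` builds a constructed stand-in for /system/bin with a file named sync_agent as the unexpected entry; the file names and the baseline format are assumptions.

```shell
#!/bin/sh
# Added example, not the diary's own code. Inventory suid binaries under a
# root directory and report those missing from a known-good baseline.

# list_suid ROOT: print every regular file with the suid bit set (-perm -4000
# is POSIX, unlike the GNU-only -perm /u=s or the BSD-only -perm +u=s).
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# unexpected_suid ROOT BASELINE: print suid files not listed (one path per
# line) in BASELINE. Returns 1 when at least one unexpected file is found.
unexpected_suid() {
    root=$1; baseline=$2
    found=$(list_suid "$root" | while IFS= read -r f; do
        grep -qxF -- "$f" "$baseline" || printf '%s\n' "$f"
    done)
    printf '%s' "$found"
    [ -z "$found" ]
}

# demo_run: constructed mini filesystem standing in for /system/bin, with one
# baselined suid binary, one unexpected suid binary and one plain binary.
demo_run() {
    demo=$(mktemp -d) || return 2
    mkdir -p "$demo/system/bin"
    : > "$demo/system/bin/su_ok"       # constructed: expected, in baseline
    : > "$demo/system/bin/sync_agent"  # constructed: stand-in for the reported binary
    : > "$demo/system/bin/toolbox"     # constructed: no suid bit
    chmod 4755 "$demo/system/bin/su_ok" "$demo/system/bin/sync_agent"
    chmod 0755 "$demo/system/bin/toolbox"
    printf '%s\n' "$demo/system/bin/su_ok" > "$demo/baseline.txt"
    unexpected_suid "$demo/system/bin" "$demo/baseline.txt"
    rc=$?
    rm -rf "$demo"
    return $rc
}
```

Run `unexpected_suid /system/bin baseline.txt` against a baseline captured from a known-clean device; a non-zero exit and any printed path is what to investigate.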

Update: The file has also been found on the ZTE Skate.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: android backdoor zte

ISC StormCast for Friday, May 18th 2012 http://isc.sans.edu/podcastdetail.html?id=2545
