FKIE_CVE-2016-10138
Vulnerability from fkie_nvd - Published: 2017-01-13 09:59 - Updated: 2025-04-20 01:37
Summary
An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. Its AndroidManifest.xml sets android:sharedUserId to android.uid.system, so the app runs as the system user, a highly privileged user on the device. The app exports a broadcast receiver, com.adups.fota.sysoper.WriteCommandReceiver, that any app on the device can interact with; any app can therefore send a command embedded in an intent and have the WriteCommandReceiver component execute it as the system user. Through the WriteCommandReceiver, a third-party app can call a phone number, factory reset the device, take screenshots, record the screen to video, install applications, inject events, obtain the Android log, and more. In addition, the com.adups.fota.sysoper.TaskService component requests http://rebootv5.adsunflower.com/ps/fetch.do, and the commands in the String array under the key sf in the JSON object returned by the server are executed as the system user. Because that connection is plain HTTP, an on-path attacker can alter the response (MITM). Note that the CWE-310 (Cryptographic Issues) mapping in the record below covers only the cleartext transport; the exported system-UID receiver is a separate access-control flaw.
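The manifest pattern described above (a package that joins android.uid.system through sharedUserId and exports a receiver with no permission guard) can be checked mechanically. The following is an added example, not code from Adups, BLU or the Kryptowire report; the two manifests are constructed to mirror the summary, and the intent action name and the permission name in them are placeholders, since the CVE record does not state them.

```python
"""Audit an AndroidManifest.xml for the pattern behind CVE-2016-10138: a package
that runs as android.uid.system via sharedUserId and exports a component that
any app on the device can reach (no android:permission, or one weaker than
signature level). Added example; the manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PRIVILEGED_UIDS = {"android.uid.system", "android.uid.phone"}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
# Protection levels that restrict callers to same-signer or platform apps.
STRONG_LEVELS = {"signature", "signatureOrSystem", "signature|privileged"}

def _a(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is implicitly exported (the pre-API-31 default)."""
    explicit = _a(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return finding strings; an empty list means nothing to report."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    shared_uid = root.get(f"{{{ANDROID_NS}}}sharedUserId")
    privileged = shared_uid in PRIVILEGED_UIDS
    findings = []
    if privileged:
        findings.append(f"INFO: {pkg} sets sharedUserId={shared_uid}; "
                        "every exported component runs as that user")
    # Permissions this package declares, so a guard's strength can be judged.
    declared = {_a(p, "name"): (_a(p, "protectionLevel") or "normal")
                for p in root.findall("permission")}
    app = root.find("application")
    if app is None:
        return findings
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _a(comp, "name") or "?"
            if name.startswith("."):
                name = pkg + name
            if not is_exported(comp):
                continue
            sev = "CRITICAL" if privileged else "WARN"
            guard = _a(comp, "permission")
            if guard is None:
                findings.append(f"{sev}: {tag} {name} is exported with no android:permission")
            elif guard in declared and declared[guard] not in STRONG_LEVELS:
                findings.append(f"{sev}: {tag} {name} is guarded by {guard} "
                                f"(protectionLevel {declared[guard]}), which any app can hold")
    return findings

# Constructed manifest modelled on the summary: implicitly exported receiver
# (intent-filter, no android:exported), system UID, service not exported.
VULNERABLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.adups.fota.sysoper"
    android:sharedUserId="android.uid.system">
  <application android:label="SysOper">
    <receiver android:name=".WriteCommandReceiver">
      <intent-filter>
        <action android:name="CONSTRUCTED.PLACEHOLDER.WRITE_COMMAND" />
      </intent-filter>
    </receiver>
    <service android:name=".TaskService" />
  </application>
</manifest>
"""

# Same package with the receiver behind a signature-level permission
# (placeholder permission name); the sharedUserId INFO finding remains.
HARDENED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.adups.fota.sysoper"
    android:sharedUserId="android.uid.system">
  <permission android:name="com.adups.fota.sysoper.permission.PLACEHOLDER"
      android:protectionLevel="signature" />
  <application android:label="SysOper">
    <receiver android:name=".WriteCommandReceiver" android:exported="true"
        android:permission="com.adups.fota.sysoper.permission.PLACEHOLDER" />
    <service android:name=".TaskService" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, m in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label)
        for f in audit_manifest(m):
            print("  " + f)
```

Run against a manifest pulled from an APK (after decoding with apktool or aapt2, since the binary AXML in the APK is not plain XML), the audit reports the system UID as informational and any exported, unguarded component as CRITICAL when that UID is present. The guard check deliberately treats a permission of protectionLevel normal as no guard at all, since any app can request it.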
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/96853 | |
| cve@mitre.org | https://www.kryptowire.com/adups_security_analysis.html | Technical Description, Third Party Advisory |
| cve@mitre.org | https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html | Press/Media Coverage |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/96853 | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.kryptowire.com/adups_security_analysis.html | Technical Description, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html | Press/Media Coverage |
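The second issue in the summary, TaskService fetching an sf command array over plain HTTP, is also observable from the network side. The following is an added example, not from the page's sources: a detector over a constructed proxy-log format that flags cleartext requests for the fetch path and extracts the sf strings the device would run as system. The log format, client addresses and command strings are placeholders.

```python
"""Flag the cleartext command channel described for
com.adups.fota.sysoper.TaskService in HTTP proxy logs: an http:// request for
the fetch path whose JSON reply carries an "sf" string array. Added example;
the log lines and command strings below are constructed placeholders."""
import json
from urllib.parse import urlsplit

# Path named in the CVE summary for the command fetch. The host is checked
# separately: an on-path attacker can serve the same path from any host.
FETCH_PATH = "/ps/fetch.do"
KNOWN_FETCH_HOSTS = {"rebootv5.adsunflower.com"}

# Constructed proxy log, one request per line:
#   <client_ip> <method> <url> <status> <response_body or ->
SAMPLE_LOG = """\
10.0.0.21 GET http://rebootv5.adsunflower.com/ps/fetch.do 200 {"sf":["PLACEHOLDER_CMD_1","PLACEHOLDER_CMD_2"],"ttl":3600}
10.0.0.21 GET https://example.invalid/ota/check 200 {"update":false}
10.0.0.34 GET http://rebootv5.adsunflower.com/ps/fetch.do 200 {"sf":[]}
10.0.0.34 GET http://198.51.100.7/ps/fetch.do 200 {"sf":["PLACEHOLDER_CMD_3"]}
10.0.0.50 POST http://example.invalid/telemetry 204 -
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    client, method, url, status, body = line.split(" ", 4)
    parts = urlsplit(url)
    return {"client": client, "method": method, "scheme": parts.scheme,
            "host": parts.hostname, "path": parts.path, "status": int(status),
            "body": None if body == "-" else body}

def extract_sf_commands(body):
    """Return the 'sf' string array from a JSON reply, or [] if absent or malformed."""
    try:
        obj = json.loads(body)
    except (TypeError, ValueError):
        return []
    sf = obj.get("sf") if isinstance(obj, dict) else None
    return [c for c in sf if isinstance(c, str)] if isinstance(sf, list) else []

def analyze(log_text):
    """One finding per cleartext request for the command-fetch path."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["path"] != FETCH_PATH:
            continue
        if rec["scheme"] != "http":
            continue  # TLS denies an on-path attacker the response rewrite
        cmds = extract_sf_commands(rec["body"])
        known = rec["host"] in KNOWN_FETCH_HOSTS
        findings.append({
            "client": rec["client"],
            "host": rec["host"],
            "known_host": known,
            "commands": cmds,
            # Commands actually delivered, or the fetch path served from an
            # unknown host (what a redirected or spoofed server looks like),
            # are the cases worth paging on.
            "severity": "HIGH" if cmds or not known else "MEDIUM",
        })
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The point of extracting the sf array rather than only matching the URL is that the array is exactly what an attacker on the path controls: whatever strings appear there run as the system user, so the detector surfaces them verbatim for triage.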
Impacted products
| Vendor | Product | Version |
|---|---|---|
| adups | adups_fota | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:adups:adups_fota:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D8B2E488-EEE4-4C16-B1F6-BD5847A0DE1A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. In the com.adups.fota.sysoper app\u0027s AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. The app has an exported broadcast receiver named com.adups.fota.sysoper.WriteCommandReceiver which any app on the device can interact with. Therefore, any app can send a command embedded in an intent which will be executed by the WriteCommandReceiver component which is executing as the system user. The third-party app, utilizing the WriteCommandReceiver, can perform the following actions: call a phone number, factory reset the device, take pictures of the screen, record the screen in a video, install applications, inject events, obtain the Android log, and others. In addition, the com.adups.fota.sysoper.TaskService component will make a request to a URL of http://rebootv5.adsunflower.com/ps/fetch.do where the commands in the String array with a key of sf in the JSON Object sent back by the server will be executed as the system user. Since the connection is made via HTTP, it is vulnerable to a MITM attack."
}
],
"id": "CVE-2016-10138",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.2,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-13T09:59:00.263",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/96853"
},
{
"source": "cve@mitre.org",
"tags": [
"Technical Description",
"Third Party Advisory"
],
"url": "https://www.kryptowire.com/adups_security_analysis.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/96853"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description",
"Third Party Advisory"
],
"url": "https://www.kryptowire.com/adups_security_analysis.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Press/Media Coverage"
],
"url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}