ZTE Score: Privilege of Escalation in a Nutshell

Contributor: Branko Spasojevic

A recent post on Pastebin revealed that a simple command can provide root access to the ZTE Score mobile device. This escalation of privilege can give you full control of a ZTE Score M phone running Android 2.3.4 (Gingerbread). We analyzed both the MetroPCS and Cricket Wireless versions of the device and we were able to reproduce the privilege escalation.

The Android security model sandboxes applications so they cannot interact with other applications nor directly perform system level commands without specific authorization preventing undesired affects. The privilege escalation allows one to bypass the default Android security model and run any code on the device and make any modifications unchecked.

The privilege escalation was not a bug in code on the device, but instead likely a design feature for carrier administration purposes or troubleshooting. Unfortunately, irrespective of the reason this code was included, by allowing any application to gain a root shell (system level privileges), malicious applications can also utilize the root shell performing malicious actions normally prevented by the Android security model.

Telecommunications manufacturer ZTE has confirmed that there is a patch for this issue, to be delivered remotely in the near future.

The issue exists in an installed executable that contains functionality which executes a system shell (/system/bin/sh) with superuser privileges. The executable will first check that the first part of the argument is equal to "ztex". If that check is passed, it will then check that the second part of the user argument (argument[4:]) is equal to number "1609523". If the second check also passes, it will then execute a "su" command with "/system/bin/sh" as an argument by calling execvp(). This will present the user with a root privileged shell session. There are no further restrictions to what can be executed from the root shell.

The analysis below shows how easy it can be to gain root access on the ZTE Score device.

In a terminal session, the command “sync_agent ztex1609523” is issued at the command line. The # symbol indicates we have root access. We type id to verify access:


We are presented with User ID and Group ID information:


To be sure we have root access, we try to enter the root directory as a non-root user and then as a root user. As a root user, we are able to access the directory:


While the above manual demonstration is done with physical access to the phone, the same can be done automatically and programmatically, hence the attacker doesn’t need physical access to the device to abuse this privilege escalation flaw. The worst-case scenario here is an attacker who tricks the user into installing a malicious application that takes advantage of this privilege escalation flaw. Once the application has full access to the device, the attacker can install, delete, monitor, and modify the device to their own desire from anywhere in the world.

If you own a ZTE Score M device, be sure to install the patch once it is released.  In the meantime, following general security best practices can help mitigate the risk of your device becoming compromised. In particular, download and install only reputable and trusted applications, only use reputable and trusted marketplaces, and read and understand all security warnings and application terms and agreements.

Digital Rights Groups Defend Antenna-Based Internet TV Service

Tens of thousands of these tiny antennas are housed in a Brooklyn data center. They capture over-the-air TV broadcasts, which are then streamed over the internet to Aereo customers in New York. Photo: Aereo

Two digital rights groups urged a federal court Wednesday not to shut down an upstart technology company that streams over-the-air broadcasts to New Yorkers.

Public Knowledge and the Electronic Frontier Foundation, in a friend-of-the-court brief, said the courts should not shutter Aereo, as broadcasters are asking, simply because there is no federal licensing scheme yet for internet streaming of over-the-air broadcasts (one exists for cable companies).

Aereo’s New York customers basically rent two tiny antennas, each about the size of a dime. Tens of thousands of the antennas are housed in a Brooklyn data center. One antenna — unique to a customer — is used when a customer wants to watch a program in real time from a computer, tablet or mobile phone. The other works with a DVR service to record programs for later online viewing.

Aereo, which offers the service free but plans to charge about $12 monthly, does not divulge the number of its customers.

The broadcasters said Aereo is practicing “technological gimmickry” to skirt paying them licensing fees. Aereo’s business model, they said, “usurps their right to decide how and on what terms to make available and license content over new internet distribution media.”

But just because there’s no licensing mechanism doesn’t mean the unique service Aereo offers amounts to copyright infringement, the rights groups countered.

“Plaintiffs list particular examples of harms allegedly brought about by Aereo’s conduct, and claim them as being irreparable and substantial. However, the only cognizable harms amount to Aereo’s failing to pay licensing fees plaintiffs presume that they are entitled to,” the groups wrote the New York judge presiding over the case.

Shuttering the service, which the groups contend does not infringe the copyrights of ABC, CBS, NBC, Fox and other local broadcasters, “would deny to the public the benefit of advances in technology, contrary to the purpose of the Copyright Act.”

A hearing on whether the upstart, backed by financier Barry Diller, should be shut down is set to be heard in a New York federal courtroom next week.

In our earlier analysis of the case, we noted that, if Aereo were a cable or satellite company, it could transmit publicly available broadcast signals to its customers — under a complicated licensing-fee structure. Copyright holders in the programs being re-broadcasted have no say in the matter, under what is known as compulsory licensing. Congress adopted the licensing structure for cable and satellite following Supreme Court decisions in the ’60s and ’70s that allowed cable companies to hijack over-the-air broadcasts and include them in their primitive television packages.

And herein lies a 21st Century anomaly: The federally mandated licensing structure put into place is silent when it comes to internet streaming of over-the-air broadcasts that are carried over public airwaves. That’s why Aereo claims that, because of its proprietary technology that captures broadcasts and streams them to paying customers, it doesn’t need anyone’s permission to supply freely available television signals.

Pot Prosecution Goes Up in Smoke Due to Warrantless GPS Tracking

One of two GPS trackers found last year on the vehicle of a young man in California. Photo: Jon Snyder/Wired.com

A federal judge in Kentucky has ruled that 150 pounds of marijuana collected from a drug suspect’s car is not admissible evidence in court because investigators illegally used a GPS tracker without a warrant to uncover it.

U.S. District Judge Amul R. Thapar has barred prosecutors from using the marijuana stash, allegedly found in the car of 49-year-old Robert Dale Lee last year, because they had not obtained a warrant authorizing the use of the GPS tracker they placed on his vehicle as part of a multi-state drug investigation, according to the Associated Press.

A Kentucky State Police trooper allegedly found the pot when he stopped Lee’s vehicle in September 2011 after Drug Enforcement Agency investigators had tracked it from Chicago to Lexington, Kentucky. The DEA agents had reportedly placed the tracker on Lee’s car after a cooperating witness told investigators that Lee, who had prior convictions around the possession of a gun and drugs, had been transporting marijuana from Illinois to Kentucky.

“In this case, the DEA agents had their fishing poles out to catch Lee,” Judge Thapar wrote in his ruling. “Admittedly, the agents did not intend to break the law. But, they installed a GPS device on Lee’s car without a warrant in the hope that something might turn up.”

The ruling contravenes recent ones in other states, where federal judges in California, Hawaii and Iowa have found that evidence gathered through the warrantless use of covert GPS vehicle trackers can be used to prosecute suspects.

The patchwork rulings underscore a nationwide problem that has arisen in the wake of a Supreme Court decision earlier this year, which found that the use of GPS trackers on a person’s vehicle constituted a search under the Constitution, which would require, in nearly all cases, a warrant.

Because three U.S. District courts ruled prior to the Supreme Court decision that the use of GPS trackers without a warrant was lawful, federal judges in those districts — which cover 19 states as well as Guam and the Mariana Islands — have found that law enforcement agents and prosecutors in their regions can use a so-called “good faith exception” to support warrantless GPS surveillance in pending cases where data was gathered prior to the Supreme Court ruling.

Circuit courts in the 7th (covering Illinois, Wisconsin and Indiana), 8th (covering Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota and South Dakota) and 9th (covering Alaska, Arizona, California, Guam, Hawaii, Idaho, the Mariana Islands, Montana, Nevada, Oregon and Washington) all ruled prior to the Supreme Court case that warrantless GPS tracking was legal.

Last month, U.S. District Judge Mark Bennett in Iowa ruled (.pdf) that the GPS tracking evidence gathered by DEA agents against a suspected local drug trafficker prior to the Supreme Court ruling could be submitted in court. He made the ruling under a so-called “good faith” exception, because the agents were relying on what was then a binding 8th U.S. Circuit Court of Appeals precedent that authorized the use of warrantless GPS trackers for surveillance in Iowa.

Judges in two other GPS cases in California and Hawaii, both in the 9th Circuit where a precedent ruling exists, asserted the same “good faith” exception in March.

The exception comes from a 2011 Supreme Court case, Davis v. United States (.pdf), which allows a good-faith exception for searches that reasonably relied on binding precedents that were later found to be faulty.

But luckily for Lee, Kentucky, where he is being prosecuted, falls in the 6th circuit (.pdf), which had no such ruling on GPS prior to the Supreme Court case.

According to court documents, a DEA task force officer placed the GPS tracker on Lee’s car on Sept. 2, 2011 while the suspect was meeting with his federal probation officer in London, Kentucky. Three days later, DEA agents noticed that Lee had driven to Chicago and were tracking him as he returned to Kentucky. The officer tipped off a state trooper that Lee was likely transporting marijuana.

The trooper stationed himself with a drug-sniffing dog along the highway Lee was traveling, and pulled the suspect over under the premise that he was driving without a seat belt. When Lee consented to a search of the car, the drug-sniffing dog honed in on the drug stash.

Judge Thapar wrote that the DEA’s use of the GPS tracker was unlawful because the investigator had no binding court precedent he was relying on to use the device.

“Without GPS tracking data, the DEA agents would not have known that Lee traveled to Chicago (to pick up the drugs), that he was returning to Kentucky along I-75, or his exact position,” Thapur wrote.

Law enforcement’s use of GPS vehicle trackers came under increased scrutiny last year when the U.S. Supreme Court took up the case of United States v. Jones, which also involved the use of GPS trackers in a drug investigation.

Antoine Jones was given a life sentence by a lower court for drug trafficking, based in part on evidence gathered with a GPS vehicle tacker placed on his Jeep. A federal appeals court in Washington, D.C., later ruled that collecting data from the GPS device amounted to a search, and therefore required a warrant. Prosecutors argued that the device only collected the same information that anyone on a public street could glean from physically following the suspect. But the appellate court judge wrote in his ruling that the persistent, nonstop surveillance afforded by a GPS tracker was much different from physically tracking a suspect on a single trip.

The Obama administration called the appellate decision “vague and unworkable,” and petitioned the Supreme Court to rule that authorities did not need to obtain a warrant to use the devices. The Supreme Court justices ruled earlier this year in January that GPS tracking of a suspect’s vehicle qualified as a search under the U.S. Constitution, but stopped short of ruling that authorities needed to obtain a warrant every time they used a tracker.

The justices said that law enforcement authorities might need a probable-cause warrant from a judge, but did not say definitively whether such a search was unreasonable and required a warrant. Most legal experts, however, say the implication is that the use of such devices would require a warrant on any investigations going forward.

McAfee Labs Threat Report for Q1 2012: Threats Gone Wild

McAfee Labs has just released the McAfee Threats Report, First Quarter 2012, and I’m proud of it. I am cribbing from the intro to this quarter’s report, but it kinda says it all:


“The Greek philosopher Heraclitus, known for his doctrine of change as central to the universe, once wrote that ‘everything flows, nothing stands still.’ The first quarter of 2012 embodies Heraclitus’ doctrine in almost all areas of the threats landscape. Although we observed declines in many areas in the numbers of malware and threats at the end of 2011, this quarter is almost its polar opposite.

PC malware had its busiest quarter in recent history, and mobile malware also increased at a huge rate.

We saw growth in established rootkits as well as the emergence of several new families. Many of the familiar malware we analyze and combat rebounded this quarter, but none more so than password-stealing Trojans. In this edition of the Threats Report we introduce our tracking of new threats such as

the ZeroAccess rootkit and signed malware.”


Malicious code is on the rise again. Plain and simple. We are seeing more malware than in the recent past and you can count on that figure to rise in the coming year. In particular, mobile platforms present today’s cybercriminal with an almost irresistible target, specifically Android-based for now, but that can certainly evolve. Some highlights of the report include:


Mobile Malware Explosion


Mobile malware raced up a significant incline during the quarter, with 8,000 total mobile malware samples collected. This large increase was due in part to McAfee Labs’ advancements in the detection and accumulation of mobile malware samples.


Financial profit is one of the main motivators for spreading malware on the Android platform, as identified by McAfee Labs malware researcher Carlos Castillo in a recent blog post. Nearly 7,000 Android threats have been collected and identified through the end of the quarter, a more than 1,200 percent increase compared with the 600 Android samples collected by the end of the last quarter of 2011. Most of these threats stem from third-party app markets, and are typically not found in the official Android market.


Malware Increase in PCs and Macs


By the end of 2011, McAfee Labs collected more than 75 million malware samples. This quarter had the largest number of PC malware detected in the last four years. This increase brought the grand total to 83 million pieces of malware samples by the end of the period, up from 75 million samples at the end of 2011. Major contributors to the total were strong increases in rootkits, a stealth form of malware, as well as password stealers, which reached approximately 1 million new samples this quarter. Email continued to be a medium used for highly targeted attacks, and nearly all targeted attacks began with a spear phish.


As the Flashback Trojan began to wreak havoc among Apple Mac users in March, Mac malware had already been growing at a consistent rate. Despite the growth, Mac malware is still significantly less prevalent than PC malware, with approximately 250 new Mac malware samples, and approximately 150 new Mac fake antivirus malware samples in this period.


Spam Low, Botnets High


Global spam levels dropped to slightly more than 1 trillion monthly spam messages by the end of March. Decreases were most significant in Brazil, Indonesia, and Russia, while increases in spam were found in China, Germany, Poland, Spain, and the United Kingdom.


Botnet growth increased this quarter, reaching nearly 5 million infections at its highest point. Columbia, Japan, Poland, Spain, and the United States were areas with the largest botnet increase, while Indonesia, Portugal, and South Korea were regions that continued to decline. The most prevalent botnet of the quarter was Cutwail, with more than 2 million new infections.


The McAfee Labs report depicts the price breakdown for a botnet sold on the black market. Citadel, a Zeus variant and financial botnet, will cost a cybercriminal US$2,399 plus $125 for “rent” of a botnet builder and administration panel, with an extra $395 for automatic updates for antivirus evasion. For Darkness, by SVAS/Noncenz, a distributed denial of service botnet, options range from $450 for a minimal package to approximately $1,000 for more advanced offerings.


United States the Primary Source of Cyberattacks


A compromised machine is often used as a proxy for spam, botnets, denial of service, or other types of malicious activities. These machines can be located anywhere in the world, but this quarter many were located in the United States. Based on data collected from the McAfee Global Threat Intelligence™ network, the United States was the primary source of SQL-injection attacks and cross-site scripting attacks, and also had the highest number of victims of both attacks. The United States currently houses the most botnet control servers, and the location point for the vast majority of new malicious websites, with an average of 9,000 new bad sites recorded per day.


Download the McAfee Threats Report here.