SANS ISC InfoSec Forums
ZTE Score M Android Phone backdoor

The ZTE Score M phone, apparently sold through Metro PCS in the US, ships with a setuid-root backdoor. For a change, the backdoor does not rely on a fixed "secret" root password; instead, the suid binary "sync_agent" has to be called with a special parameter before it hands out root access.

If you have an Android phone, check whether /system/bin contains a binary called "sync_agent". At this point only this one model is reported to ship it, but it would be odd for ZTE not to reuse the same backdoor on other models.

Cataloging and limiting suid binaries should be a standard Unix hardening step. The simplest way to enumerate them is a find command. The BSD/macOS form is "find / -x -type f -perm +u=s", but GNU find no longer accepts the "+mode" syntax and the toybox/busybox find on a phone may not either, so use the portable numeric mode instead:

find / -xdev -type f -perm -4000

"-xdev" (BSD: "-x") keeps the search on one filesystem so it does not descend into /proc or mounted SD cards; "-perm -4000" matches any file with the setuid bit set regardless of its other permission bits. On a phone, run this from "adb shell" or a terminal app; if the phone's shell has no find at all, "ls -l /system/bin" and look for an "s" in the owner's execute position.

Files with the suid bit set run with the privileges of the file's owner, not those of the user executing them. This is typically used to let normal users perform particular administrative tasks (changing their own password, for instance), so verify whether unprivileged users actually need to run a binary before you remove its suid bit. On a stock Android phone this is largely moot anyway: /system is mounted read-only and changing it requires root, which is exactly what an unrooted user lacks.
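As an added example (not code from the diary or from ZTE), the following script turns the one-off find above into a repeatable check: it lists the setuid files below a directory and diffs them against a baseline allowlist, so an unexpected binary such as sync_agent stands out. The function names (list_suid, unexpected_suid, make_demo_tree), the baseline file format and the /sdcard/suid-baseline.txt path are assumptions for the example; the "/system" tree it runs on is constructed in a temporary directory with empty stand-in files, since only the mode bits matter.

```shell
#!/bin/sh
# Added example, not from the ISC diary: inventory setuid binaries below a
# directory and report the ones missing from a baseline allowlist. Only POSIX
# find/sort/sed/comm are used so it runs under GNU, BSD and the toybox/busybox
# userland of a phone (e.g. via "adb shell" with /system as the root).

# Print every regular file below $1 that has the setuid bit, sorted.
# "-perm -4000" (setuid set, other bits don't care) is accepted by GNU, BSD
# and toybox find alike; "-xdev" keeps the walk on one filesystem. Errors
# (unreadable directories when run as the unprivileged shell user) are hidden.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files below $1 that are not named (relative to $1) in the
# baseline file $2. Returns 1 when at least one unexpected file exists,
# 0 when the tree matches the baseline, so it can gate a script.
unexpected_suid() {
    root=${1%/}; [ -n "$root" ] || root=/   # "/system/" -> "/system", "/" stays "/"
    prefix=${root%/}                        # "" for "/", so only "^/" is stripped
    baseline=$2
    sorted=$(mktemp "${TMPDIR:-/tmp}/suidbase.XXXXXX")
    sort "$baseline" > "$sorted"
    # comm -23: lines only in the first input (what we found), not in the baseline
    extra=$(list_suid "$root" | sed "s|^$prefix/||" | comm -23 - "$sorted")
    rm -f "$sorted"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Constructed, throwaway tree imitating a phone's /system; the files are empty
# stand-ins, only their mode bits matter. Prints the tree's path. The assumed
# baseline expects run-as (a genuine setuid helper on Android) and nothing else.
make_demo_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/demo_system.XXXXXX")
    mkdir -p "$d/bin" "$d/xbin"
    for f in bin/sh bin/run-as bin/sync_agent xbin/su; do
        : > "$d/$f"
    done
    chmod 0755 "$d/bin/sh"                                        # no setuid
    chmod 4755 "$d/bin/run-as" "$d/bin/sync_agent" "$d/xbin/su"   # setuid set
    printf 'bin/run-as\n' > "$d/baseline.txt"
    printf '%s\n' "$d"
}

# Demo on the constructed tree. On a phone you would run something like:
#   unexpected_suid /system /sdcard/suid-baseline.txt   (assumed path)
DEMO=$(make_demo_tree)
echo "setuid files below $DEMO:"
list_suid "$DEMO"
echo "not in baseline:"
if unexpected_suid "$DEMO" "$DEMO/baseline.txt"; then
    echo "(none) - tree matches baseline"
else
    echo "=> investigate the files above"
fi
rm -rf "$DEMO"
```

The baseline is deliberately a plain sorted list of relative paths: build it once from a phone you trust (or from the vendor's factory image), keep it on the SD card, and re-run the check after every firmware update. Anything comm reports is either a new legitimate suid helper, to be added to the list after review, or something like sync_agent.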

Update: The file has also been found on the ZTE Skate.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Comment from Dean (135 Posts):

So what are you telling family and friends that somehow acquired one of these phones? Doubt they'd know where to find a shell or what to do once they got there...
Reply from Johannes (ISC Handler, 3694 Posts):

Quick answer: Wait for the vendor patch, and hope for the best until then. Sadly, in particular with smart phones, there isn't much most users can do to mitigate these issues.
Comment from Johannes (20 Posts):

The path in your article says "/systen/bin"; should it really be "/system/bin"? Sorry if this is picky, but I wanted to make sure we were looking in the correct place for the file called "sync_agent" in that directory.
