ZTE Score: Privilege of Escalation in a Nutshell
Contributor: Branko Spasojevic
A recent post on Pastebin revealed that a simple command can provide root access to the ZTE Score mobile device. This escalation of privilege can give you full control of a ZTE Score M phone running Android 2.3.4 (Gingerbread). We analyzed both the MetroPCS and Cricket Wireless versions of the device and we were able to reproduce the privilege escalation.
The Android security model sandboxes applications so they cannot interact with other applications nor directly perform system level commands without specific authorization preventing undesired affects. The privilege escalation allows one to bypass the default Android security model and run any code on the device and make any modifications unchecked.
The privilege escalation was not a bug in code on the device, but instead likely a design feature for carrier administration purposes or troubleshooting. Unfortunately, irrespective of the reason this code was included, by allowing any application to gain a root shell (system level privileges), malicious applications can also utilize the root shell performing malicious actions normally prevented by the Android security model.
Telecommunications manufacturer ZTE has confirmed that there is a patch for this issue, to be delivered remotely in the near future.
The issue exists in an installed executable that contains functionality which executes a system shell (/system/bin/sh) with superuser privileges. The executable will first check that the first part of the argument is equal to "ztex". If that check is passed, it will then check that the second part of the user argument (argument[4:]) is equal to number "1609523". If the second check also passes, it will then execute a "su" command with "/system/bin/sh" as an argument by calling execvp(). This will present the user with a root privileged shell session. There are no further restrictions to what can be executed from the root shell.
The analysis below shows how easy it can be to gain root access on the ZTE Score device.
In a terminal session, the command “sync_agent ztex1609523” is issued at the command line. The # symbol indicates we have root access. We type id to verify access:
We are presented with User ID and Group ID information:
To be sure we have root access, we try to enter the root directory as a non-root user and then as a root user. As a root user, we are able to access the directory:
While the above manual demonstration is done with physical access to the phone, the same can be done automatically and programmatically, hence the attacker doesn’t need physical access to the device to abuse this privilege escalation flaw. The worst-case scenario here is an attacker who tricks the user into installing a malicious application that takes advantage of this privilege escalation flaw. Once the application has full access to the device, the attacker can install, delete, monitor, and modify the device to their own desire from anywhere in the world.
If you own a ZTE Score M device, be sure to install the patch once it is released. In the meantime, following general security best practices can help mitigate the risk of your device becoming compromised. In particular, download and install only reputable and trusted applications, only use reputable and trusted marketplaces, and read and understand all security warnings and application terms and agreements.