Executive Summary

Informations
Name CVE-2016-10138 First vendor Publication 2017-01-13
Vendor Cve Last vendor Modification 2017-03-16

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 7.8
Base Score 7.8 Environmental Score 7.8
impact SubScore 5.9 Temporal Score 7.8
Exploitabality Sub Score 1.8
 
Attack Vector Local Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

An issue was discovered on BLU Advance 5.0 and BLU R1 HD devices with Shanghai Adups software. The com.adups.fota.sysoper app is installed as a system app and cannot be disabled by the user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. The app has an exported broadcast receiver named com.adups.fota.sysoper.WriteCommandReceiver which any app on the device can interact with. Therefore, any app can send a command embedded in an intent which will be executed by the WriteCommandReceiver component which is executing as the system user. The third-party app, utilizing the WriteCommandReceiver, can perform the following actions: call a phone number, factory reset the device, take pictures of the screen, record the screen in a video, install applications, inject events, obtain the Android log, and others. In addition, the com.adups.fota.sysoper.TaskService component will make a request to a URL of http://rebootv5.adsunflower.com/ps/fetch.do where the commands in the String array with a key of sf in the JSON Object sent back by the server will be executed as the system user. Since the connection is made via HTTP, it is vulnerable to a MITM attack.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10138

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-310 Cryptographic Issues

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Sources (Detail)

Source Url
BID http://www.securityfocus.com/bid/96853
MISC https://www.kryptowire.com/adups_security_analysis.html
https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security...

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
Date Informations
2021-05-04 09:50:05
  • Multiple Updates
2021-04-22 01:54:27
  • Multiple Updates
2020-05-23 00:48:41
  • Multiple Updates
2017-03-16 09:24:10
  • Multiple Updates
2017-01-24 00:22:30
  • Multiple Updates
2017-01-13 13:25:00
  • First insertion