Executive Summary

Title Ragentek Android OTA update mechanism vulnerable to MITM attack
Name VU#624539 First vendor Publication 2016-11-17
Vendor VU-CERT Last vendor Modification 2016-11-17
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#624539

Ragentek Android OTA update mechanism vulnerable to MITM attack

Original Release date: 17 Nov 2016 | Last revised: 17 Nov 2016


Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges.


CWE-494: Download of Code Without Integrity Check - CVE-2016-6564

Android devices with code from Ragentek contain a privileged binary that performs over-the-air (OTA) update checks.
Additionally, there are multiple techniques used to hide the execution of this binary. This behavior could be described as a rootkit.

This binary, which resides as /system/bin/debugs, runs with root privileges and does not communicate over an encrypted channel.
The binary has been shown to communicate with three hosts via HTTP:

  • oyag[.]lhzbdvm[.]com
  • oyag[.]prugskh[.]net
  • oyag[.]prugskh[.]com

Server responses to requests sent by the debugs binary include functionalities to execute arbitrary commands as root, install applications, or update configurations.

Examples of a request sent by the client binary:
    POST /pagt/agent?data={"name":"c_regist","details":{...}} HTTP/1. 1
    Connection: Close

An example response from the server could be:
    HTTP/1.1 200 OK
    {"code": "01", "name": "push_commands", "details": {"server_id": "1" ,
    "title": "Test Command", "comments": "Test", "commands": "touch /tmp/test"}}
This binary is reported to be present in the following devices:
  • BLU Studio G
  • BLU Studio G Plus
  • BLU Studio 6.0 HD
  • BLU Studio X
  • BLU Studio X Plus
  • BLU Studio C HD
  • Infinix Hot X507
  • Infinix Hot 2 X510
  • Infinix Zero X506
  • Infinix Zero 2 X509
  • DOOGEE Voyager 2 DG310
  • LEAGOO Lead 5
  • LEAGOO Lead 6
  • LEAGOO Lead 3i
  • LEAGOO Lead 2S
  • LEAGOO Alfa 6
  • IKU Colorful K45i
  • Beeline Pro 2
  • XOLO Cube 5.0


An remote, unauthenticated attacker in a position to perform man-in-the-middle attacks can execute arbitrary commands as root.


Apply an update
The reporter indicates that BLU has provided an update, which is intended to address the vulnerability, Please see the vendor status page for more details.

For other devices, please check with your device vendor for updates. If you are unable to apply an update, see the following workarounds:

Avoid use of untrusted networks

Use your device on trusted networks only, and avoid using untrusted networks such as open or public wifi.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
BLU ProductsAffected-11 Nov 2016
Infinix MobilityAffected-11 Nov 2016
RagentekAffected-11 Nov 2016
BeelineUnknown-11 Nov 2016
DoogeeUnknown-11 Nov 2016
IKU MobileUnknown-11 Nov 2016
LeagooUnknown-11 Nov 2016
XOLOUnknown-11 Nov 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://blog.anubisnetworks.com/blog/ragentek-android-ota-update-mechanism-vulnerable-to-mitm-attack
  • https://cwe.mitre.org/data/definitions/494.html
  • http://www.observatoriodeseguridad.com/?p=230
  • https://twitter.com/timstrazz/status/689981808012828673
  • https://en.wikipedia.org/wiki/Rootkit


Thanks to Dan Dahlberg and Tiago Pereira of BitSight Technologies and Anubis Networks for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

  • CVE IDs:CVE-2016-6564
  • Date Public:11 Nov 2016
  • Date First Published:17 Nov 2016
  • Date Last Updated:17 Nov 2016
  • Document Revision:20


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/624539

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1
Os 1

Alert History

If you want to see full details history, please login or register.
Date Informations
2018-09-14 21:22:04
  • Multiple Updates
2018-07-14 00:21:04
  • Multiple Updates
2016-11-18 00:23:15
  • Multiple Updates
2016-11-17 21:23:40
  • First insertion