Skyagent: potentially-rogue binary present on ALL HTC EVO 4G

[dogie678]

And this is one of the reasons why Android is the Windows of mobile.


Team unrevoked has discovered a potentially-rogue binary present on the HTC EVO 4G (“Supersonic”) and HTC Hero (“HeroC”) devices. These devices ship with a setuid root binary named skyagent in the /system/bin directory. This binary, among other tasks, can be used to escalate privileges on these devices.

Another insecure binary is also present on Supersonic: hstools is also present in /system/bin.


http://www.unrevoked.com/rootwiki/doku.php/public/unrevoked1_disclosure

 

[dogie678]

also from the article:


However, the security vulnerabilities present in skyagent are of less cause for concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user's knowledge or permission. When the program is invoked, it listens for connections over TCP (by default, port 12345, on all interfaces, including the 3G network!) that accepts a fixed set of commands. These commands appear to be authenticated only by a fixed “magic number”; the commands are neither encrypted on the way to the device or on the way back. The commands that we have knowledge of at this time include:
sending and monitor user tap and drag input (“PentapHook”), sending key events (“InputCapture”), dumping the framebuffer (“captureScreen”), listing processes (“GetProc”), rebooting the device immediately, and executing arbitrary shell commands as root (“LaunchChild”)