Skyagent: potentially-rogue binary present on ALL HTC EVO 4G

Posted in General Discussion, edited January 2014
Team unrevoked has discovered a potentially-rogue binary present on the HTC EVO 4G (“Supersonic”) and HTC Hero (“HeroC”) devices. These devices ship with a setuid root binary named skyagent in the /system/bin directory. This binary, among other tasks, can be used to escalate privileges on these devices.

Another insecure binary is also present on Supersonic: hstools is also present in /system/bin.

http://www.unrevoked.com/rootwiki/do...ed1_disclosure

Comments

  • Reply 1 of 3
    Marvin (moderator)
    Quote:
    Originally Posted by davesw

    Team unrevoked has discovered a potentially-rogue binary present on the HTC EVO 4G (“Supersonic”) and HTC Hero (“HeroC”) devices. These devices ship with a setuid root binary named skyagent in the /system/bin directory. This binary, among other tasks, can be used to escalate privileges on these devices.

    Another insecure binary is also present on Supersonic: hstools is also present in /system/bin.

    Skynet has to start somewhere. It looks like it was not a malicious app, just debugging tools but certainly possible to cause damage if used with malicious intent.

    http://grack.com/blog/2010/07/07/how...tell-about-it/

    "One theory is that it's a test program, designed to provide input and output for automated testing on real devices. Another theory is that it's a law-enforcement or three-letter-agency wiretap program for capturing communication. Yet another is that it was placed there by a rogue employee as a plain, malicious backdoor. There's not enough evidence to determine which (if any) of the theories is correct and Sprint hasn't disclosed anything."
  • Reply 2 of 3
    davesw (member)
    a debugging tool named "SkyAgent"?

    also from the article:

    However, the security vulnerabilities present in skyagent are of less cause for concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user's knowledge or permission. When the program is invoked, it listens for connections over TCP (by default, port 12345, on all interfaces, including the 3G network!) that accepts a fixed set of commands. These commands appear to be authenticated only by a fixed “magic number”; the commands are neither encrypted on the way to the device nor on the way back. The commands that we have knowledge of at this time include:

    sending and monitoring user tap and drag input (“PentapHook”), sending key events (“InputCapture”), dumping the framebuffer (“captureScreen”), listing processes (“GetProc”), rebooting the device immediately, and executing arbitrary shell commands as root (“LaunchChild”)
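The two indicators the quoted article describes, a setuid-root binary in /system/bin and a service listening on TCP 12345 bound to all interfaces, can be audited from captured `ls -l /system/bin` and `/proc/net/tcp` text. This is an added example written for this page, not code from unrevoked or the grack.com article; the sample listings, the file names other than skyagent and hstools, and the inode, UID and address values in them are constructed.

```python
# Added audit example (not from unrevoked or the linked article). It parses
# saved `ls -l /system/bin` and /proc/net/tcp output, so it runs offline.

# Constructed sample of Android toolbox `ls -l /system/bin` output.
SAMPLE_LS = """\
-rwxr-xr-x root     shell       46788 2010-06-01 12:00 toolbox
-rwsr-xr-x root     shell       21092 2010-06-01 12:00 skyagent
-rwsr-xr-x root     shell        9876 2010-06-01 12:00 hstools
-rwsr-xr-x root     shell       14032 2010-06-01 12:00 su
-rwxr-xr-x root     shell        5932 2010-06-01 12:00 sh
"""

# Constructed sample of /proc/net/tcp. Addresses and ports are hex, IPv4 octets
# are stored little-endian, state 0A means LISTEN. Row 1 is 0.0.0.0:12345 as uid 0.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1234 1 00000000 300 0 0 2 -1
   1: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 300 0 0 2 -1
   2: 0A00000A:9F2C 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10012        0 9012 1 00000000 20 4 30 10 -1
"""

def setuid_root_binaries(ls_output, expected=("su",)):
    """Names of setuid-root files in the listing, minus an allowlist of expected ones."""
    hits = []
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        mode, owner, name = parts[0], parts[1], parts[-1]
        # The fourth mode character is 's' or 'S' when the setuid bit is set.
        if mode[3] in "sS" and owner == "root" and name not in expected:
            hits.append(name)
    return hits

def listeners(proc_net_tcp):
    """(ip, port, uid) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        f = line.split()
        if f[3] != "0A":
            continue
        addr_hex, port_hex = f[1].split(":")
        octets = [int(addr_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]  # undo little-endian
        found.append((".".join(map(str, octets)), int(port_hex, 16), int(f[7])))
    return found

def wildcard_listener(proc_net_tcp, port=12345):
    """True if a LISTEN socket is bound to 0.0.0.0 (all interfaces) on the given port."""
    return any(ip == "0.0.0.0" and p == port for ip, p, _ in listeners(proc_net_tcp))
```

On a real device the same functions take the output of `adb shell ls -l /system/bin` and `adb shell cat /proc/net/tcp`; a hit from both checks together is the pattern the article describes.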
  • Reply 3 of 3
    Marvin (moderator)
    Quote:
    Originally Posted by davesw

    a debugging tool named "SkyAgent"?

    No worse than gdb or icebox. Obviously with a phone, a remote debugger would be used so the name seems ok to me. It may have been included to allow people to gain root on their devices to be able to easily make modifications - people have used SkyAgent to do so. On the iPad and iPhone, people use Apple's bundled back-door called Safari to gain root access (http://twitter.com/planetbeing/status/17137959103). HTC issued a patch for the SkyAgent software to coincide with the EVO launch so it could well be a non-issue, especially if it can't be remotely activated.