CVE-2016-10136 - OpenCVE

Vendors	Products
Adups	Adups Fota

Link	Resource
http://www.securityfocus.com/bid/96854
https://www.kryptowire.com/adups_security_analysis.html	Technical Description Third Party Advisory
https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html	Press/Media Coverage

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-01-13T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete files owned by the system user. The third-party app can modify the /data/system/users/0/settings_secure.xml file to add an app as a notification listener to be able to receive the text of notifications as they are received on the device. This also allows the /data/system/users/0/accounts.db to be read which contains authentication tokens for various accounts on the device. The third-party app can obtain privileged information and also modify files to obtain more privileges on the device."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-15T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.kryptowire.com/adups_security_analysis.html"}, {"name": "96854", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96854"}, {"tags": ["x_refsource_MISC"], "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-10136", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete files owned by the system user. The third-party app can modify the /data/system/users/0/settings_secure.xml file to add an app as a notification listener to be able to receive the text of notifications as they are received on the device. This also allows the /data/system/users/0/accounts.db to be read which contains authentication tokens for various accounts on the device. The third-party app can obtain privileged information and also modify files to obtain more privileges on the device."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.kryptowire.com/adups_security_analysis.html", "refsource": "MISC", "url": "https://www.kryptowire.com/adups_security_analysis.html"}, {"name": "96854", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96854"}, {"name": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html", "refsource": "MISC", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-10136", "datePublished": "2017-01-13T09:00:00", "dateReserved": "2017-01-13T00:00:00", "dateUpdated": "2017-03-15T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adups:adups_fota:-:*:*:*:*:*:*:*", "matchCriteriaId": "D8B2E488-EEE4-4C16-B1F6-BD5847A0DE1A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on BLU R1 HD devices with Shanghai Adups software. The content provider named com.adups.fota.sysoper.provider.InfoProvider in the app with a package name of com.adups.fota.sysoper allows any app on the device to read, write, and delete files as the system user. In the com.adups.fota.sysoper app's AndroidManifest.xml file, it sets the android:sharedUserId attribute to a value of android.uid.system which makes it execute as the system user, which is a very privileged user on the device. This allows a third-party app to read, write, and delete files owned by the system user. The third-party app can modify the /data/system/users/0/settings_secure.xml file to add an app as a notification listener to be able to receive the text of notifications as they are received on the device. This also allows the /data/system/users/0/accounts.db to be read which contains authentication tokens for various accounts on the device. The third-party app can obtain privileged information and also modify files to obtain more privileges on the device."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en los dispositivos BLU R1 HD con software Shanghai Adups. El proveedor de contenido denominado com.adups.fota.sysoper.provider.InfoProvider en la aplicaci\u00f3n con un nombre de paquete de com.adups.fota.sysoper permite a cualquier aplicaci\u00f3n en el dispositivo leer, escribir y eliminar archivos como usuario de sistema. En el archivo AndroidManifest.xml de la aplicaci\u00f3n com.adups.fota.sysoper, establece el atributo android:SharedUserld en un valor de android.uid.system que lo hace ejecutar como el usuario del sistema el cual es un usuario muy privilegiado en el sistema. Esto permite a una aplicaci\u00f3n de terceros leer, escribir y eliminar archivos propiedad del usuario del sistema. La aplicaci\u00f3n de terceros puede modificar el archivo /data/system/users/0/settings_secure.xml para a\u00f1adir una aplicaci\u00f3n como escucha de notificaciones para poder recibir el texto de las notificaciones a medida que se reciben en el dispositivo. Esto tambi\u00e9n permite leer /data/system/users/0/accounts.db que contienen tokens de autenticaci\u00f3n para varias cuentas del dispositivo. La aplicaci\u00f3n de terceros puede obtener informaci\u00f3n privilegiada y tambi\u00e9n modificar archivos para obtener m\u00e1s privilegios en el dispositivo."}], "id": "CVE-2016-10136", "lastModified": "2017-03-16T01:59:00.637", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-13T09:59:00.217", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/96854"}, {"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://www.kryptowire.com/adups_security_analysis.html"}, {"source": "cve@mitre.org", "tags": ["Press/Media Coverage"], "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

JSON object

JSON object

JSON object