Quick poll, who likes their devices to be messed with remotely and without your knowledge? That’s what I thought, nobody! It seems ZTE has left a root shell on the Score M and WWE edition Skate which allows full root access with only a password.
The following was given to TeamAndIRC through Pastebin by an anonymous source within ZTE:
The ZTE Score M is an Android 2.3.4 (Gingerbread) phone available in the United States on MetroPCS, made by Chinese telecom ZTE Corporation.
There is a setuid-root application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. Just give the magic, hard-coded password to get a root shell:
$ sync_agent ztex1609523
# id
uid=0(root) gid=0(root)Nice backdoor, ZTE.
Regarding this exploit, ACS’ Head Chef ShabbyPenguin said,
“This was anonymously submitted and tipped off to some high level devs who have now independently confirmed this is the case.
Normal root is done by finding a vulnerability and exploiting it to gain escalated permissions, using that hole then stuffing programs like Superuser in and making it stick. [The] problem is as you can see from the Pastebin, all it requires is just a simple password and rooted shell is handed over. I cannot think of anything but [this being] deliberately left in. This seems too much to be an engineering tool “left in”.
So far it’s been confirmed that the ZTE Score M and the ZTE Skate as having this.”
ZTE has been made aware of this and has said they will be fixing it. Imagine though, the possibilities if this weren’t fixed, full control of a device could occur remotely and without your knowledge. Was this deliberately left in or was it an honest mistake? Let us know your thoughts.
zAcHcOmA
Sources Info: Pastebin / Reddit /TeamAndIRC
Let ACS know what you think, leave Comments Below.
____________________________________
In Android Creative Syndicate’s efforts to provide you, the reader with full and correct information in a timely manner, there is always a possibility of admitting a mistake. If you see anything wrong or incomplete please let ACS know immediately.
Thank you, in advance for your cooperation and understanding.
───────────────────────
In Android Creative Syndicate’s effort to provide you with full and correct information in a timely manner, there is always a possibility of admitting a mistake. If you see anything incorrect or incomplete please notify us in the comment section so it may be rectified. Some content, including images and text used in this post are used for demonstration and informational purposes and may be copyrighted. All images, ®, and ™ are copyright their respective owners. Thank you for your cooperation and understanding.
