Xelex Technologies MobileTrack contains multiple vulnerabilities

Overview

Xelex Technologies’ MobileTrack application has been reported to not verify the source of administrative SMS commands. An unauthenticated remote attacker can send commands over SMS to MobileTrack. User data is also exposed on an insecure FTP server account.

Description

The website for MobileTrack states:

“MobileTrack is a real-time mobile application platform that empowers organizations and individuals through Mobile Resource Management solutions. Customers can have visibility and control based on where a phone is located and how it is being used in real-time. With permission granted, a simple-to-install phone client is loaded directly onto a mobile smart phone and customers can quickly gain control of their mobile operations.”

CVE-2012-2562**: Lack of authentication for administrative SMS commands**
It has been reported that the source of SMS commands are not verified (CWE-306). An unauthenticated remote attacker that knows the phone number of a device with MobileTrack installed can run commands over SMS as if they were the administrator. Some of the available commands that would be useful to an attacker are TERM and WIPE. TERM uninstalls the application andWIPEwill wipe the entire phone.

CVE-2012-2567: Information exposure on insecure non-default FTP account
MobileTrack also contains an information exposure vulnerability for a non-default configuration that uses FTP instead of HTTPS. Although it is not the default, a MobileTrack system administrator may inadvertently create a situation where user data is stored on Xelex’s FTP server using the same username and password for all MobileTrack users (CWE-200). The data on the FTP server is automatically removed from the directory after upload so the window of opportunity for an attacker to copy the data is small. Test credentials are hard coded (CWE-798) into the MobileTrack application and data is transferred unencrypted (CWE-311) over FTP if the default HTTPS option is not used. The vendor has stated the hard-coded test credentials are not actively used in the application.

Additional details may be found in Mobile Defense’s security advisory.

The CVSS score below applies to CVE-2012-2562.

---

Impact

An unauthenticated remote attacker may be able to uninstall the application or wipe the device. If FTP is used, user data on Xelex’s FTP server may be exposed.

---

Solution

Apply an Update
MobileTrack version 2.4.1 has been released to address these vulnerabilities. In version 2.4.1, the hard-coded test credentials, as well as, the FTP feature are removed and SMS commands are not accepted directly. A single SMS command will tell MobileTrack to check the server for the specific command that is to be executed. If the server does not contain a command to execute nothing will happen.

---

Vendor Information

464683

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Xelex Affected

Notified: May 08, 2012 Updated: May 21, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	5.5	E:U/RL:U/RC:UR
Environmental	1.4	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

• <http://www.xelex.net/mobiletrack/&gt;
• <http://play.google.com/store/apps/details?id=com.mobiletrack&gt;
• <http://blog.mobiledefense.com/2012/05/mobile-defense-finds-two-security-vulnerabilities-in-xelex-mobiletrack/&gt;
• <http://cwe.mitre.org/data/definitions/306.html&gt;
• <http://cwe.mitre.org/data/definitions/798.html&gt;
• <http://cwe.mitre.org/data/definitions/200.html&gt;
• <http://cwe.mitre.org/data/definitions/311.html&gt;

Acknowledgements

Thanks to the Mobile Defense Threat Research Team for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:	CVE-2012-2562, CVE-2012-2567
Date Public:	2012-05-21 Date First Published: