Vulnerability Note VU#464683

Xelex Technologies MobileTrack contains multiple vulnerabilities

Original Release date: 21 May 2012 | Last revised: 29 Jul 2014

Overview

Xelex Technologies' MobileTrack application has been reported to not verify the source of administrative SMS commands. An unauthenticated remote attacker can send commands over SMS to MobileTrack. User data is also exposed on an insecure FTP server account.

Description

The website for MobileTrack states:

    "MobileTrack is a real-time mobile application platform that empowers organizations and individuals through Mobile Resource Management solutions. Customers can have visibility and control based on where a phone is located and how it is being used in real-time. With permission granted, a simple-to-install phone client is loaded directly onto a mobile smart phone and customers can quickly gain control of their mobile operations."


CVE-2012-2562: Lack of authentication for administrative SMS commands
It has been reported that the source of SMS commands are not verified (CWE-306). An unauthenticated remote attacker that knows the phone number of a device with MobileTrack installed can run commands over SMS as if they were the administrator. Some of the available commands that would be useful to an attacker are TERM and WIPE. TERM uninstalls the application and WIPE will wipe the entire phone.

CVE-2012-2567: Information exposure on insecure non-default FTP account
MobileTrack also contains an information exposure vulnerability for a non-default configuration that uses FTP instead of HTTPS. Although it is not the default, a MobileTrack system administrator may inadvertently create a situation where user data is stored on Xelex's FTP server using the same username and password for all MobileTrack users (CWE-200). The data on the FTP server is automatically removed from the directory after upload so the window of opportunity for an attacker to copy the data is small. Test credentials are hard coded (CWE-798) into the MobileTrack application and data is transferred unencrypted (CWE-311) over FTP if the default HTTPS option is not used. The vendor has stated the hard-coded test credentials are not actively used in the application.

Additional details may be found in Mobile Defense's security advisory.

The CVSS score below applies to CVE-2012-2562.

Impact

An unauthenticated remote attacker may be able to uninstall the application or wipe the device. If FTP is used, user data on Xelex's FTP server may be exposed.

Solution

Apply an Update
MobileTrack version 2.4.1 has been released to address these vulnerabilities. In version 2.4.1, the hard-coded test credentials, as well as, the FTP feature are removed and SMS commands are not accepted directly. A single SMS command will tell MobileTrack to check the server for the specific command that is to be executed. If the server does not contain a command to execute nothing will happen.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
XelexAffected08 May 201221 May 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 5.5 E:U/RL:U/RC:UR
Environmental 1.4 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to the Mobile Defense Threat Research Team for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-2562 CVE-2012-2567
  • Date Public: 21 May 2012
  • Date First Published: 21 May 2012
  • Date Last Updated: 29 Jul 2014
  • Document Revision: 49

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.