Arale: open port 7000

Bug #1501502 reported by Ferry Toth
This bug affects 1 person
Affects: Canonical System Image
Status: Fix Released
Importance: Critical
Assigned to: Unassigned

Bug Description

When doing a port scan on my Meizu phone (OTA6) port 7000 appears to be open. The daemon mnld appears to be listening to the port. mnld is running as user 1021, for which there is no entry in /etc/passwd.

As far as I can tell mnld might have something to do with GPS, but I haven't been able to find documentation on this. It is unclear to me which client should be able to connect to this service, but I tried just Firefox: http://ubuntu-phablet:7000 and got data back (see below).

I scanned an Android phone and didn't find this port open.

I believe this may be a potential security vulnerability, but as I am not sure, I didn't dare to tick the option below.

# nmap -sV -v ubuntu-phablet

Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-30 22:18 CEST
NSE: Loaded 29 scripts for scanning.
Initiating Ping Scan at 22:18
Scanning ubuntu-phablet (192.168.178.67) [2 ports]
Completed Ping Scan at 22:18, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:18
Completed Parallel DNS resolution of 1 host. at 22:18, 0.00s elapsed
Initiating Connect Scan at 22:18
Scanning ubuntu-phablet (192.168.178.67) [1000 ports]
Discovered open port 22/tcp on 192.168.178.67
Discovered open port 7000/tcp on 192.168.178.67
Completed Connect Scan at 22:18, 0.37s elapsed (1000 total ports)
Initiating Service scan at 22:18
Scanning 2 services on ubuntu-phablet (192.168.178.67)
Completed Service scan at 22:20, 123.96s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.178.67.
Initiating NSE at 22:20
Completed NSE at 22:21, 60.94s elapsed
Nmap scan report for ubuntu-phablet (192.168.178.67)
Host is up (0.029s latency).
rDNS record for 192.168.178.67: ubuntu-phablet.fritz.box
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
7000/tcp open afs3-fileserver?
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.64 seconds

Then logging into the phone and:
# sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 23507/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 13335/sshd
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 807/mnld
tcp6 0 0 :::22 :::* LISTEN 13335/sshd
udp 0 0 0.0.0.0:64813 0.0.0.0:* 13219/dhclient
udp 0 0 127.0.1.1:53 0.0.0.0:* 23507/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 13219/dhclient
udp6 0 0 :::23322 :::* 13219/dhclient

Then:
# ps -ef | grep mnld
1021 807 691 0 sep23 ? 00:37:34 /system/xbin/mnld
root 13824 13801 0 22:32 pts/15 00:00:00 grep --color=auto mnld

(firefox):
$GPGGA,203649.000,5200.7542,N,00421.9867,E,1,4,2.38,-14.5,M,47.1,M,,*40
$GNGSA,A,3,02,09,16,,,,,,,,,,2.58,2.38,0.99*16
$GNGSA,A,3,75,,,,,,,,,,,,2.58,2.38,0.99*18
$GPGSV,3,1,11,07,66,136,,09,52,076,18.5,30,43,184,15.8,02,41,252,13.3*63
$GPGSV,3,2,11,05,39,299,,06,27,207,,16,16,036,26.0,23,14,079,*66
$GPGSV,3,3,11,13,08,255,10.8,29,07,321,13.4,26,02,013,*46
$GLGSV,3,1,10,66,62,091,,76,62,100,,67,55,313,,77,29,174,*67
$GLGSV,3,2,10,75,26,032,21.4,83,23,321,15.7,82,16,264,,65,10,111,*62
$GLGSV,3,3,10,68,04,298,,84,04,008,*6D
$BDGSV,1,1,4,10,29,048,,05,12,120,,07,08,035,,14,03,121,*52
$GNRMC,203649.000,A,5200.7542,N,00421.9867,E,0.000,122.18,300915,,,A*48
$GPVTG,122.18,T,,M,0.000,N,0.000,K,A*35
$GPACCURACY,6.5*0B
....

Tags: arale
Ferry Toth (ftoth) wrote :

Digging into the data format, it looks like the server is similar to NMEA data published by gpsd.

Is it really intentional to publish location via the wifi via an open port (no encryption, no password)?

Pat McGowan (pat-mcgowan) wrote :

@jamie care to comment

Changed in canonical-devices-system-image:
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

On an arale with:
current build number: 143
device name: arale
channel: ubuntu-touch/rc-proposed/meizu.en
last update: 2015-10-20 12:47:20
version version: 143
version ubuntu: 20151020
version device: 20151016-0b38025
version custom: 20150925-900-8-47

I don't see this port open, but the radio

/system/bin/mnld does exist. It does not exist on mako. Googling, it appears to be something that is specific to MediaTek. This is probably something from the device tarball and it should definitely not be listening on the network because that is a violation of our 'no open ports' policy. Perhaps someone from the arale enablement team can comment?

Jamie Strandboge (jdstrand) wrote :

I didn't finish this: 'but the radio is off, I'm only on wifi'.

Changed in canonical-devices-system-image:
assignee: Jamie Strandboge (jdstrand) → Yuan-Chen Cheng (ycheng-twn)
status: New → Incomplete
Changed in canonical-devices-system-image:
milestone: none → backlog
importance: Undecided → Critical
Ferry Toth (ftoth) wrote :

@Jamie, NMEA data probably relates to GPS data. Do you mean location data is supplied by the cell and wifi network and published by mnld? I have that switched off BTW, only using location data from the GPS.

Updated yesterday to Arale OTA7 (that is 15.04 r6). Forgot to mention earlier that the following commands are over the wifi connection. Repeating the nmap from #1 the port is now closed. The mnld daemon is still running but that might be correct if that is supplying GPS information to other internal processes, although it's not listening to a port any more. Still, GPS is working, as confirmed by the SensorStatus app (found support backend, method Satelite, location found) and working Google Maps and HERE Maps.

So, works for me with the latest update.

# nmap -sV -v ubuntu-phablet

Starting Nmap 6.47 ( http://nmap.org ) at 2015-10-20 23:38 CEST
NSE: Loaded 29 scripts for scanning.
Initiating Ping Scan at 23:38
Scanning ubuntu-phablet (192.168.178.67) [2 ports]
Completed Ping Scan at 23:38, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:38
Completed Parallel DNS resolution of 1 host. at 23:38, 0.00s elapsed
Initiating Connect Scan at 23:38
Scanning ubuntu-phablet (192.168.178.67) [1000 ports]
Discovered open port 22/tcp on 192.168.178.67
Completed Connect Scan at 23:38, 0.33s elapsed (1000 total ports)
Initiating Service scan at 23:38
Scanning 1 service on ubuntu-phablet (192.168.178.67)
Completed Service scan at 23:38, 6.01s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.178.67.
Nmap scan report for ubuntu-phablet (192.168.178.67)
Host is up (0.017s latency).
rDNS record for 192.168.178.67: ubuntu-phablet.fritz.box
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port22-TCP:V=6.47%I=7%D=10/20%Time=5626B465%P=x86_64-pc-linux-gnu%r(NUL
SF:L,29,"SSH-2\.0-OpenSSH_6\.7p1\x20Ubuntu-5ubuntu1\.3\r\n");

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.68 seconds

# sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 2433/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 15282/sshd ...


tags: added: arale
Chunsang Jeong (chunsang) wrote :

From my testing, 7000 was only opened when I used location service thru Nokia HERE. When turning it to "Using GPS only" then 7000 wasn't opened any more even from http://ubuntu-phablet:7000 at firefox.

Ferry Toth (ftoth) wrote :

@Chunsang: not in my case. I had "Using GPS only" switched on when I made the first report. Also, the open port persisted after a reboot. Finally, now with OTA7, it seems to be never opened.

Chunsang Jeong (chunsang) wrote :

@Ferry,
Right, after updating the device with OTA7, the port wasn't opened any more in any case.

Changed in canonical-devices-system-image:
status: Incomplete → Fix Released
milestone: backlog → ww40-2015
Changed in canonical-devices-system-image:
assignee: Yuan-Chen Cheng (ycheng-twn) → nobody
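
The following check is an added example, not part of the bug report and not Canonical's tooling: it parses `netstat -tulpn` output like that posted above and flags sockets bound to a non-loopback address, in the spirit of the 'no open ports' policy mentioned in the comments. The function name and the allowlist (sshd, dhclient) are assumptions made for this illustration.

```python
import ipaddress

# `netstat -tulpn` output as posted in the report (before the OTA7 update).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 23507/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 13335/sshd
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 807/mnld
tcp6 0 0 :::22 :::* LISTEN 13335/sshd
udp 0 0 0.0.0.0:64813 0.0.0.0:* 13219/dhclient
udp 0 0 127.0.1.1:53 0.0.0.0:* 23507/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 13219/dhclient
udp6 0 0 :::23322 :::* 13219/dhclient
"""

# Assumption: programs expected to hold network-facing sockets on this device
# (sshd because SSH access was enabled for the scan, dhclient for DHCP).
ALLOWED_PROGRAMS = {"sshd", "dhclient"}


def exposed_listeners(netstat_text, allowed=ALLOWED_PROGRAMS):
    """Return (proto, address, port, program) for each socket reachable from
    the network whose owning program is not on the allowlist."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue  # skip the two header lines
        proto, local = fields[0], fields[3]
        # TCP rows carry a State column, UDP rows do not; keep only TCP LISTEN.
        if proto.startswith("tcp") and fields[5] != "LISTEN":
            continue
        host, _, port = local.rpartition(":")  # ":::22" -> ("::", "22")
        addr = ipaddress.ip_address(host.split("%")[0])  # drop any IPv6 zone id
        if addr.is_loopback:
            continue  # 127.0.0.0/8 and ::1 are not reachable off-device
        # "807/mnld" -> "mnld"; a bare "-" (run without root) is never allowed.
        program = fields[-1].split("/", 1)[-1]
        if program not in allowed:
            findings.append((proto, str(addr), int(port), program))
    return findings


if __name__ == "__main__":
    for finding in exposed_listeners(SAMPLE_NETSTAT):
        print("policy violation:", finding)
```

Run against the pre-OTA7 output it reports only the mnld listener on 0.0.0.0:7000; dnsmasq on 127.0.1.1 is skipped because the whole 127.0.0.0/8 range is loopback.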