Arale: open port 7000
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical System Image | Fix Released | Critical | Unassigned | |
Bug Description
When doing a port scan on my Meizu phone (OTA6), port 7000 appears to be open. The daemon mnld appears to be listening on the port. mnld is running as user 1021, for which there is no entry in /etc/passwd.
As far as I can tell mnld might have something to do with gps, but I haven't been able to find documentation on this. It is unclear to me which client should be able to connect to this service, but I tried just firefox: http://
I scanned an Android phone and didn't find this port open.
I believe this may be a potential security vulnerability, but as I am not sure, I didn't dare to tick the option below.
# nmap -sV -v ubuntu-phablet
Starting Nmap 6.47 ( http://
NSE: Loaded 29 scripts for scanning.
Initiating Ping Scan at 22:18
Scanning ubuntu-phablet (192.168.178.67) [2 ports]
Completed Ping Scan at 22:18, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:18
Completed Parallel DNS resolution of 1 host. at 22:18, 0.00s elapsed
Initiating Connect Scan at 22:18
Scanning ubuntu-phablet (192.168.178.67) [1000 ports]
Discovered open port 22/tcp on 192.168.178.67
Discovered open port 7000/tcp on 192.168.178.67
Completed Connect Scan at 22:18, 0.37s elapsed (1000 total ports)
Initiating Service scan at 22:18
Scanning 2 services on ubuntu-phablet (192.168.178.67)
Completed Service scan at 22:20, 123.96s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.178.67.
Initiating NSE at 22:20
Completed NSE at 22:21, 60.94s elapsed
Nmap scan report for ubuntu-phablet (192.168.178.67)
Host is up (0.029s latency).
rDNS record for 192.168.178.67: ubuntu-
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh (protocol 2.0)
7000/tcp open afs3-fileserver?
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://
Read data files from: /usr/bin/
Service detection performed. Please report any incorrect results at http://
Nmap done: 1 IP address (1 host up) scanned in 185.64 seconds
Then logging into the phone and:
# sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 23507/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 13335/sshd
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 807/mnld
tcp6 0 0 :::22 :::* LISTEN 13335/sshd
udp 0 0 0.0.0.0:64813 0.0.0.0:* 13219/dhclient
udp 0 0 127.0.1.1:53 0.0.0.0:* 23507/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 13219/dhclient
udp6 0 0 :::23322 :::* 13219/dhclient
Then:
# ps -ef | grep mnld
1021 807 691 0 sep23 ? 00:37:34 /system/xbin/mnld
root 13824 13801 0 22:32 pts/15 00:00:00 grep --color=auto mnld
(firefox):
$GPGGA,
$GNGSA,
$GNGSA,
$GPGSV,
$GPGSV,
$GPGSV,
$GLGSV,
$GLGSV,
$GLGSV,
$BDGSV,
$GNRMC,
$GPVTG,
$GPACCURACY,6.5*0B
....
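The exposure shown in the netstat output above can be checked for automatically. The following is an added example, not part of the original report or of the project's code: it parses `netstat -tulpn` rows (the sample rows are copied from the report) and flags listeners bound to a non-loopback address whose program is not on an expected list. The `EXPECTED` allowlist and the function names are assumptions made for illustration.

```python
import ipaddress

# netstat rows copied from the bug report above
NETSTAT = """\
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 23507/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 13335/sshd
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 807/mnld
tcp6 0 0 :::22 :::* LISTEN 13335/sshd
udp 0 0 0.0.0.0:64813 0.0.0.0:* 13219/dhclient
udp 0 0 127.0.1.1:53 0.0.0.0:* 23507/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 13219/dhclient
udp6 0 0 :::23322 :::* 13219/dhclient
"""

# Assumption: programs this device is expected to expose to the network.
EXPECTED = {"sshd", "dhclient"}


def parse_listeners(text):
    """Yield (proto, address, port, program) for each socket row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue  # column header or unrelated line
        if fields[0].startswith("tcp") and "LISTEN" not in fields:
            continue  # only listening TCP sockets are of interest
        # rpartition handles IPv6 too: ":::22" -> host "::", port "22"
        host, _, port = fields[3].rpartition(":")
        # PID/Program is the last column; UDP rows have no State column.
        program = fields[-1].partition("/")[2] or fields[-1]
        yield fields[0], ipaddress.ip_address(host), int(port), program


def unexpected_exposed(text, expected=EXPECTED):
    """Listeners reachable from other hosts whose program is not expected."""
    findings = []
    for proto, addr, port, program in parse_listeners(text):
        if addr.is_loopback:
            continue  # 127.0.0.0/8 and ::1 are reachable only locally
        if program not in expected:
            findings.append((proto, str(addr), port, program))
    return findings


if __name__ == "__main__":
    for finding in unexpected_exposed(NETSTAT):
        print("unexpected network listener:", finding)
```

Run against the report's output, this flags only the mnld listener on 0.0.0.0:7000; dnsmasq is skipped because 127.0.1.1 is a loopback address.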
Changed in canonical-devices-system-image:
assignee: Jamie Strandboge (jdstrand) → Yuan-Chen Cheng (ycheng-twn)
status: New → Incomplete

Changed in canonical-devices-system-image:
milestone: none → backlog
importance: Undecided → Critical
tags: added: arale

Changed in canonical-devices-system-image:
status: Incomplete → Fix Released
milestone: backlog → ww40-2015

Changed in canonical-devices-system-image:
assignee: Yuan-Chen Cheng (ycheng-twn) → nobody

Digging into the data format, it looks like the server is similar to NMEA data published by gpsd.
Is it really intentional to publish location via the wifi via an open port (no encryption, no password)?