
T-Mobile G1 Rooted 246

Posted by CmdrTaco
from the that-didn't-take-long dept.
An anonymous reader writes "T-Mobile's G1 phone, the first commercially available Android-based phone, has been rooted. The exploit is extremely simple to execute, just requiring you to run telnetd from a terminal on the phone, and then connecting to the phone via telnet."
This discussion has been archived. No new comments can be posted.

  • Re:Rooted? (Score:2, Informative)

    by Anonymous Coward on Wednesday November 05, 2008 @10:41AM (#25642531)

    -- unless it's setuid, of course.

  • Re:Wait...so.... (Score:4, Informative)

    by MrMr (219533) on Wednesday November 05, 2008 @10:58AM (#25643005)
    No it's not more complex. The curious bit is that telnetd appears to set uid=0 after login, which allows you to make a setuid root shell.
  • by omeomi (675045) on Wednesday November 05, 2008 @11:09AM (#25643301) Homepage
    The phone isn't rooted. Rooted means someone gained root access through an exploit and/or installed a root kit. Running telnetd and then connecting as root is a normal method of logging in, no exploits required.

    Well, given that it's a device that isn't designed to be root-accessible by the user, this did require somebody to do something that the manufacturer didn't intend in order to gain root access.
  • by Sparr0 (451780) <sparr0@gmail.com> on Wednesday November 05, 2008 @11:11AM (#25643365) Homepage Journal

    Sorry, I fail for not RTFA. They are misusing "rooted", which confused me. "rooted" in the popular [geek] vernacular means that a remote non-admin user can gain root access, such as through a buffer overflow exploit. It has nothing to do with the practice of gaining root access on your own devices.

  • by Animats (122034) on Wednesday November 05, 2008 @11:15AM (#25643477) Homepage

    It's apparently weirder than that. Running "telnetd" as an ordinary user apparently allows remote logins as root. This happens even though the "telnetd" executable does not apparently come with permissions set-UID to root. If that's correct, there's a security hole somewhere else that's being used by accident here. Is "login" a set-UID program on Android phones?

    (As a robotics guy, I hate the name "Android" being used for a telephone. It's the worst choice since "U.S. Robotics" which ended up as a modem company.)

  • by Anonymous Coward on Wednesday November 05, 2008 @11:20AM (#25643613)

    Part of the exploit is that when *any* user logs in through telnet, uid=0 is set. This allows any user to elevate to root privileges because the user's shell is set to the same uid as the telnet daemon (who is running as root).

  • Re:Rooted? (Score:4, Informative)

    by Anonymous Coward on Wednesday November 05, 2008 @11:41AM (#25644199)

    And it also works in the other way... you can put your already rooted equipment into any window, and anybody inside that house will be able to gain root access, and also call the police

  • Re:Rooted? (Score:5, Informative)

    by paeanblack (191171) on Wednesday November 05, 2008 @11:41AM (#25644211)

    If the door's unlocked, it's hardly "breaking in," is it?

    Yes it is.

    The "Breaking" part of "Breaking & Entering" refers to breaking the plane of entry, not physically damaging anything.

    "Breaking" is not actually a separate action from "Entering". The reason they are used together is for clarity...one word derives from Old English, and the other word derives from French. Writing laws this way was useful when the Normans and Saxons were trying to cohabitate on the same island.

    There are many legal terms constructed the same way:
    Null and void
    Cease and desist
    Last Will and Testament
    Aid and Abet
    Goods and Chattels
    Terms and Conditions
    etc.

  • Re:Rooted? (Score:5, Informative)

    by Smauler (915644) on Wednesday November 05, 2008 @11:44AM (#25644279)

    Erm.... Breaking and entering is exactly what it says. Just entering is called trespassing, and just breaking is called criminal damage. Don't ask me how I know :).

  • by GXTi (635121) <gxti@partiallystapled.com> on Wednesday November 05, 2008 @12:20PM (#25645079) Homepage
    I don't understand why placeholder arguments aren't used 100% of the time a string is placed into a SQL query. It's completely baffling. Were that the case, SQL injection attacks would be totally infeasible, excepting even dumber TheDailyWTF-grade scenarios like having clients send SQL to the server. I suspect that PHP doesn't have them (or makes them harder to use), which would explain why it's such a horrible language.

    As for validating emails, check that there's at least one @ and that the part after the final @ has at least one dot in it, and you're good to go. No regular expressions required!

  • Explanation (Score:1, Informative)

    by Anonymous Coward on Wednesday November 05, 2008 @01:26PM (#25646535)

    I think people are misunderstanding this exploit. The G1 is locked down so that a user normally can't get root access on the phone. This severely restricts the modability of the phone. Sure, you can install your own android apps.. but you can't change the android system in any way.

    This exploit allows a user to get root access on the device, and thus opens a new world of modding possibilities. You are no longer restricted to what the android SDK allows you to do.

    Maybe the term "rooted" isn't quite the right term, but that's debatable. In any case, this is a great find, that allows us G1 owners to have *much* more control over our phones.

  • by Eric Smith (4379) <eric@brouhaha. c o m> on Wednesday November 05, 2008 @02:05PM (#25647151) Homepage Journal
    Android does NOT run everything as root. They have a security model that uses separate user ids for many things, and root for almost nothing. When you start the telnetd, it is as a non-root user, and the telnetd is not setuid. However, when you connect to the telnetd from a telnet client, you get a root shell. Something extremely weird and/or broken seems to be going on in there.
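
A defender's check for the symptom described in the comments above (a root shell appearing under a non-root, non-setuid telnetd), as an added example that is not from the thread or from Android: it scans a process snapshot for a root process whose parent is not root and whose own executable is not setuid-root. The `/proc/<pid>/status` excerpts, PIDs, UIDs and the `SETUID_ROOT` map are constructed sample data.

```python
# Constructed /proc/<pid>/status excerpts (not captured from a real device).
SAMPLE_STATUS = {
    412: "Name:\tterminal\nPid:\t412\nPPid:\t1\nUid:\t10021\t10021\t10021\t10021\n",
    431: "Name:\ttelnetd\nPid:\t431\nPPid:\t412\nUid:\t10021\t10021\t10021\t10021\n",
    440: "Name:\tsh\nPid:\t440\nPPid:\t431\nUid:\t0\t0\t0\t0\n",
    502: "Name:\tsu\nPid:\t502\nPPid:\t412\nUid:\t10021\t0\t0\t0\n",
    503: "Name:\tsh\nPid:\t503\nPPid:\t502\nUid:\t0\t0\t0\t0\n",
}
# Constructed: is each process's executable setuid and owned by root?
# On a live Linux system this would come from os.stat("/proc/<pid>/exe").
SETUID_ROOT = {412: False, 431: False, 440: False, 502: True, 503: False}

def parse_status(text):
    """Extract name, pid, parent pid and real/effective uid from status text."""
    fields = dict(
        line.split(":\t", 1) for line in text.splitlines() if ":\t" in line
    )
    # Uid line order: real, effective, saved, filesystem.
    real, effective, *_ = (int(x) for x in fields["Uid"].split())
    return {
        "name": fields["Name"],
        "pid": int(fields["Pid"]),
        "ppid": int(fields["PPid"]),
        "ruid": real,
        "euid": effective,
    }

def unexplained_root(status_by_pid, setuid_root):
    """Return (pid, name, parent name, parent euid) for each root process
    that has a non-root parent and no setuid-root executable to explain it."""
    procs = {pid: parse_status(t) for pid, t in status_by_pid.items()}
    findings = []
    for pid, proc in sorted(procs.items()):
        parent = procs.get(proc["ppid"])
        if parent is None or proc["euid"] != 0 or parent["euid"] == 0:
            continue  # parent unknown, process not root, or parent already root
        if not setuid_root.get(pid, False):
            findings.append((pid, proc["name"], parent["name"], parent["euid"]))
    return findings

if __name__ == "__main__":
    for finding in unexplained_root(SAMPLE_STATUS, SETUID_ROOT):
        print("unexplained root process:", finding)
```

The `su` entry shows the expected case: its effective uid is 0 under a non-root parent, but the setuid-root executable accounts for it, so only the shell under `telnetd` is reported.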
  • Re:Rooted? (Score:1, Informative)

    by Anonymous Coward on Wednesday November 05, 2008 @02:16PM (#25647277)

    Message received: To get the latest pron video on your phone place phone on the floor and step firmly with your heel on to the display.

    OMG phone destroyed by virus!

  • Re:Rooted? (Score:3, Informative)

    by jmorris42 (1458) * <jmorris.beau@org> on Wednesday November 05, 2008 @02:18PM (#25647309)

    > Agreed. Non-story. This is just stupid.

    Guess you didn't actually read the material. This shouldn't work but somehow a privilege escalation is allowing a non-root user to invoke telnetd and then to connect from outside and actually get a root shell. So the owner of the hardware is able to break into T-Mobile's software. Oh the horror!

    So far it is more likely to simply get patched instead of developing into a full jailbreak but stay tuned. The camel's nose has entered the tent, it just might be able to get all the way in.

  • Re:Rooted? (Score:2, Informative)

    by gv250 (897841) on Wednesday November 05, 2008 @02:19PM (#25647319)

    Well, entering is called trespassing when it's a civil offense; it's breaking and entering when it's a criminal offense. paeanblack has it right.

    Not in Illinois. 720 ILCS 5/21-3 [ilga.gov] says, in relevant part:

    Sec. 21-3. Criminal trespass to real property. (a) ... whoever: (1) knowingly and without lawful authority enters or remains within or on a building ... commits a Class B misdemeanor.

  • by I'm not really here (1304615) on Wednesday November 05, 2008 @03:27PM (#25648597)
    Yes. Microsoft is working on that one: http://www.microsoft.com/opensource/licenses.mspx [microsoft.com]
  • by amorsen (7485) <benny+slashdot@amorsen.dk> on Wednesday November 05, 2008 @03:59PM (#25649211)

    Does this mean that telnetd is setuid root, or does it mean that you already have to have root to get root?

    Neither. That is why this article is news.

  • Re:Rooted? (Score:3, Informative)

    by ncc74656 (45571) * <scott@alfter.us> on Thursday November 06, 2008 @11:30AM (#25662591) Homepage Journal

    Because telnetd has some tiny fraction of the system overhead of ssh daemons, even "tiny" ones.

    CPU usage for an SSH daemon during an interactive session, while it probably is higher than a telnet daemon, is still low enough (0.005% instead of 0.001%, perhaps?) that it'll most likely get lost in the noise. I have dropbear running on a WRT54GL, and it has no trouble keeping up. The trivial CPU usage is worth the added security. It might crunch a bit more during session setup when it's using public-key encryption to set things up, but IIRC everything else gets shared-key encryption (which imposes much less of a load).
