Bug In Android Passes Keystrokes To Root Shell
pasokon writes "ZDNet reports on an Android bug in T-Mobile G1s with early versions of the firmware: 'When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. ... open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: (enter)-r-e-b-o-o-t-(enter). Poof, your phone will reboot.'"
Re:This is simply mind-boggling. (Score:5, Informative)
Read this:
http://android.jim.sh/index.php/ConsoleShell
Looks like debugging code left behind...
Re:This is simply mind-boggling. (Score:5, Funny)
If you want to keep from fubar-ing your G1 by typing in the wrong stuff accidentally, just type "cat [enter]" first thing when you power on the device, and it will be defused from then on. All input will be harmlessly filed away to stdout.
Wait--you're missing the big picture.
Jailbreak the phone!
Woo! We now have root access! We can hax0r the phone and load our own custom applic...what? Oh. Shit. Wrong phone. I'll wait for the next iPhone article.
Re:This is simply mind-boggling. (Score:4, Informative)
You mean defused until you type Control-z, Control-d or Control-c, right?
Nope. I really do mean from then on. Read the various write-ups to understand why.
And for bonus points, see if you can find your phone's "control" key.
Re:This is simply mind-boggling. (Score:5, Funny)
This is obviously bad for Apple. I mean if the iPhone weren't all like, locked down, and, um....
Yeah, anyway, the iPhone is done for, no question. I mean you can't even GET to root shell on an iPhone, and here it is a standard feature on Android! Mind-boggling indeed!
Re:This is simply mind-boggling. (Score:4, Funny)
BTW what's this 'Android' you're talking about?
Re:This is simply mind-boggling. (Score:5, Insightful)
I can perfectly well imagine someone purposely piping all the user input to root shell for easy debug and development, then forgetting to disable it in the release version.
Re: (Score:2, Insightful)
A better way would be to require holding down e.g. "c" during boot to enable it. Automatically sending ALL keystrokes to the console is a bad idea, even for debugging.
Re: (Score:2)
So could I, and I'd damn well fire that person in an instant. You use a key combo or something at startup to trigger such actions, not do it by default.
You also make sure these things don't ever make it into production builds using #ifdef's or whatever java's flavor is.
This is simply unacceptable for a product like this, not one, but several people should be walking out the door right now for letting this A) happen and more importantly B) slip through the cracks of the QA/Release cycle.
Re:This is simply mind-boggling. (Score:5, Informative)
The latest OTA update is RC30, which patches the issue (I confirmed this on my G1).
I don't see the problem. (Score:2)
So you're using your device, and it let you do whatever you want with it. So what? Why does it matter if I'm root on my phone?
(Say whatever you want for exploitable applications also enjoying the same level of authority.)
Scary (Score:5, Funny)
Imagine the scamming possible: "reply to this text message with the access code telnetd for a chance to win $1000!"
Confluence (Score:5, Funny)
Suddenly, the memory-and-keystroke-saving command names of the past combine with the keystroke-saving text-speak of the present to create the nightmarish user interaction bugs of the future.
Re:Confluence (Score:5, Funny)
The extraordinary synergistic elements of modern input paradigms combined with the forward thinking interactivity of the past pushes the envelope of tomorrow's technology to new heights.
Re: (Score:2)
Fuck, that made my brain hurt. Watch it, along with /vertisements, they're seeding the comments section with marketroids.
reboot (Score:4, Funny)
doesn't wo
Open source, remember? fix already out (Score:5, Informative)
Re:Open source, remember? fix already out (Score:5, Interesting)
Bingo - You won't see this sort of turnaround time for a fix for the iPhone.
and this is why FOSS is a champion to me - the community fixes the issue and everyone else can check the fix to make sure it's not malicious.
And this is why all gov't entities in the USA should use FOSS. The people/community as a whole can do a better job of keeping the government secure than corporations can.
Re: (Score:2)
Of course, your argument would carry more weight if it weren't for the ridiculousness of leaving the debug feature on in the first place...
Re: (Score:2)
Bingo - You won't see this sort of turnaround time for a fix for the iPhone.
You are calling over a week to simply disable debugging code a good turnaround time?
Re: (Score:2)
For a bunch of people that don't work for the company that produced the flaw? Fuck yes that's goddamned GOOD turnaround time. Apple would have kept it under wraps for a month+ (just like Microsoft, don't think I'm playing favorites,) and issue the fix on their next patch cycle. FOSS doesn't have a patch cycle.
Usually, flaws like this get discovered on an iPhone, Apple tries to shut everyone up. In the FOSS world, you won't get that sort of bullshit nearly as often, as someone will look it over and figure ou
Re: (Score:2)
You also don't see this sort of stupidity on the iPhone, do you?
Open source is good for a lot of things, but don't try to proclaim its greatness because someone could fix a bug that never should have existed and certainly should have been 'seen' long before it went into production. It's open source, how many saw this before it went into production? How many people can take advantage of the flaw on the phones of someone who doesn't know about it yet?
In this situation while it is great that it was found and fi
Re: (Score:2)
The community had access as soon as the device came out. Granted Q/A from the COMPANY was shitty but the users making the fix is what makes FOSS great. The fact users can implement a fix, and have it sanctioned (whereas Microsoft and Apple most likely wouldn't sanction a user-fix,) makes the FOSS community even better. The information isn't FUCKING RESTRICTED LIKE YOUR MOTHER'S SNATCH, it's open like Las Vegas whores! Anyone can inspect it and determine the quality once it's available on the street!
Besides,
Re: (Score:2, Funny)
These phones are not on the google networks, and not low risk items like Google Earth. In many cases phones are not toys and consumers expect them to be safe and secure.
And that my friend is why I have the cheapest prepaid phone available, your attitude! I simply don't care to be like so many people I see tethered to an electronic device that makes them unaware of their surroundings and appear rude and narcissistic in public! I don't know you! I don't want to talk to you! And I certainly don't want to hear that you need to stop by the gas station to pick up a gallon of milk because you forgot it at Wal-Mart! And if it truly is a matter of import, of life and death moving a
Re: (Score:2)
Your question of "how quickly" was answered: Pretty damn fast, actually.
Re: (Score:3, Insightful)
I am a programmer and I am entirely and absolutely dumb-struck by this revelation.
That is absolutely the most asinine debug method I have ever heard and I am seriously wondering if it was an intentional backdoor.
Never, Ever send random commands to a shell. Hell, we are talking a unix base, there are hundreds, if not thousands of 2 and 3 letter functions which do 'something' and a significant number of them are not harmless. I realize the phone is not likely to have all of them, but it will have a number of t
Re: (Score:2)
Only if it aliased to rm -i
Re: (Score:3, Interesting)
python -c 'sys,time=__import__("sys"),__import__("time"); time.sleep(3); beepn = lambda x: [(sys.stdout.write(chr(7)), sys.stdo
Life under the thumb of cellular phone companies.. (Score:5, Interesting)
Are we really that messed up as a society?
If I type "Reboot" and the device actually reboots, doesn't that mean it's working?
Re:Life under the thumb of cellular phone companie (Score:5, Insightful)
Not when it reboots as a result of you including the reboot command into, to pick a random example, the text of a comment that you are posting to Slashdot.
Re: (Score:2)
The command "reboot isn't tickles lawl" might cause an unexpected reset.
Not until you type another single quote and press enter, though.
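A toy model of the behaviour discussed in this thread: every keystroke reaches a hidden shell, a blank-line-then-`reboot` becomes a command, the `cat` trick swallows everything afterwards, an unclosed quote keeps the shell waiting for the closing quote, and the two fixes suggested above (only start the console shell in an engineering build, and only when a key is held at boot). This is added example code, not Android's or anyone's from the thread; `ShadowShell` and `start_console_shell` are made-up names, and commands are only recorded, never run.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ShadowShell:
    """Model of the hidden root shell: every keystroke is fed to it and each
    complete command line is recorded (not executed) as an argv list."""
    executed: List[List[str]] = field(default_factory=list)
    pending: str = ""                   # keystrokes since the last complete command
    stdin_owner: Optional[str] = None   # a program such as `cat` that now owns stdin

    def feed(self, keystrokes: str) -> None:
        for ch in keystrokes:
            self.pending += ch
            if ch != "\n":
                continue
            try:
                argv = shlex.split(self.pending)
            except ValueError:
                continue                # unclosed quote: the shell waits for more input
            self.pending = ""
            if self.stdin_owner or not argv:
                continue                # `cat` eats the line; an empty line does nothing
            if argv[0] == "cat":
                self.stdin_owner = "cat"   # cat reads stdin until EOF, which never comes
            else:
                self.executed.append(argv)


def start_console_shell(build_type: str, key_held_at_boot: Optional[str]) -> Optional[ShadowShell]:
    """The thread's mitigations (assumed design): never start the debug shell in a
    release build, and even in an engineering build only when a key is held at boot."""
    if build_type != "eng":
        return None
    if key_held_at_boot != "c":
        return None
    return ShadowShell()
```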
Re: (Score:2)
Your "foom" message could be an email looking something like this:
--- cut here --- cut here ---
Dear Luser,
If you want to reboot your machine, just type
reboot
into a root shell.
Love from Pogue
--- cut here --- cut here ---
(except you wouldn't get that far ;-)
Re:Life under the thumb of cellular phone companie (Score:5, Funny)
Instant karma's a bitch.
Re: (Score:3, Insightful)
If that was the iPhone slashdot users would be going ballistic right now - and rightly so.
Re:Life under the thumb of cellular phone companie (Score:2)
$ reboot
reboot: Need to be root
A Conversation (Score:5, Funny)
Re: (Score:3, Funny)
funny yes, but the shell is already root so there is no sudo necessary.
Re:A Conversation (Score:4, Funny)
A relative to little Bobby Tables [xkcd.com] perhaps? ;-)
Seriously Google... (Score:4, Interesting)
I'm starting to get a little suspicious, to be frank. You've existed for many, many moons, Google...you have over 20,000 employees. You have computing capacity that's normally limited to that of small countries. Shouldn't you be a little further along by now?
Re: (Score:3, Interesting)
I have read the headline as "Android allows remote root access" and was like "Not a big surprise" immediately.
Ordinary people, not just techies, got way paranoid about Google and such bugs only serve to validate them.
People modding you as troll should understand what Android is supposed to race with. Damn secure, stable, 200 million installed Symbian which is soon to be open source and Windows Mobile by the mafioso style company Microsoft which gets huge support from their Windows desktop dominance. Lets no
Re: (Score:2)
Yeah, leaving debugging features activated in the shipped product, seriously amateur shit that *NO* professional company would ever do.
C'mon, this had a particularly nasty effect, but the causes behind it are as common as they come.
Degradation (Score:2, Informative)
This coming from Google? That surprises (and scares) me. I don't know how something like that would get through a QA process unless the QA process was rushed ... oh no, please don't become like almost every other software company out there Google! :-/
Re: (Score:2)
Too late.
Re: (Score:2)
What QA?
As if there were Google products that actually pass beta before DNF is out... lol. ;)
Re: (Score:3, Interesting)
Their install process on OS X (Google Desktop) has horrified people so much that there is an article about it on Daring Fireball, Gruber's blog.
http://daringfireball.net/2007/04/google_desktop_installer , especially the part where it messes with /System (shouldn't even go there unless you code kernel extensions)
Their recent Chrome install process on Windows is also a horrible way of doing things,
http://robmensching.com/blog/archive/2008/09/04/Dissecting-the-Google-Chrome-setup.aspx
If you notice, they are all p
Re: (Score:3, Interesting)
Why is everyone assuming that having root on your own phone is a security bug? I mean it's odd that it's exposed there, but it's your phone. A bug, sure, but a big security issue? Not really. So someone with physical access to the phone can theoretically hack into it. But that's always the case.
Re: (Score:2)
Note that it is T-Mobile that is selling the phones, though, not Google. Most likely T-Mobile introduced the bug.
Re: (Score:2)
> This coming from Google?
Google doesn't sell phones. It's coming from T-Mobile.
False (Score:2, Interesting)
Re:False (Score:5, Informative)
I restarted my phone manually, and tried this on a fresh boot. My phone did immediately restart. Yikes.
Re: (Score:3, Interesting)
Try this:
echo hello | passwd --stdin
Free root?
You might want to save passwd before doing this, though ;-)
Re: (Score:2)
The phone doesn't have passwd, or a traditional passwd database at all.
Scary (Score:4, Interesting)
Re: (Score:2)
I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course
My cat has the stupid tendency to suddenly jump onto keyboards, often where the enter key is located. You must be happy not to have a cat like that.
Re: (Score:2)
Unless you open the phone via something like telnet. There's a simple piece of social engineering here. Come up with a sob story about how you need to make a phone call and you don't have a phone. Find a kind G1 owner to let you borrow theirs to make a call. Have a friend distract them. Quickly run the exploit and open up remote access...
You could potentially download a little thing that calls home to help you locate the phone on the network, and get pretty much whatever you want off of it and since it's a ke
Dang. My other slashdot username is "rm -rf /" (Score:2, Funny)
I must be tired (Score:3, Funny)
Customers leave through the back door (Score:2, Funny)
After hearing about the backdoor kill switch, the platform became irrelevant to me in the first place. :/
Sad because I was looking forward to it. I guess there must be a way to block that though, right? Unless software updates remove the remover remover?
*looks at last sentence*
Wow... it's just not worth the effort to even begin that fight...
"What's your number?" (Score:2)
"It's rm [space] -rf [space] /"
Product liability for open source? (Score:2)
Don't know if this is true, but let's seize the opportunity to discuss whether putting open source code on the web increases the risk to a developer of being held liable for its bugs. Not specifically for this case, but generally:
Some countries have strict liability laws, and it is possible to be held liable if any action of yours causes extreme problems, such as death of another person. Sometimes such laws are very broad and very strange. Would it be possible for an evil aggressor to attack open source
does it come with "yes" command? (Score:2)
If the command "yes" (that outputs a string repeatedly until killed) is included I would guess it would be pretty common to suddenly have your android mobile become slower.
So that is how the telnetd hack worked? (Score:2)
The telnetd hack was running as root without explanation, and was oddly non-functional from the adb shell. This could provide a reason for that -- the adb shell was running the telnetd process as the non-root user, while running telnetd from the phone itself (via pTerminal) was running as the non-root user AND as the root user (via this bug). The execution as a non-root user would fail, while the second launch as root would succeed and open a root shell on port 22.
Case solved?
Time to update the release checklist (Score:2)
So now the web truly remembers everything!
I take it there's no silver bullet for building and packaging projects, either.
Re: (Score:3, Funny)
I am typing this from my Android. I have tried this and I don't have any pr
NO CARRIER
Nah it'll never work (Score:3, Insightful)
shred won't be installed.
cat /dev/urandom > /dev/hda is far more likely to work.
HTH
Re: (Score:2)
Raising what bar?
Re: (Score:3, Informative)
I have Linux installed on a compact flash card, and it sees itself as residing on hda because it is connected via adapter to an IDE socket. It might be seen as sda if it were connected to a SATA connection.
No physical IDE (or SATA) drive needed. There might easily be interface emulation to ease the porting of the OS to solid state devices.
Re: (Score:2)
initrd.img
vmlinuz.old
Re:Easier than the iPhone (Score:4, Funny)
In the name of all that is holy, who has a file matching *.* in their root?!
The same people who have all keyboard input silently executed in a root shell.
Re: (Score:2)
it's
rm -rf /
Re:Easier than the iPhone (Score:4, Funny)
Good. You should never enter a command you don't understand. I'm all for raising the bar above water level.
Re: (Score:3, Funny)
I'm beginning to suspect it could be intentional for free advertising at this point.
Only if they're advertising iPhones or BlackBerrys.