jwz - Worst. Bug. Ever.

Worst. Bug. Ever. [Sat, 8-Nov-2008 7:25 PM]
[music |Ladytron -- Startup Chime]

Yeah, uh, "oops."

It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application, would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!

[...]
Funny story behind finding this:

I was in the middle of a text conversation with my girl when she asked why I hadn't responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated "Reboot" - which, to my surprise, rebooted my phone.

[...]
Here's a workaround I just discovered: Open the keyboard and type these 5 keystrokes: <return>-c-a-t-<return>. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.
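
Why the `<return>-c-a-t-<return>` workaround quoted above stops the phantom shell, as an added example that is not part of the original post: once the shell starts `cat`, `cat` inherits the same input stream and swallows every later keystroke as data. The model below assumes a `bash` process reading a pipe stands in for the phone's root shell, uses constructed keystrokes, and replaces `reboot` with a harmless function.

```shell
#!/bin/sh
# Added illustration (constructed input, not from the original post).
# Models the phantom root shell as a bash process whose stdin is the
# keystroke stream. "reboot" is replaced by a harmless shell function that
# only reports that it was executed, so nothing real is run.

# phantom_shell LINE...
# Each argument is one typed line followed by <return>. Prints one
# "executed: reboot" line for every time the shell interpreted "reboot".
phantom_shell() {
    {
        # Stand-in defined before any keystrokes arrive (demo assumption).
        printf '%s\n' 'reboot() { echo "executed: reboot" >&3; }'
        printf '%s\n' "$@"
    } | bash 3>&1 >/dev/null 2>&1
}

# Case 1: the user answers a text message with the single word "reboot".
without_workaround() { phantom_shell 'reboot'; }

# Case 2: the user first types <return> c a t <return>. The shell starts
# cat, which inherits the same stdin and reads everything typed afterwards,
# so later lines reach cat as data and are never parsed as commands.
with_workaround() { phantom_shell '' 'cat' 'reboot'; }

printf 'without workaround: [%s]\n' "$(without_workaround)"
printf 'with workaround:    [%s]\n' "$(with_workaround)"
```

The leading `<return>` matters because it terminates whatever partial line was already typed, so `cat` arrives at the shell as a command of its own.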

Comments:
From: bitterjesus
Sun, 9-Nov-2008 4:19 AM (UTC)

That's so bad it's awesome! As an aside, I feel slightly stupider from having read some of the comments, although the "rm -rf /*" was a good suggestion.

From: ioerror
Sun, 9-Nov-2008 5:00 AM (UTC)

Bugdoor!

From: jeremiahblatz
Sun, 9-Nov-2008 5:12 AM (UTC)

Man, I don't know if I want to believe this, but just can't, or if I don't want to believe this, but must.

From: mhoye
Sun, 9-Nov-2008 2:05 PM (UTC)

The best part is that since Android's not really open-source, you can't deploy any fixes yourself.

From: __marcelo
Sun, 9-Nov-2008 5:16 AM (UTC)

This is close to the platonic ideal of security bugs. It's hard to imagine any worse non-totally-trivial example.

From: jwz
Sun, 9-Nov-2008 5:18 AM (UTC)

Srsly. The only way it could be worse is if incoming SMS and email messages were also pasted to the shell.

From: gryazi
Sun, 9-Nov-2008 6:22 AM (UTC)

Don't security bugs have to compromise security in some fashion?

Although it'd be fun to check the .bash_history.

From: jwz
Sun, 9-Nov-2008 9:02 AM (UTC)

You seem to have forgotten that the telcos (and their bitches, the phone-software-providers) consider it a matter of security that you not be able to root your phone.

From: gryazi
Sun, 9-Nov-2008 10:14 PM (UTC)

Well, yeah, but I thought a condition of accepting Android in the first place was to not give a shit if the phone gets rooted by the user. Because otherwise they would not be going with Android and would have some 110% obscurified walled-garden system instead.

That's the good they're supposed to bring to the party and all, and the OS is there to prevent foot-shooting by software not vetted by the carrier, preventing it from making calls or scraping the address book or sending spam or forwarding everything the microphone or camera picks up without the user's consent.

[I am assuming that local root on the G1 doesn't give a user much of anything that local root on a laptop with a GSM modem or a Windows Mobile device doesn't, other than an increased ability to brick his own phone.]

Maybe it's a window of opportunity for software to send whatever it wants to the shell, or talk the user into running rm -rf /, but it seems so likely to hose the phone before then (did they leave shell history enabled?) that it's more a "WTF" than a "risk."

From: strspn
Sun, 9-Nov-2008 5:18 AM (UTC)

off topic

From: discogravy
Sun, 9-Nov-2008 5:58 AM (UTC)

Re: off topic

I keep this on my ipod just to horrify people with.

From: wdr1
Sun, 9-Nov-2008 7:21 AM (UTC)

Re: off topic

4chan is two doors down to the right.

From: jwz
Sun, 9-Nov-2008 9:01 AM (UTC)

Re: off topic

I see what you did there.

From: xrayspx
Sun, 9-Nov-2008 8:12 AM (UTC)

Re: off topic

I found that episode nowhere near as creepy as the My Fake Baby women.

From: violentbloom
Sun, 9-Nov-2008 8:39 AM (UTC)

rm *

this seems like an obvious thing to test, but maybe I just do devious edge-cases.

From: wisn
Mon, 10-Nov-2008 5:49 PM (UTC)

Until somebody figures a way to combine this with a remote exploit, you're unlikely to demonstrate how l337 you are outside of face-punching range of your victim.