Slashdot Mirror


T-Mobile G1 Rooted

An anonymous reader writes "T-Mobile's G1 phone, the first commercially available Android based phone, has been rooted. The exploit is extremely simple to execute, just requiring you to run telnetd from a terminal on the phone, and then connecting to the phone via telnet."


  1. Re:Rooted? by Anonymous Coward · · Score: 2, Informative

    -- unless it's setuid, of course.

  2. Re:Wait...so.... by MrMr · · Score: 3, Informative

    No it's not more complex. The curious bit is that telnetd appears to set uid=0 after login, which allows you to make a setuid root shell.

  3. Re:This is like saying... by omeomi · · Score: 4, Informative

    The phone isn't rooted. Rooted means someone gained root access through an exploit and/or installed a root kit. Running telnetd and then connecting as root is a normal method of logging in, no exploits required.

    Well, given that it's a device that isn't designed to be root-accessible by the user, this did require somebody to do something that the manufacturer didn't intend in order to gain root access.

  4. Re:I haven't followed the whole Android business, by Sparr0 · · Score: 4, Informative

    Sorry, I fail for not RTFA. They are misusing "rooted", which confused me. "rooted" in the popular [geek] vernacular means that a remote non-admin user can gain root access, such as through a buffer overflow exploit. It has nothing to do with the practice of gaining root access on your own devices.

  5. No, you don't have to run as root first. by Animats · · Score: 4, Informative

    It's apparently weirder than that. Running "telnetd" as an ordinary user apparently allows remote logins as root. This happens even though the "telnetd" executable does not apparently come with permissions set-UID to root. If that's correct, there's a security hole somewhere else that's being used by accident here. Is "login" a set-UID program on Android phones?

    (As a robotics guy, I hate the name "Android" being used for a telephone. It's the worst choice since "U.S. Robotics" which ended up as a modem company.)

  6. Re:This is like saying... by Anonymous Coward · · Score: 1, Informative

    part of the exploit is that when *any* user logs in through telnet uid=0 is set. This allows any user to elevate to root privileges because the user's shell is set to the same uid as the telnet daemon (which is running as root)

  7. Re:Rooted? by Anonymous Coward · · Score: 4, Informative

    And it also works in the other way... you can put your already rooted equipment into any window, and anybody inside that house will be able to gain root access, and also call the police

  8. Re:Rooted? by paeanblack · · Score: 5, Informative

    If the door's unlocked, it's hardly "breaking in," is it?

    Yes it is.

    The "Breaking" part of "Breaking & Entering" refers to breaking the plane of entry, not physically damaging anything.

    "Breaking" is not actually a separate action from "Entering". The reason they are used together is for clarity...one word derives from Old English, and the other word derives from French. Writing laws this way was useful when the Normans and Saxons were trying to cohabitate on the same island.

    There are many legal terms constructed the same way:
    Null and void
    Cease and desist
    Last Will and Testament
    Aid and Abet
    Goods and Chattels
    Terms and Conditions
    etc.

  9. Re:Rooted? by Smauler · · Score: 4, Informative

    Erm.... Breaking and entering is exactly what it says. Just entering is called trespassing, and just breaking is called criminal damage. Don't ask me how I know :).

  10. Re:Coral to the rescue by GXTi · · Score: 3, Informative

    I don't understand why placeholder arguments aren't used 100% of the time a string is placed into a SQL query. It's completely baffling. Were that the case, SQL injection attacks would be totally infeasible, excepting even dumber TheDailyWTF-grade scenarios like having clients send SQL to the server. I suspect that PHP doesn't have them (or makes them harder to use), which would explain why it's such a horrible language.

    As for validating emails, check that there's at least one @ and that the part after the final @ has at least one dot in it, and you're good to go. No regular expressions required!
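The comment above argues for placeholder arguments and sketches a minimal e-mail check. The following is an added example, not code from the commenter or from Slashdot, that demonstrates both points against a constructed in-memory SQLite table: the same injection string pulls every row out of the string-concatenated query and nothing out of the parameterized one, and `looks_like_email` implements exactly the rule stated in the comment (one `@`, a dot after the last `@`). All table contents, function names and the injection payload are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (email, is_admin) VALUES (?, ?)",
        [
            ("alice@example.com", 0),
            ("bob@example.org", 0),
            ("root@example.net", 1),
        ],
    )
    return conn


def find_user_concat(conn, email):
    # The anti-pattern the comment complains about: attacker-controlled text
    # is spliced into the SQL string and parsed as SQL by the engine.
    sql = "SELECT id, email FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_user_param(conn, email):
    # Placeholder argument: the value travels separately from the statement
    # text, so quotes or keywords inside it are just characters in a string.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def looks_like_email(addr):
    # The rule from the comment, implemented literally: at least one '@',
    # and the part after the final '@' must contain a dot. Deliberately
    # permissive; it is a sanity check, not RFC 5322 validation.
    if "@" not in addr:
        return False
    domain = addr.rpartition("@")[2]
    return "." in domain


# Hypothetical payload: closes the quoted literal and appends a tautology,
# turning WHERE email = 'x' OR '1'='1' into a match on every row.
INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("concatenated:", find_user_concat(conn, INJECTION))
    print("parameterized:", find_user_param(conn, INJECTION))
    for a in ("alice@example.com", "alice@localhost", "no-at-sign.com", "a@b@c.d"):
        print(a, looks_like_email(a))
```

Because `find_user_param` never lets the payload reach the SQL parser, it returns an empty result for the injection string while still matching a real address exactly.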

  11. Explanation by Anonymous Coward · · Score: 1, Informative

    I think people are misunderstanding this exploit. The G1 is locked down so that a user normally can't get root access on the phone. This severely restricts the modability of the phone. Sure, you can install your own android apps.. but you can't change the android system in any way.

    This exploit allows a user to get root access on the device, and thus opens a new world of modding possibilities. You are no longer restricted to what the android SDK allows you to do.

    Maybe the term "rooted" isn't quite the right term, but that's debatable. In any case, this is a great find, that allows us G1 owners to have *much* more control over our phones.

  12. Re:You missed something important... by Eric Smith · · Score: 2, Informative

    Android does NOT run everything as root. They have a security model that uses separate user ids for many things, and root for almost nothing. When you start the telnetd, it is as a non-root user, and the telnetd is not setuid. However, when you connect to the telnetd from a telnet client, you get a root shell. Something extremely weird and/or broken seems to be going on in there.
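Both Animats's question above ("Is login a set-UID program on Android phones?") and Eric Smith's claim that telnetd is not setuid come down to one check: which binaries actually carry the setuid bit, and who owns them. The following is an added example, not code from either commenter or from Android, that performs that check on any Unix-like filesystem with Python's `os.stat`. The Android paths `/system/bin` and `/system/xbin` in the demo are assumptions about where such binaries would live; the helper `make_demo_dir` builds a constructed scratch directory so the functions can be exercised offline.

```python
import os
import stat
import tempfile


def setuid_info(path):
    """Return (setuid, setgid, owner_uid) for a path, following symlinks.

    A program started by an unprivileged user can only hand out a uid-0
    shell if it, or something it execs (login, for instance), is setuid
    root, or if a separately privileged component acts on its behalf.
    """
    st = os.stat(path)
    return (
        bool(st.st_mode & stat.S_ISUID),
        bool(st.st_mode & stat.S_ISGID),
        st.st_uid,
    )


def find_setuid_root(dirs):
    """Walk the given directories and list regular files that are setuid and owned by uid 0.

    Equivalent in spirit to `find DIR -type f -perm -4000 -uid 0`.
    Directories that do not exist are silently skipped.
    """
    hits = []
    for d in dirs:
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)  # do not follow symlinks while scanning
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    hits.append(p)
    return sorted(hits)


def make_demo_dir():
    """Constructed fixture: a scratch directory with one setuid-marked file and one plain file.

    The files are owned by whoever runs this, so find_setuid_root will only
    report the marked one when that user is uid 0.
    """
    d = tempfile.mkdtemp(prefix="suid-demo-")
    marked = os.path.join(d, "fake-telnetd")
    plain = os.path.join(d, "fake-sh")
    for p in (marked, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(marked, 0o4755)  # rwsr-xr-x
    os.chmod(plain, 0o755)    # rwxr-xr-x
    return d, marked, plain


if __name__ == "__main__":
    # Assumed locations; adjust for the device or host being inspected.
    candidates = ["/system/bin/telnetd", "/system/bin/login", "/bin/login", "/usr/bin/passwd"]
    for c in candidates:
        if os.path.exists(c):
            print(c, setuid_info(c))
    print(find_setuid_root(["/system/bin", "/system/xbin", "/bin", "/usr/bin"]))
    d, marked, plain = make_demo_dir()
    print(marked, setuid_info(marked))
    print(plain, setuid_info(plain))
```

If neither telnetd nor login shows up as setuid root, the commenters are right that the uid-0 shell must be coming from somewhere other than the binaries being run, and the search moves to whatever privileged process is handling the session.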

  13. Re:Rooted? by Anonymous Coward · · Score: 1, Informative

    Message received: To get the latest pron video on your phone place phone on the floor and step firmly with your heel on to the display.

    OMG phone destroyed by virus!

  14. Re:Rooted? by jmorris42 · · Score: 2, Informative

    > Agreed. Non-story. This is just stupid.

    Guess you didn't actually read the material. This shouldn't work but somehow a privilege escalation is allowing a non-root user to invoke telnetd and then to connect from outside and actually get a root shell. So the owner of the hardware is able to break into T-Mobile's software. Oh the horror!

    So far it is more likely to simply get patched instead of developing into a full jailbreak but stay tuned. The camel's nose has entered the tent, it just might be able to get all the way in.

    --
    Democrat delenda est

  15. Re:Rooted? by gv250 · · Score: 2, Informative

    Well, entering is called trespassing when it's a civil offense; it's breaking and entering when it's a criminal offense. paeanblack has it right.

    Not in Illinois. 720 ILCS 5/21-3 says, in relevant part:

    Sec. 21-3. Criminal trespass to real property. (a) ... whoever: (1) knowingly and without lawful authority enters or remains within or on a building ... commits a Class B misdemeanor.

  16. Re:I haven't followed the whole Android business, by I'm not really here · · Score: 2, Informative

    Yes. Microsoft is working on that one: http://www.microsoft.com/opensource/licenses.mspx

    --
    Before commenting on the Bible, please read it first

  17. Re:If you already have root... by amorsen · · Score: 2, Informative

    Does this mean that telnetd is setuid root, or does it mean that you already have to have root to get root?

    Neither. That is why this article is news.

    --
    Finally! A year of moderation! Ready for 2019?

  18. Re:Rooted? by ncc74656 · · Score: 2, Informative

    Because telnetd has some tiny fraction of the system overhead of ssh daemons, even "tiny" ones.

    CPU usage for an SSH daemon during an interactive session, while it probably is higher than a telnet daemon, is still low enough (0.005% instead of 0.001%, perhaps?) that it'll most likely get lost in the noise. I have dropbear running on a WRT54GL, and it has no trouble keeping up. The trivial CPU usage is worth the added security. It might crunch a bit more during session setup when it's using public-key encryption to set things up, but IIRC everything else gets shared-key encryption (which imposes much less of a load).

    --
    20 January 2017: the End of an Error.