Bug In Android Passes Keystrokes To Root Shell
pasokon writes "ZDNet reports on an Android bug in T-Mobile G1s with early versions of the firmware: 'When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. ... open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: (enter)-r-e-b-o-o-t-(enter). Poof, your phone will reboot.'"
I can't imagine how or why anyone could accidentally pipe all user input through a root shell. This is one for the WTF of the decade.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
So would typing:
Enter shred -vfz -n 100 /dev/hda
Do what I think it would do?
Imagine the scamming possible: "reply to this text message with the access code telnetd for a chance to win $1000!"
Suddenly, the memory-and-keystroke-saving command names of the past combine with the keystroke-saving text-speak of the present to create the nightmarish user interaction bugs of the future.
RomSteady - I came, I saw, I tested. GamerTag: RomSteady / http://www.romsteady.net
doesn't wo
I guess it will be easier to jailbreak than the iPhone. It's not a bug, it's a feature! I wonder what happens when you type "(enter)rm /*.* -r(enter)", and is it warrantied?
Are we really that messed up as a society?
If I type "Reboot" and the device actually reboots, doesn't that mean it's working?
http://pinopsida.com
Not when it reboots as a result of you including the reboot command into, to pick a random example, the text of a comment that you are posting to Slashdot.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Sort of. The problem is that it also means if you're texting a buddy of yours or writing a memo, and you just happen to type "reboot" and press enter in your message, then your phone restarts. You probably didn't want that to happen.
That's some amateur shit to have made it beyond beta 1. What the hell are your programmers doing all day?
I'm starting to get a little suspicious, to be frank. You've existed for many, many moons, Google...you have over 20,000 employees. You have computing capacity that's normally limited to that of small countries. Shouldn't you be a little further along by now?
This coming from Google? That surprises (and scares) me. I don't know how something like that would get through a QA process unless the QA process was rushed ... oh no, please don't become like almost every other software company out there Google! :-/
shred won't be installed.
cat /dev/urandom > /dev/hda is far more likely to work.
HTH
Deleted
I still haven't received the first OTA update for my Android yet (meaning I'm running RC19), and "the test" fails. My phone does not reboot.
I know more than you drink.
Delete *
You'd have to press enter then reboot then enter again. Otherwise reboot will be at the end of a long string of crap that the shell won't understand anyway. How many times are these phones returning 'command not found' I wonder.
How often do you type (ENTER)reboot(ENTER) ?
Most likely your comment will have words in the line that precede reboot.
Where you are in danger is sending someone a text message like "reboot it"
Or trying to send a text message with a unix command in it.
A workaround might be to type something like 'cat' (enter), or "PATH=/" (enter) into the KB, every time you turn your phone on, and refrain from hitting Ctrl-C
I've got RC19 and this worked just fine, from the home screen, from an ssh app (where one might accidentally type the command intending it as genuine input), and even with the phone locked.
And honestly, this isn't that strange. Every phone I've owned has had some set of hidden commands that when keyed in will bring up debug info, reboot, etc. True, it's generally something much more obscure and less easy to accidentally trigger like a numeric sequence with octothorpes (#s) at either end.
I doubt this is a bug at all, just a poorly-chosen way to enact a standard system operation (that, I might add, if you use the browser a lot, you sorely need once a day or so).
Cherish. Live. Dream.
Hmm, what do you know... another obvious quirk to the Android that gets it on the frontpage of slashdot. I'm beginning to suspect it could be intentional for free advertising at this point. But then, who am I to question OS compilation? I couldn't even get Gentoo to run.
I'm on firmware 1.0 and TC4-RC29 and it works. That's kind of scary... Especially because I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course but if I did...
I wondered why I couldn't use my phone anymore. I thought Slashdot got pwned by some worm that infected my Android browser after the last time I logged in...
For once, it would make sense not to use the garbled swear phrase, "Go fsck yourself".
Face your daemons!
no matches found: google?
On the android enter sends a text.
So it is a real option to type it at the start of an SMS when trouble shooting with someone.
ME: What's happening <hits enter>
Friend:random problem
Me:reboot <hits enter>
Still not likely.
I also find it interesting that just typing telnetd allows remote access, without opening a shell.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Your "foom" message could be an email looking something like this:
--- cut here --- cut here ---
Dear Luser,
If you want to reboot your machine, just type
reboot
into a root shell.
Love from Pogue
--- cut here --- cut here ---
(except you wouldn't get that far ;-)
Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
Am I the only one who at first thought we found a bug in an asteroid passing earth, implying life in space, then something about a sea shell and a root to some plant? And all of this being some key to something, not sure what... Hmmm... I think I need more sleep.
A unique way to learn a language: http://languageloom.com
Instant karma's a bitch.
$ reboot
reboot: Need to be root
After hearing about the backdoor kill switch, the platform became irrelevant to me in the first place. :/
Sad because I was looking forward to it. I guess there must be a way to block that though, right? Unless software updates remove the remover remover?
*looks at last sentence*
Wow... it's just not worth the effort to even begin that fight...
well the command "LOL COMMENT reboot" won't execute. The command "reboot isn't tickles lawl" might cause an unexpected reset.
Obligatory blog plug: http://www.caseybanner.ca/
Wait, a Unix command? Darn, I was thinking of getting an android phone because it was supposed to be open source. Now you are telling me that Darl McBride owns Android? That's just wrong.
If that was the iPhone slashdot users would be going ballistic right now - and rightly so.
You know... I like this a lot better than _not being able_ to get any shell on my phone.
It may be a bug, but a side effect that is pleasant is the end user has more control over the device than they would have over most consumer electronics.
In most products, the manufacturer goes out of their way to make sure the end user can't gain access to such things as a shell, by using secret passwords, signed binaries, and such...
Yes, it's also risky... if commands like "rm -rf ROOT_FILESYSTEM_PATH" actually do anything (other than result in a silent error due to, say, a "read only filesystem").
But no well-experienced Unix admin dares type in the actual command to "rm -rf" the system root directory in any context whatsoever.
I suspect the fix will be more unfortunate than the bug... removing the ability to get any shell access to the phone at all.
The command "reboot isn't tickles lawl" might cause an unexpected reset.
Not until you type another single quote and press enter, though.
The state you are in while your HEAD is detached... - wait, what?
I have the Android build:
kila-user 1.0 TC4-RC29 115247
And I just tried this and it rebooted my phone. Really WTF. I imagine this will be fixed soon, but I do know several people have not received the RC29 OTA updates. I never did; I had to manually update the phone, and as far as I know I do not have the patch to fix 'jailbreaking' the phone, as it's called.
well played!
Obligatory blog plug: http://www.caseybanner.ca/
Aside from the silently and invisibly part, a shell being available on boot isn't that bad of an idea?
Bah pansy! Real man run as root!
Just 3 days ago slashdot did an article about stupid unix tricks http://ask.slashdot.org/askslashdot/08/11/05/2027234.shtml I would lul so hard if the first poster was on a G1
"It's rm [space] -rf [space] /"
Don't know if this is true, but let's seize the opportunity to discuss whether putting open source code on the web increases the risk to a developer of being held liable for its bugs. Not specifically for this case, but generally:
Some countries have strict liability laws, and it is possible to be held liable if any action of yours causes extreme problems, such as death of another person. Sometimes such laws are very broad and very strange. Would it be possible for an evil aggressor to attack open source developers by claiming that they, eg, downloaded their free code and put it into an aeroplane but a bug in the code caused a crash, killing people? (assuming the bug was not intentional, but that it was very silly and exceptionally gross)
The developer could say that the code had a no-warranty/no-guarantee notice, that it was a gift, that it did not establish a business relationship, that it was not a product but only an exercise of free speech, that the downloader/user should exercise their own due diligence and study the code for defects before using it, that they should have purchased a support/guarantee contract, that the code was written and shared online for personal enjoyment rather than for creating a useful product, etc. But would an impartial and competent court in a strict liability jurisdiction accept these defences? And what if the court was in a corrupt jurisdiction and the judge were bribed to side with the aggressor? Would it be possible for the court to condemn the developer by sufficiently stretching the strict liability law?
My take on the issue is, of course, that open source developers have absolutely no liability to anyone even under extreme circumstances, as nobody forces anyone to download open source code, and in most cases open source code is written primarily for the amusement of its developers. So, even if the military downloads an OS kernel and puts it into nuclear missiles, but a bug in the kernel then randomly fires the missiles causing a nuclear holocaust and the extinction of all the human race except the developer and the military general who used the source code, I personally would think that it was the general's fault of using the code and not the developer's for writing it. But I have no idea whether other people would think like me, especially in a court in a country with strange laws (and possibly corruption). Would it be possible to stretch the laws to pass the liability to the developer?
Or, to think about it in another domain, could an amateur radio operator be held liable for a homebrew that another person received from the amateur as a gift and that person used it to send signals to aliens who thanks to them discovered the Earth's position and came and conquered it?
Is there even a 0.0000000001% chance of a buggy but free widget's creator being held liable if someone else used the widget and its bugs caused havoc?
Wow, thanks Google, I was just able to reboot from my browser. Sheesh! I mean I even have an ssh client on my G1, I could have really fucked it up while just messing around on one of my servers remotely.
For a work around I guess you could just type "(enter)cat(enter)" in the beginning so all keystrokes won't actually get executed (till you ctrl+c), at least there's no ctrl on the keyboard (that I know of). The first exploit was pretty blah, security circus, yada yada -- this can be pretty serious though, someone could def fuck up their device by mistake.
If the command "yes" (that outputs a string repeatedly until killed) is included I would guess it would be pretty common to suddenly have your android mobile become slower.
- Peter Brodersen; professional nerd
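Several posts above argue about which typed text would actually reach the root shell as a command: that "reboot" has to be the first word on its own line, that an unbalanced single quote (the "reboot isn't tickles lawl" case) keeps the shell waiting for the closing quote, and that typing "cat" first makes a stdin-reading program swallow everything after it. The following simulation is an added example, not code from the article, ZDNet, or Android; it assumes a POSIX-sh-style line buffer and quoting (modelled with Python's shlex), a constructed two-command whitelist standing in for PATH lookup, and `\x03` as a stand-in for Ctrl-C (which the G1 keyboard reportedly lacks). It exists so a reader can reason about the exposure of a given keystroke stream without touching a real device; nothing in it executes system commands.

```python
"""Model of a keyboard wired straight into a line-buffered root shell (constructed example)."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed whitelist standing in for PATH lookup on the device; anything
# else is reported as "not found", which is what a real sh would print.
KNOWN_COMMANDS = {"reboot", "cat"}
CTRL_C = "\x03"  # how this simulation represents Ctrl-C (assumption: G1 keyboard has none)

Event = Tuple[str, str]


@dataclass
class ConsoleShell:
    """Every keystroke the user types lands here; Enter is '\\n'.

    The shell acts only on a complete line. A command such as `cat` that
    reads stdin owns all later lines until it is interrupted.
    """
    buffer: str = ""                      # keystrokes since the last complete line
    foreground: Optional[str] = None      # program currently reading stdin, if any
    events: List[Event] = field(default_factory=list)

    def feed(self, keystrokes: str) -> List[Event]:
        """Feed raw keystrokes; return only the events they caused."""
        start = len(self.events)
        for ch in keystrokes:
            if ch == CTRL_C:
                if self.foreground:
                    self.events.append(("interrupted", self.foreground))
                    self.foreground = None
                self.buffer = ""          # sh discards the partial line on ^C
                continue
            self.buffer += ch
            if ch == "\n":
                self._maybe_run_line()
        return self.events[start:]

    def _maybe_run_line(self) -> None:
        line = self.buffer[:-1]           # drop the Enter that completed the line
        if self.foreground:
            # A running program owns stdin: the shell never sees this line.
            self.events.append(("swallowed_by", self.foreground))
            self.buffer = ""
            return
        try:
            argv = shlex.split(line)      # POSIX-style quoting, as sh would do
        except ValueError:
            # Unterminated quote: sh keeps reading (the '>' prompt) until it closes,
            # so the pending text stays in the buffer and nothing runs yet.
            self.events.append(("awaiting_quote", line))
            return
        self.buffer = ""
        if not argv:
            return                        # bare Enter does nothing
        cmd = argv[0]
        if cmd not in KNOWN_COMMANDS:
            self.events.append(("not_found", cmd))
        elif cmd == "cat" and len(argv) == 1:
            self.foreground = "cat"       # cat with no file argument reads stdin
            self.events.append(("exec", "cat"))
        else:
            self.events.append(("exec", cmd))   # would run with root privilege on the device


def would_reboot(keystrokes: str) -> bool:
    """True if typing these keystrokes into the buggy console would run `reboot`."""
    return ("exec", "reboot") in ConsoleShell().feed(keystrokes)


if __name__ == "__main__":
    # Constructed keystroke streams taken from the scenarios discussed in the thread.
    samples = {
        "Enter, reboot, Enter": "\nreboot\n",
        "reboot buried mid-line": "LOL COMMENT reboot\n",
        "unbalanced quote": "reboot isn't tickles lawl\n",
        "quote closed later": "reboot isn't tickles lawl\nmore'\n",
        "cat workaround": "\ncat\nreboot\n",
        "cat, then Ctrl-C": "\ncat\nreboot\n" + CTRL_C + "reboot\n",
    }
    for label, keys in samples.items():
        print(f"{label:24s} -> reboot fires: {would_reboot(keys)}")
```

The model makes the thread's point concrete: the bug is dangerous in exactly the places where a user naturally types a lone word and presses Enter (an SMS, an SSH client), and the `cat` workaround only holds until something interrupts the foreground program, which is why the posters above treat it as fragile rather than a fix.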
Bingo - You won't see this sort of turnaround time for a fix for the iPhone.
and this is why FOSS is a champion to me - the community fixes the issue and everyone else can check the fix to make sure it's not malicious.
Hah, was it a short turn around because it was an extremely nasty bug, or because the fix was only a few lines in an rc file? Oh no, surely it's because of the 'community'.
The community is responsible for testing cellphone software? WHERE? The community has any involvement with deploying software updates to cellphones? WHEN THE FUCK DID THAT HAPPEN?
And this is why all gov't entities in the USA should use FOSS. The people/community as a whole can do a better job of keeping the government secure than corporations can.
Everything you typed was unknowingly redirected to a root shell, and you have the BALLS to say that this took the community at large to detect and correct the issue, therefore the government should use FOSS. Sorry, the free in FOSS doesn't have anything to do with preventing or correcting bugs, and a bug like this screams why the fuck didn't the 'community' QA/test process detect it before shipping? If fewer bugs like this appeared in open software, MAYBE you'd have a leg to stand on, but no, this was a shipping product, and one fugly ass bug. You can't blame open source for the bug, and you sure as shit can't give it extra credit for the fix.
I'm sick and fucking tired of coolaid drinking, rosy glasses wearing assholes that attribute all this bullshit to open source. Open software is good for a tremendous number of things, but when the community code review process misses a bug THIS fucking huge, how can you possibly give FOSS credit? It had absolutely nothing to do with delivering the fix, everything to do with finding it, and you know full well a bug of this nature should have been caught in any standard QA process. This is not a "only a giant army of warrior geeks armed with source could have spotted it" bug, though those DO exist. They shipped with a big 'ole chunk of debugging code enabled.
Android QA team: F-
Community process: failure to appear
So you're using your device, and it let you do whatever you want with it. So what? Why does it matter if I'm root on my phone?
(Say whatever you want for exploitable applications also enjoying the same level of authority.)
The telnetd hack was running as root without explanation, and was oddly non-functional from the adb shell. This could provide a reason for that -- the adb shell was running the telnetd process as the non-root user, while running telnetd from the phone itself (via pTerminal) was running as the non-root user AND as the root user (via this bug). The execution as a non-root user would fail, while the second launch as root would succeed and open a root shell on port 22.
Case solved?
So now the web truly remembers everything!
I take it there's no silver bullet for building and packaging projects, either.
Wow, not only did you skip reading the summary, you didn't even bother to read the whole TITLE? /. is getting lazy...
If I have nothing to hide, don't search me
Except this console doesn't recognize Alt, so you can't type slashes.
I don't *think* it's much of a "security" flaw, as you say; but you don't want random commands being run as root with random arguments. Who knows what would happen? In fact, administrators often spend most of their time logged in as non-root users so they don't accidentally do stupid things. Having everything you type run as a root command is badly broken.
It'd be really annoying just having the system reboot whenever I tell someone to
retry
reboot
CARRIER LOST.
Well yes but, it is never the bug you are expecting that bites you in the final release (was it a final release? it was RC29). It is always the bug that is so mindbogglingly stupid that you never think to check for it.
I think your example is rather extreme. First of all, if the aeroplane didn't crash the claim would be obviously false. If the aeroplane did crash then there would be a huge inquiry; the engineer/aggressor who decided to misuse the OS code in such a place would also bear liability and would be in a world of pain. If so much as a hint got out that they intentionally crashed the plane then they would be charged with a hundred counts of homicide... and that's if they are lucky enough not to be tried under anti-terrorist law.
The realistic outcome would be that someone yanks the code out of somewhere, doesn't bother to check it, and decides to sue someone. IANAL (and I am certainly not a lawyer in every jurisdiction of the world), but the common wisdom is that even when suing a company you've paid for software, the courts have held that it is the buyer's responsibility to check suitability, not the producer of commodity software.
How exactly is the grandparent less redundant than the parent?
Using RC29, I didn't notice this to be the case. Perhaps when someone specifically puts their phone in root mode, this could be an issue, but even for people who hack their phones they do not leave it on root.
When someone uses the root access on their phone, it may be an issue, but one typically would do this simply to change one thing, or install some linux software. I believe as soon as you restart your phone it would no longer be an issue. Basically this is pretty phony.