Incredibly Dangerous Android Bug Executes Every Keystroke as Root User
source: http://blog.wired.com/gadgets/2008/11/incredibly-dang.html
-
-
- Crazyotto
- added this
Warning: This is not a joke. If you are one of the lucky few with the Android G1 Googlephone, try typing the word "reboot".
Sorry. I take it you managed to find your way back here after your phone restarted. This incredible "feature" is not any kind of malware you might have picked up, but a real life bug in the actual shipping version of the Android OS. Anything you type on the keyboard, in any application, is simultaneously sent to a command line shell and executed as the root user.
A rough translation: Imagine you are running a terminal in Linux, the geeky text window into which you type commands for the computer to execute. Imagine, also, that the account in which you are working is that of the super user, or root, a user with permission to do anything it wants, including a simple five character command which will erase the entire contents of the phone, operating system and all.
That is exactly what is happening with the Android OS up to build number RC29 (the version which is hurriedly being pushed over the air as an update to G1 users. We thought that the hackers had scored when we reported that root terminal success had been achieved on the Googlephone, but now the process of downloading the terminal application, PTerminal, seems a little clunky. In fact, you should be able to turn on telnet, the process which enables you to remotely browse to your device over the network, simply by typing telnetd (although you'll need some jiggery pokery to make sure you're first in the correct directory).
Incredible, and quite ridiculously dangerous. No wonder AT&T CEO Ralph De La Vega said that "The platform is still evolving". The update should be with you soon. In the meantime, you can temporarily disable the background shell, using Burnette's instructions.
Open the keyboard and type these 5 keystrokes: -c-a-t-. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.
If that's too much for you, just be careful what you type.
Sorry. I take it you managed to find your way back here after your phone restarted. This incredible "feature" is not any kind of malware you might have picked up, but a real life bug in the actual shipping version of the Android OS. Anything you type on the keyboard, in any application, is simultaneously sent to a command line shell and executed as the root user.
A rough translation: Imagine you are running a terminal in Linux, the geeky text window into which you type commands for the computer to execute. Imagine, also, that the account in which you are working is that of the super user, or root, a user with permission to do anything it wants, including a simple five character command which will erase the entire contents of the phone, operating system and all.
That is exactly what is happening with the Android OS up to build number RC29 (the version which is hurriedly being pushed over the air as an update to G1 users. We thought that the hackers had scored when we reported that root terminal success had been achieved on the Googlephone, but now the process of downloading the terminal application, PTerminal, seems a little clunky. In fact, you should be able to turn on telnet, the process which enables you to remotely browse to your device over the network, simply by typing telnetd (although you'll need some jiggery pokery to make sure you're first in the correct directory).
Incredible, and quite ridiculously dangerous. No wonder AT&T CEO Ralph De La Vega said that "The platform is still evolving". The update should be with you soon. In the meantime, you can temporarily disable the background shell, using Burnette's instructions.
Open the keyboard and type these 5 keystrokes: -c-a-t-. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.
If that's too much for you, just be careful what you type.
