| |||||||||||||
2 weeks isn't completely unreasonable.2 weeks isn't completely unreasonable.Posted Nov 6, 2008 7:12 UTC (Thu) by jimparis (subscriber, #38647)In reply to: 2 weeks isn't completely unreasonable. by dw Parent article: Android's first vulnerability
The root hole is different from the web browser issue, just to clear up any confusion.
It's very bizarre that the root hole exists. A Java app (ie. pTerminal) can spawn local applications. This is done with real uid (and effective uid and saved uid) set to eg. 10040. No big deal. But if you execute /system/bin/telnetd, it acts like it was setuid root and runs with euid=0 -- even though it's not setuid root. Almost seems like an intentional backdoor...
(Log in to post comments)
2 weeks isn't completely unreasonable. Posted Nov 6, 2008 11:48 UTC (Thu) by alex (subscriber, #1355) [Link]
It may well be intentional as development tool. Likely they forgot to remove from the release images either by accident or design.
2 weeks isn't completely unreasonable. Posted Nov 6, 2008 14:16 UTC (Thu) by jimparis (subscriber, #38647) [Link]
A development tool would be a setuid telnetd binary, not a magic telnetd binary that grants euid=0 without being setuid.
Someone from Google has mentioned to me via IRC that it's definitely not intentional. I still haven't managed to track down the cause though.
2 weeks isn't completely unreasonable. Posted Nov 6, 2008 16:21 UTC (Thu) by jimparis (subscriber, #38647) [Link] Nevermind, I found it -- init spawns a root shell on /dev/console that picks up all keyboard input. Hilarious!http://android.jim.sh/index.php/ConsoleShell
|
|||||||||||||