Dumb bug in G1 phone

Date November 10, 2008

If any gadget has drawn as much buzz and anticipation as the iPhone, it has to be the G1 phone running Google’s Android platform.

Now, I thought that Apple had some interesting bugs and a lax security process, but this "bug" is just plain dumb (thanks, FS con chat guys, for posting this :)). From the issue tracking list…

It seems as though there is a /system/sbin/sh running in the background with /dev/console as stdin. That could explain why typing "reboot" and then enter (in ConnectBot or otherwise) will reboot your phone. If you type "telnetd", telnet into your phone, and look at the /proc/XX/fd tree for the /system/sbin/sh process, you can see it clearly.

That seems to be anywhere you can type – start typing a text message telling someone how to delete all files in unix (rm -rf) and watch their phone go away :) (of course that would depend on permissions and I really hope they didn’t screw that up)

So, it’s not a security bug per se, because the user has to type the command on their own phone, but it’s a strange one to have. I have to question why all input is redirected through a shell in the first place (perhaps some restricted service doing post-processing such as spell-check), and whether anyone would have thought of a test case for it (more reason to do threat modeling and use it to drive security testing; that process really should have found this issue).
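As an added example (my own, not code from the post or from the Android project), here is the kind of audit check that would have caught this: a POSIX shell script that walks /proc/<pid>/fd and reports every process whose stdin is /dev/console, which is exactly what the issue report describes finding for /system/sbin/sh. The PROCROOT parameter is my addition so the check can also be run against a constructed /proc-like tree.

```shell
# Added audit check: find processes whose stdin (fd 0) is /dev/console.
# A shell in that state interprets whatever arrives on the console as commands,
# which is the condition the issue report describes.
# Usage: find_console_stdin [PROCROOT]   (PROCROOT defaults to /proc; the
# parameter is an assumption added here for testing against a fake tree)

find_console_stdin() {
    procroot="${1:-/proc}"
    for fd0 in "$procroot"/[0-9]*/fd/0; do
        # /proc/<pid>/fd entries are symlinks; skip unmatched globs and
        # processes we are not allowed to inspect
        [ -L "$fd0" ] || continue
        target="$(readlink "$fd0" 2>/dev/null)" || continue
        case "$target" in
            /dev/console)
                dir="${fd0%/fd/0}"
                pid="${dir##*/}"
                # cmdline is NUL-separated; report argv[0] only
                cmd="$(tr '\0' ' ' < "$procroot/$pid/cmdline" 2>/dev/null || true)"
                printf '%s %s\n' "$pid" "${cmd%% *}"
                ;;
        esac
    done
}

# Any line printed here, and especially one naming a shell such as
# /system/sbin/sh, means console keystrokes are being executed as commands.
find_console_stdin "$@"
```

On the phone itself the same check is typed into the telnet session the report mentions; an empty result is the expected, healthy outcome.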

Once again, I’m disappointed with my industry.
