Worst. Bug. Ever.

Yeah, uh, "oops."
It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application, would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!

[...]
Funny story behind finding this:

I was in the middle of a text conversation with my girl when she asked why I hadn't responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated "Reboot" - which, to my surprise, rebooted my phone.

[...]
Here's a workaround I just discovered: Open the keyboard and type these 5 keystrokes: <return>-c-a-t-<return>. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.

16 Responses:

  1. bitterjesus says:

    That's so bad it's awesome! As an aside, I feel slightly stupider from having read some of the comments, although the "rm -rf /*" was a good suggestion.

  2. Man, I don't know if I want to believe this, but just can't, or if I don't want to believe this, but must.

  3. __marcelo says:

    This is close to the platonic ideal of security bugs. It's hard to imagine any worse non-totally-trivial example.

    • jwz says:

      Srsly. The only way it could be worse is if incoming SMS and email messages were also pasted to the shell.

    • gryazi says:

      Don't security bugs have to compromise security in some fashion?

      Although it'd be fun to check the .bash_history.

      • jwz says:

        You seem to have forgotten that the telcos (and their bitches, the phone-software-providers) consider it a matter of security that you not be able to root your phone.

        • gryazi says:

          Well, yeah, but I thought a condition of accepting Android in the first place was to not give a shit if the phone gets rooted by the user. Because otherwise they would not be going with Android and would have some 110% obscurified walled-garden system instead.

          That's the good they're supposed to bring to the party and all, and the OS is there to prevent foot-shooting by software not vetted by the carrier, preventing it from making calls or scraping the address book or sending spam or forwarding everything the microphone or camera picks up without the user's consent.

          [I am assuming that local root on the G1 doesn't give a user much of anything that local root on a laptop with a GSM modem or a Windows Mobile device doesn't, other than an increased ability to brick his own phone.]

          Maybe it's a window of opportunity for software to send whatever it wants to the shell, or talk the user into running rm -rf /, but it seems so likely to hose the phone before then (did they leave shell history enabled?) that it's more a "WTF" than a "risk."

  4. violentbloom says:

    rm *

    this seems like an obvious thing to test, but maybe I just do devious edge-cases.

    • wisn says:

      Until somebody figures a way to combine this with a remote exploit, you're unlikely to demonstrate how l337 you are outside of face-punching range of your victim.