| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Aug 2012 08:41:26 -0500 From: Alexander Pruss <arpruss@...il.com> To: Dan Rosenberg <dan.j.rosenberg@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: debugfs exploit for a number of Android devices On Wed, Aug 15, 2012 at 8:10 AM, Dan Rosenberg <dan.j.rosenberg@...il.com> wrote: > This also can't be used by malicious apps, since you need user/group "shell" > to replace /data/local/tmp with a symbolic link, and normal applications > cannot be granted this user/group. You're right: my apologies. I didn't really look at how this exploit works. And you're certainly right that making /data writeable is a better way to exploit it. I just confirmed that on my 2.3.6 Epic 4G Touch there is no issue: a directory symlinked to /data/local/tmp does NOT get its permissions changed on boot. I am not sure I would say that it's erroneous to make /data/local writeable by adb shell. It may be handy for a developer with an unrooted device to put various commandline utilities in /data/local, such as a better busybox. Alex -- Alexander R. Pruss arpruss@...il.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists