#36
Originally Posted by wicket
An arbitrary code execution exploit in MicroB would give an attacker the same privileges as the user user. This normally means they would have read/write access to everything under /home/user including MyDocs. This assumes that the device owner hasn't done anything stupid to weaken the security. One thing that I forgot is that many users here use rootsh without a password, which would of course give the attacker full access to the device.
Indeed. I was thinking of rootsh as an attack vector, although in my limited experimentation I was not able to pass commands to /usr/bin/root. There are surely ways though.

If you ask me, Maemo is very broken in this respect. It's not that hard for an attacker to create some malware, create multiple Garage accounts and then vote it up for promotion to Extras. Actually, they probably don't even need to do that. They can just enable Extras-devel and install anything from that. It's part of the reason why I want to replace Maemo with Debian.
I agree totally, and that's something that's been on my mind a lot, although I think any alternatives to Maemo are currently too clunky or lacking in vital features if one still wants to use their N900 as a phone.
 

The Following 5 Users Say Thank You to Xagoln For This Useful Post: