Active Topics
-
[HOWTO] Comprehensive Firmware Flashing Guide for N9 (1,580)
to Nokia N9 / N950 by aspergerguy - 4 hrs, 7 mins ago -
Nokia N9-00 Prototype Build S1.12 (RM-680 codename "Dali") (250)
to Nokia N9 / N950 by en0s - 3 days ago -
[Announce] Maebble - Pebble support for Maemo (118)
to Applications by glo-worm - 3 days, 12 hrs ago -
Possible to flash Leste to eMMC? (6)
to Maemo 7 / Leste by Eri - 4 days, 3 hrs ago - more...
|
2016-10-21
, 18:18
|
|
Posts: 3,464 |
Thanked: 5,107 times |
Joined on Feb 2010
@ Gothenburg in Sweden
|
#3
|
AFAIU you first have to login via ssh(or similar) as normal user to the phone before you can gain root access I don't see it as critical on phone but worse on web sites.
"The exploits can be used against Web hosting providers that provide shell access"
And how many of you give out ssh access to your phone?
However I hope SFOS next release has the fix.
Last edited by mikecomputing; 2016-10-21 at 18:31.
"The exploits can be used against Web hosting providers that provide shell access"
And how many of you give out ssh access to your phone?
However I hope SFOS next release has the fix.
__________________
Keep safe and healthy
Keep safe and healthy
Last edited by mikecomputing; 2016-10-21 at 18:31.
 |
|
2016-10-21
, 19:13
|
|
Posts: 6,436 |
Thanked: 12,701 times |
Joined on Nov 2011
@ Ängelholm, Sweden
|
#4
|
this exploit can be easily used by any malware application you install 
|
|
2016-10-22
, 01:51
|
|
Posts: 31 |
Thanked: 31 times |
Joined on Jan 2013
@ USA
|
#5
|
Apparently the "fix" was identified, any ideas when this will be backported to KP?
Not sure about 2.6.28, but backported to my 4.0.5 server, there had been changes so the patch in the commit wouldn't cleanly go in... but was close enough to easily figure out
Supposedly it's been around since 2.6.22 but "harder" to exploit ... and as I don't have many random binaries I run on my N900, probably somewhat safe. The regular PCs with <koff>flashplayer and any with outward facing shell access I have to be worried about...
Not sure about 2.6.28, but backported to my 4.0.5 server, there had been changes so the patch in the commit wouldn't cleanly go in... but was close enough to easily figure out
Supposedly it's been around since 2.6.22 but "harder" to exploit ... and as I don't have many random binaries I run on my N900, probably somewhat safe. The regular PCs with <koff>flashplayer and any with outward facing shell access I have to be worried about...
|
|
2016-10-22
, 05:32
|
|
Posts: 93 |
Thanked: 283 times |
Joined on Jul 2016
|
#6
|
Originally Posted by mikecomputing
Nope, your phone could be rooted by nice looking app which is in fact the chinese hackers' malware sneaked into Play Market / App Store e.g. http://www.ibtimes.co.uk/chinese-hac...s-risk-1520592 so it's kinda critical too.
AFAIU you first have to login via ssh(or similar) as normal user to the phone before you can gain root access I don't see it as critical on phone but worse on web sites.
BUT at the same time you could root your own phone if you need it and if the phone manufacturer prevents you from getting root access. So I find this vulnerability as somewhat good for the handhelds power users.
Originally Posted by mikecomputing
And concerning the servers - it is a total disaster. You do not need the shell access to own your hosting provider's server - you just need exec/system/etc function enabled in PHP configuration and even if such functions are disabled there are plenty of other ways to run shell code where the simplest is - running a cron job from the control panel.
"The exploits can be used against Web hosting providers that provide shell access"
 |
|
2016-10-22
, 14:23
|
|
Posts: 764 |
Thanked: 2,889 times |
Joined on Jun 2014
|
#7
|
Originally Posted by meego_leenooks1
"The intelligence-testing Brain Test app was discovered to be containing the malware by security firm Check Point."
http://www.ibtimes.co.uk/chinese-hackers-fool-google-put-one-million-android-users-risk-1520592
Honestly, if you install "Brain Test" applications, you're bound to get hacked in some way eventually.
Every time these supposedly extreme security flaws come up, it turns out to be something you need to explicitly allow. That isn't a security problem, it's a user problem, and those have turned out to be impossible to fix.
|
|
2016-10-22
, 17:02
|
|
Posts: 93 |
Thanked: 283 times |
Joined on Jul 2016
|
#8
|
Originally Posted by nthn
That's just the first example I found in Google. I've seen news about dozens or hundreds of innocent-looking apps in Play Market / App Store with hidden ad/spy/mal-ware inside. Surely you have to explicitly allow them to run (install them yourself) but how do you know which app is clean and legitimate and which is not?
"The intelligence-testing Brain Test app was discovered to be containing the malware by security firm Check Point."
Honestly, if you install "Brain Test" applications, you're bound to get hacked in some way eventually.
|
|
2016-10-22
, 18:09
|
|
Posts: 368 |
Thanked: 975 times |
Joined on Aug 2013
|
#10
|
Originally Posted by meego_leenooks1
Indeed, as long as those apps are proprietary / closed source you just don't know. A ton of Google Play programs ask for permissions that don't make sense. Why should a game need access to your contacts etc..
That's just the first example I found in Google. I've seen news about dozens or hundreds of innocent-looking apps in Play Market / App Store with hidden ad/spy/mal-ware inside. Surely you have to explicitly allow them to run (install them yourself) but how do you know which app is clean and legitimate and which is not?
On an Android phone I assume with cyanogenmod (no gapps) and only install apps from the f-droid repo you will prevent installing any malicious software and are relatively safe.
| The Following User Says Thank You to t-b For This Useful Post: | ||
Quite a massive number of devices that are vulnerable to this bug as it's quite an old feature and only discovered now. Then to think many android phones won't get an kernel-update probably. I am assuming android is just as vulnerable as any other linux distro with old kernel.
N900 loaded with:
CSSU-T (Thumb)
720p recording,
Pierogi, Lanterne, Cooktimer, Frogatto
N9 16GB loaded with:
Kernel-Plus
--
[TCPdump & libpcap | ngrep]
--
donate