I wonder how many people carelessly run a script that downloads, builds, and executes something with root access. If that zip gets compromised (i.e. the source means harm) there is no end to the pain a careless user can endure. It is like blindly copying and running shell commands you don't understand with sudo rights.<p>My intention is not to offend the author by the way :). It is to remind people to understand these kinds of scripts and their risks before you run them.
This is just automating running the exploit from here:<p>https://github.com/timwr/CVE-2016-5195
I put 'root' in quotes, because technically, it isn't rooting. However, it creates a binary called 'run-as' that can execute packages as root. Not sure what the right term would be in this case.
For those who didn't see it:<p>I didn't write this exploit, I just wrote this script that automates the exploit. The repository with the actual exploit is here https://goo.gl/f8HdO7, and the script to automate it is here https://goo.gl/r2dFia.
So I have a Galaxy Nexus, which does not get OS updates anymore (Android 4.3 at the moment).<p>Do I understand correctly that vulnerabilities like this one mean I do not have any protection when I install an app on my phone? I mean the Android permissions system is useless when any app can just use an exploit to get root, isn't it?<p>Sorry for the beginner question, I am just hoping I am missing something.
For those on CyanogenMod: patch for Dirty COW is about to hit the nightly releases - https://review.cyanogenmod.org/#/q/19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
I can't help but think what would've happened if it were Microsoft that would have security problems of this scale all of the time while essentially blocking users from getting the updates to fix it. And then there's the manufacturers abandoning their hardware often directly after release.<p>The angry mob would probably bury them alive...<p>Sure, we can blame carriers, manufacturers and hardware suppliers for having their own policies, but this is the same for your average Windows laptop minus the carriers. Bundled themes and crapware from Sony, Lenovo or Dell never stopped Windows from updating.
This is an Android exploit for the Linux privilege escalation bug made public a few days ago, discussed here https://news.ycombinator.com/item?id=12756006<p>Hopefully this is where Google's app scanning shines and prevents this exploit from spreading.
Okay, sorry guys. I know it's broken right now. The problem is that wget and unzip commands aren't being used properly. I can't fix it on my phone, because the editor isn't working. I won't have computer access till tonight (it's 4PM here, and I'm at school). Really sorry about the delay!
Technically, this is not specific to Android phones. It's a hardware flaw and also possible on iOS.<p>edit: Correct, I was confusing it with Row Hammer.