Frugal smartphone security

To save on monthly expenses I normally have data turned off on my Android phone and use whatever free WiFi is available. But...

Word is out that bash has had a security fault for decades that allows arbitrary code execution. Looks like it is either being called “Bash Bug” or “Shellshock”. Seems like that should not be an issue as bash is used for local command line types of things. But if, especially if, bash is the default shell then lots of things that execute other programs can allow a remote attack.

While an Android phone is a phone it is also basically a Linux computer running the Android environment. Under it all is a fairly stock Linux operating system. And on CyanogenMod the default shell program on the latest monthly snapshot appears to be susceptible to this attack:

$ adb shell
shell@maguro:/ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
shell@maguro:/ $ echo $0
shell@maguro:/ $ ls -l /system/bin/sh
lrwxrwxrwx root root 2014-09-17 16:49 sh -> mksh
shell@maguro:/ $ ls -l /system/bin/mksh
-rwxr-xr-x root shell 157492 2008-08-01 05:00 mksh
shell@maguro:/ $ which bash
shell@maguro:/ $ ls -l /system/xbin/bash
-rwxr-xr-x root shell 427088 2008-08-01 05:00 bash
shell@maguro:/ $ bash
shell@localhost / $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
shell@localhost / $

It looks like the default shell is /system/bin/sh, but that is actually a symbolic link to /system/bin/mksh, which is the open source version of the Korn Shell. While I have not read that mksh is susceptible to this injection attack, it fails the test. bash is also on CyanogenMod and also fails the test.

I haven’t checked recently but I think ash was the default shell for stock Android. If so, then they may be safe. Or maybe not. Somebody with stock ROMs might want to check.
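The test line above starts `bash -c` explicitly, so its output describes whichever bash is found on the PATH, not the shell it was typed into. The following is an added example (not from the original post) that runs the same probe against each shell binary by path. The /bin/sh and /bin/bash entries are assumed paths for an ordinary Linux host, and the `probe-ran` marker is made up for this sketch.

```shell
#!/bin/sh
# Added example: run the post's Shellshock probe against specific shell
# binaries by path, so each result describes the binary that was started.

# Map the probe's captured output to a verdict.
classify_output() {
    case $1 in
        *vulnerable*)  echo "vulnerable" ;;      # text after the function body was executed
        *probe-ran*)   echo "not-vulnerable" ;;  # only the -c command ran
        *)             echo "inconclusive" ;;    # shell did not run the -c command
    esac
}

# Start the shell at $1 with the crafted variable x in its environment.
probe_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "absent"
        return 0
    fi
    # stderr is dropped: patched bash builds print warnings there (see the
    # apt-get transcript in the post) and they are not part of the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" -c 'echo probe-ran' 2>/dev/null) || true
    classify_output "$out"
}

# Paths are the ones listed in the post's adb session; /bin/sh and /bin/bash
# are added as assumptions for an ordinary Linux host.
for candidate in /system/bin/sh /system/bin/mksh /system/xbin/bash /bin/sh /bin/bash; do
    # Show where a symlink points, as sh -> mksh does on the post's phone.
    target=$(readlink "$candidate" 2>/dev/null) || target=""
    printf '%-20s %-15s %s\n' "$candidate" "$(probe_shell "$candidate")" "${target:+-> $target}"
done
```

A shell reported as not-vulnerable here can still hand the variable on to a vulnerable bash that it starts later, so the bash binary itself is the one to watch.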

It is my understanding that CyanogenMod has the default shell compiled in. I guess I could remount /system as read/write, move bash and then add a symlink so that the bash command is handled by busybox like ash and sh are. But I’d first have to check to see if busybox will accept that. And then things that really need bash would probably crash, as the shell dialect is slightly different between bash and sh and, more specifically, busybox’s implementation of its sh lookalike. A hassle with probably more pitfalls than fixes, so I’ll just wait for the CyanogenMod people to update bash in a future release.

But you aren’t running a server on your phone, right? Yes. So it is no big deal, right? No.

When you connect to a network, like that untrusted WiFi network at the coffee shop, the DHCP protocol is used to give your phone its IP address, let it know what the default gateway is, let it know what time servers to use, etc. And one of the things the WiFi network’s DHCP server can do is have your phone (or laptop) run a shell script to do further setup. So a nefarious WiFi network can, as of now, not just snoop on your communications but take over your CyanogenMod phone or Linux or Macintosh laptop.

In the meantime, no more connecting to dodgy WiFi hotspots and then using my VPN to assure myself of privacy.

Edit 28Sept2014: It appears that I remembered wrong about DHCP having the ability to run a setup shell script on your computer. Looking at a protocol summary, I sure don’t see it. My fuzzy old memory must have been recalling a specific implementation on an old embedded application. Nonetheless, I think I will be wary of using unknown WiFi hotspots until this is fixed, which I suspect will be on the next monthly snapshot. If they keep to their historical pattern, that will be in about a week.

At least updating my servers was easy:

# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
this is a test
# apt-get update
# apt-get upgrade
# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test