Sources for cmdserver/cmdclient binaries - security hole!

Hi @tenk.wang, @jasonl, @goenjoy

Could you please point me to where the sources of the cmdclient and cmdserver binaries are in the Android source?
As far as I can understand they are shipped as precompiled binaries with the Android Q source tree, and I’m a bit worried about leaving such a big security hole… as I see that cmdserver exposes an open port and is the backend for cmdclient, which in its turn allows executing anything with root privileges:

tcp 0 0 0.0.0.0:40000 0.0.0.0:* LISTEN 4229/cmdserver

kvim3l:/system/bin # netstat -taup
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program Name
tcp        0      0 0.0.0.0:40000           0.0.0.0:*               LISTEN      4229/cmdserver
tcp6       0      0 :::5555                 :::*                    LISTEN      3495/adbd
tcp6       0      0 ::ffff:192.168.1.7:5555 ::ffff:192.168.1.:52204 ESTABLISHED 3495/adbd
udp        0      0 192.168.1.7:bootpc      192.168.1.1:bootps      ESTABLISHED 3678/system_server
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           3540/mdnsd
udp        0      0 0.0.0.0:38125           0.0.0.0:*                           3540/mdnsd
udp6       0      0 :::mdns                 :::*                                3540/mdnsd
udp6       0      0 :::41445                :::*                                3540/mdnsd
kvim3l:/system/bin $ cmdclient id
uid=0(root) gid=0(root) groups=0(root) context=u:r:cmdserver:s0
kvim3l:/system/bin $

I understand that it is used to perform khadasapi functions internally, but an open port on all interfaces isn’t something I’m happy my device is doing… perhaps it should be bound to localhost only (127.0.0.1), otherwise it is a nice chance to get a botnet from khadas devices.

It is so unprotected, it is a real security hole: a simple telnet client is enough to run any command on Khadas Android Q (which has cmdserver installed by default)… Here is a nice example of a telnet session from my workstation to my khadas device (no password, no checking… a nice backdoor):

% telnet 192.168.1.7 40000                                   22:28:45
Trying 192.168.1.7...
Connected to 192.168.1.7.
Escape character is '^]'.
id
uid=0(root) gid=0(root) groups=0(root) context=u:r:cmdserver:s0

% telnet 192.168.1.7 40000                                   22:29:04
Trying 192.168.1.7...
Connected to 192.168.1.7.
Escape character is '^]'.
ls
acct
bin
boot
bugreports
cache
charger
config
d
data
default.prop
dev
etc
init
init.environ.rc
init.rc
init.recovery.amlogic.rc
init.usb.configfs.rc
init.usb.rc
init.zygote32.rc
lost+found
metadata
mnt
odm
oem
proc
product
sbin
sdcard
storage
sys
system
ueventd.rc
vendor

@hyphop -
“Boss! We’ve got a hole in security!
Well, at least something of ours is in security.”

I understand that it is used to perform khadasapi functions internally, but an open port on all interfaces isn’t something I’m happy my device is doing… perhaps it should be bound to localhost only (127.0.0.1), otherwise it is a nice chance to get a botnet from khadas devices.

You’re right, it is ugly!

Yes, this is the source code we wrote, but it will not be open source.

yes

Thank you for pointing out, but I think it’s a problem that you can’t have both fish and bear’s paw unless you can find an alternative.

Well, yep, there are always a lot of ways to make things; instead of using sockets it could be IPC communication etc… Having an open port on public interfaces (WiFi, Ethernet) for cmdserver, with an unprotected protocol allowing any command to be executed as root, well, it is a security flaw.

As far as I understood, this is in use only for the khadas api (I may be wrong); android doesn’t have any clue about it, so a quick fix is to disable and remove cmdserver from the system.

A quick fix is to disable cmdserver completely; it doesn’t harm your android.
Remount the root fs as read-write:

% adb root
restarting adbd as root
% adb remount
remount succeeded

and then modify

/vendor/etc/init/hw # vi init.amlogic.rc

and comment out the lines related to cmdserver:


#service cmdserver /system/bin/cmdserver
#    user root
#    group root
#    seclabel u:r:cmdserver:s0

service bugreport /system/bin/dumpstate -d -p -B -P -z \
    -o /data/user_de/0/com.android.shell/files/bugreports/bugreport
    class main
    disabled
    oneshot

on property:sys.boot_completed=1
    start preinstall

#on property:sys.boot_completed=1
#    start cmdserver

Now all is clear

kvim3l:/vendor/etc/init/hw # netstat -taup
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program Name
tcp        0      0 localhost:5037          0.0.0.0:*               LISTEN      4740/adbd
tcp6       0      0 :::5555                 :::*                    LISTEN      4740/adbd
tcp6       0    306 ::ffff:192.168.1.7:5555 ::ffff:192.168.1.:62861 ESTABLISHED 4740/adbd
udp        0      0 192.168.1.7:bootpc      192.168.1.1:bootps      ESTABLISHED 3677/system_server
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           3545/mdnsd
udp        0      0 0.0.0.0:58193           0.0.0.0:*                           3545/mdnsd
udp6       0      0 :::53294                :::*                                3545/mdnsd
udp6       0      0 :::mdns                 :::*                                3545/mdnsd
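The hand edit and the netstat check above, scripted: this is an added example, not code from the thread or from Khadas. It assumes the service name `cmdserver` and port 40000 exactly as the thread shows them; the init .rc fragment and netstat listing it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or Khadas): comment out the cmdserver
# service and its start line in an init .rc file, then confirm that nothing
# is still listening on the cmdserver port on all interfaces.
# The .rc fragment and netstat listing below are constructed to mirror the
# thread; the port (40000) and service name are the ones the thread shows.

# Comment out "service cmdserver ..." plus its indented option lines, and any
# indented "start cmdserver" action line. Reads the .rc on stdin, writes stdout.
# Unlike the hand edit above, the enclosing "on property:..." line is kept;
# an "on" section with no commands is harmless to init.
disable_cmdserver_rc() {
  awk '
    /^service cmdserver[ \t]/       { inblk = 1; print "#" $0; next }
    inblk && /^[ \t]+/              { print "#" $0; next }
    inblk                           { inblk = 0 }
    /^[ \t]+start cmdserver[ \t]*$/ { print "#" $0; next }
    { print }
  '
}

# Print the PID/Program name of every TCP socket listening on the cmdserver
# port on all interfaces (0.0.0.0, :: or *). Reads "netstat -taup" output on
# stdin. Exit status 1 if any such listener exists, 0 otherwise.
exposed_cmdserver_listeners() {
  awk '$1 ~ /^tcp/ && $4 ~ /^(0\.0\.0\.0|::|\*):40000$/ && $6 == "LISTEN" {
         print $7; found = 1
       }
       END { exit (found ? 1 : 0) }'
}

# Constructed sample: an init .rc fragment like the one edited above.
SAMPLE_RC='service cmdserver /system/bin/cmdserver
    user root
    group root
    seclabel u:r:cmdserver:s0

on property:sys.boot_completed=1
    start preinstall

on property:sys.boot_completed=1
    start cmdserver'

# Constructed sample: a netstat listing with cmdserver still exposed.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program Name
tcp        0      0 0.0.0.0:40000           0.0.0.0:*               LISTEN      4229/cmdserver
tcp6       0      0 :::5555                 :::*                    LISTEN      3495/adbd'

printf '%s\n' "$SAMPLE_RC" | disable_cmdserver_rc
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_cmdserver_listeners || echo "cmdserver still exposed"
```

On a real device the check is `adb shell netstat -taup | exposed_cmdserver_listeners`, and the rewritten .rc has to be written back to /vendor/etc/init/hw/init.amlogic.rc after `adb remount` as shown above.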