[Secure-testing-team] Bug#694176: android-tools-adb

Bastian Blank waldi at debian.org
Sat Nov 24 16:20:02 UTC 2012


Package: android-tools-adb
Version: 4.1.1+git20120801-1
Severity: grave
Tags: security

adb starts a daemon on first call without asking the user. This daemon
listens on a TCP port on localhost:

| $ id -u
| 1000
| $ netstat -tlpen | …
| Proto Local Address  Foreign Address State  User PID/Program name
| tcp   127.0.0.1:5037 0.0.0.0:*       LISTEN 1000 22319/adb       

This daemon does not feature any user authentication and allows other
users to access the connected devices with the permissions of the user
running the daemon:

| $ id -u
| 1001
| $ adb shell  
| shell@android:/ $ ^D

Bastian

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.6-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages android-tools-adb depends on:
ii  libc6   2.13-35
ii  zlib1g  1:1.2.7.dfsg-13

android-tools-adb recommends no packages.

android-tools-adb suggests no packages.

-- no debconf information
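
A check for the condition described in the report, as an added example that is not part of the original message: it reads socket tables in /proc/net/tcp format and lists adb servers on port 5037 that belong to a different user than the caller. The function names, the embedded sample table and the little-endian host assumption are this example's own.

```python
import socket
import struct

ADB_PORT = 5037  # port shown in the report's netstat output
LISTEN = "0A"    # code for the LISTEN state in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not taken from the report).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 48211 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9120 1 0000000000000000 100 0 0 10 0
   2: 0100007F:13AD 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 48300 1 0000000000000000 20 4 30 10 -1
"""


def parse_listeners(text):
    """Return (ip, port, uid, inode) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # Assumption: little-endian host (x86/amd64, as in the report), so the
        # address word is byte-swapped relative to dotted-quad order.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(fields[7]), int(fields[9])))
    return listeners


def foreign_adb_servers(text, my_uid, port=ADB_PORT):
    """Listeners on the adb port that are owned by a user other than my_uid."""
    return [l for l in parse_listeners(text) if l[1] == port and l[2] != my_uid]


if __name__ == "__main__":
    import os
    try:
        with open("/proc/net/tcp") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed sample off Linux
    for ip, port, uid, inode in foreign_adb_servers(data, os.getuid()):
        print(f"adb server on {ip}:{port} is owned by uid {uid} (inode {inode})")
```

A non-empty result means an `adb` command run by the current user would talk to a daemon started by someone else on the same host.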


