On Wed, Aug 15, 2012 at 8:10 AM, Dan Rosenberg <[email protected]> wrote: > This also can't be used by malicious apps, since you need user/group "shell" > to replace /data/local/tmp with a symbolic link, and normal applications > cannot be granted this user/group.
You're right: my apologies. I didn't really look at how this exploit works. And you're certainly right that making /data writeable is a better way to exploit it. I just confirmed that on my 2.3.6 Epic 4G Touch there is no issue: a directory symlinked to /data/local/tmp does NOT get its permissions changed on boot. I am not sure I would say that it's erroneous to make /data/local writeable by adb shell. It may be handy for a developer with an unrooted device to put various commandline utilities in /data/local, such as a better busybox. Alex -- Alexander R. Pruss [email protected] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
