Android 4.2.x Superuser Shell Character Escape

Type packetstorm
Reporter Kevin Cernekee
Modified 2013-11-14T00:00:00


                                            `Vulnerable releases of two common Android Superuser packages may allow  
malicious Android applications to execute arbitrary commands as root,  
either without prompting the user or after the user has denied the  
- CyanogenMod/ClockWorkMod/Koush Superuser (current releases,  
including v1.0.2.1)  
- Chainfire SuperSU prior to v1.69  
The majority of recent third-party ROMs include one of these packages.  
Older ROMs may use the ChainsDD Superuser package, which is not  
affected but is no longer maintained.  
On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root  
binary which performs a number of privilege checks in order to  
determine whether the operation requested by the caller should be  
allowed. If any of these checks fail, the denial is recorded by  
broadcasting an intent to the Superuser app through the Android  
Activity Manager binary, /system/bin/am. /system/bin/am is invoked as  
root, and user-supplied arguments to the "su" command can be included  
on the "am" command line.  
On a rooted Android >= 4.3 device, due to changes in Android's  
security model, /system/xbin/su functions as an unprivileged client  
which connects to a "su daemon" started early in the boot process.  
The client passes the request over a UNIX socket, and the daemon reads  
the caller's credentials using SO_PEERCRED. As described above,  
/system/bin/am is called (now from the daemon) to communicate with the  
app that implements the user interface.  
If the user invokes "su -c 'COMMAND'" and the request is denied (or  
approved), ClockWorkMod Superuser constructs a command line to pass to  
a root shell:  
snprintf(user_result_command, sizeof(user_result_command), "exec  
/system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name  
'%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es  
command '%s' --es action %s --user %d",  
ctx->, ctx->,  
ctx->from.uid, ctx->to.uid, get_command(&ctx->to),  
policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);  
get_command() would return "COMMAND", unescaped, through  
"/system/bin/sh -c". By adding shell metacharacters to the command,  
the root subshell can be tricked into running arbitrary command lines  
as root:  
su -c "'&touch /data/abc;'"  
Upon denial by the operator, "touch /data/abc" will be executed with  
root privileges. The Superuser variant of this problem is being  
tracked under CVE-2013-6769.  
SuperSU prior to v1.69 removes quote and backslash characters from the  
string passed to /system/bin/sh, but backticks or $() can be used  
instead for the same effect:  
su -c '`touch /data/abc`'  
su -c '$(touch /data/abc)'  
The SuperSU variant of this problem is being tracked under CVE-2013-6775.  
ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied  
input on the /system/bin/am command line.