Vulnerable releases of several common Android Superuser packages may
allow malicious Android applications to execute arbitrary commands as
root without notifying the device owner:
The majority of third-party ROMs include one of these packages.
On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed. In the course of its normal duties, and prior to making the
allow/deny decision, /system/xbin/su invokes external programs under a
privileged UID, typically root (0) or system (1000):
The user who invokes /system/xbin/su may have the ability to
manipulate the environment variables, file descriptors, signals,
rlimits, tty/stdin/stdout/stderr, and possibly other items belonging
to any of these subprocesses. At least two vulnerabilities are
readily apparent:
On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a
known-good value, so a malicious user could trick /system/bin/am into
using a trojaned app_process binary:
echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch
/data/trojan.out\nexec $0 "$@"' > app_process ; chmod 755 app_process
PATH=`pwd`:$PATH su -c 'true'
The PATH vulnerability is being tracked under CVE-2013-6768.
The BOOTCLASSPATH vulnerability is being tracked under CVE-2013-6774.