Vulners
Lucene search
Android 4.2.x Superuser Unsanitized Environment Vulnerability
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | CVE-2013-6768 | 30 Mar 201410:00 | – | cve |
| CVE-2013-6774 | 30 Mar 201410:00 | – | cve |
 | CVE-2013-6768 | 30 Mar 201410:00 | – | cvelist |
| CVE-2013-6774 | 30 Mar 201410:00 | – | cvelist |
 | EUVD-2013-6570 | 7 Oct 202500:30 | – | euvd |
| EUVD-2013-6576 | 7 Oct 202500:30 | – | euvd |
 | CVE-2013-6768 | 31 Mar 201414:58 | – | nvd |
| CVE-2013-6774 | 31 Mar 201414:58 | – | nvd |
 | Android 4.2.x Superuser Unsanitized Environment | 14 Nov 201300:00 | – | packetstorm |
 | Design/Logic Flaw | 31 Mar 201414:58 | – | prion |
10
Vulnerable releases of several common Android Superuser packages may
allow malicious Android applications to execute arbitrary commands as
root without notifying the device owner:
- ChainsDD Superuser (current releases, including v3.1.3)
- CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
- Chainfire SuperSU prior to v1.69
The majority of third-party ROMs include one of these packages.
On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed. In the course of its normal duties, and prior to making the
allow/deny decision, /system/xbin/su invokes external programs under a
privileged UID, typically root (0) or system (1000):
- /system/bin/log, to record activity to logcat
- /system/bin/am, to send intents to the Superuser Java app
- /system/bin/sh, to execute the /system/bin/am wrapper script
- /system/bin/app_process, the Dalvik VM
The user who invokes /system/xbin/su may have the ability to
manipulate the environment variables, file descriptors, signals,
rlimits, tty/stdin/stdout/stderr, and possibly other items belonging
to any of these subprocesses. At least two vulnerabilities are
readily apparent:
- On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a
known-good value, so a malicious user could trick /system/bin/am into
using a trojaned app_process binary:
echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch
/data/trojan.out\nexec $0 "[email protected]"' > app_process ; chmod 755 app_process
PATH=`pwd`:$PATH su -c 'true'
The PATH vulnerability is being tracked under CVE-2013-6768.
- Other environment variables could be used to affect the behavior of
the (moderately complex) subprocesses. For instance, manipulation of
BOOTCLASSPATH could cause a malicious .jar file to be loaded into the
privileged Dalvik VM instance. All three Superuser implementations
allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker.
The BOOTCLASSPATH vulnerability is being tracked under CVE-2013-6774.
# 0day.today [2018-04-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Nov 2013 00:00Current
7.3High risk
Vulners AI Score7.3
EPSS0.00371