Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtKevin Cernekee1337DAY-ID-21519
HistoryNov 15, 2013 - 12:00 a.m.

Android 4.2.x Superuser Unsanitized Environment Vulnerability

2013-11-1500:00:00
Kevin Cernekee
0day.today
18

0.004 Low

EPSS

Percentile

71.4%

JSON

Vulnerable releases of several common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root without notifying the device owner. This advisoriy documents PATH and BOOTCLASSPATH vulnerabilities.

Vulnerable releases of several common Android Superuser packages may
allow malicious Android applications to execute arbitrary commands as
root without notifying the device owner:

 - ChainsDD Superuser (current releases, including v3.1.3)
 - CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
 - Chainfire SuperSU prior to v1.69

The majority of third-party ROMs include one of these packages.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed.  In the course of its normal duties, and prior to making the
allow/deny decision, /system/xbin/su invokes external programs under a
privileged UID, typically root (0) or system (1000):

 - /system/bin/log, to record activity to logcat
 - /system/bin/am, to send intents to the Superuser Java app
 - /system/bin/sh, to execute the /system/bin/am wrapper script
 - /system/bin/app_process, the Dalvik VM

The user who invokes /system/xbin/su may have the ability to
manipulate the environment variables, file descriptors, signals,
rlimits, tty/stdin/stdout/stderr, and possibly other items belonging
to any of these subprocesses.  At least two vulnerabilities are
readily apparent:

 - On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a
known-good value, so a malicious user could trick /system/bin/am into
using a trojaned app_process binary:

    echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch
/data/trojan.out\nexec $0 "[email protected]"' > app_process ; chmod 755 app_process
    PATH=`pwd`:$PATH su -c 'true'

The PATH vulnerability is being tracked under CVE-2013-6768.

 - Other environment variables could be used to affect the behavior of
the (moderately complex) subprocesses.  For instance, manipulation of
BOOTCLASSPATH could cause a malicious .jar file to be loaded into the
privileged Dalvik VM instance.  All three Superuser implementations
allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker.

The BOOTCLASSPATH vulnerability is being tracked under CVE-2013-6774.

#  0day.today [2018-04-08]  #

Related

packetstorm 1
securityvulns 2
cvelist 2
cve 2
prion 2
packetstorm
packetstorm
Android 4.2.x Superuser Unsanitized Environment
2013-11-14 00:00:00
securityvulns
securityvulns
Superuser unsanitized environment vulnerability on Android &lt;= 4.2.x
2013-11-18 00:00:00
Android su applications privilege escalation
2013-11-18 00:00:00
cvelist
cvelist
CVE-2013-6774
2014-03-30 10:00:00
CVE-2013-6768
2014-03-30 10:00:00
cve
cve
CVE-2013-6774
2014-03-31 14:58:00
CVE-2013-6768
2014-03-31 14:58:00
prion
prion
Design/Logic Flaw
2014-03-31 14:58:00
Design/Logic Flaw
2014-03-31 14:58:00

0.004 Low

EPSS

Percentile

71.4%

JSON
Related for 1337DAY-ID-21519
packetstorm1securityvulns2cvelist2cve2prion2