Vulnerable releases of two common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root. These issues are due to a shell character escape vulnerability.
Vulnerable releases of two common Android Superuser packages may allow
malicious Android applications to execute arbitrary commands as root,
either without prompting the user or after the user has denied the
- CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
- Chainfire SuperSU prior to v1.69
The majority of recent third-party ROMs include one of these packages.
Older ROMs may use the ChainsDD Superuser package, which is not
affected but is no longer maintained.
On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed. If any of these checks fail, the denial is recorded by
broadcasting an intent to the Superuser app through the Android
Activity Manager binary, /system/bin/am. /system/bin/am is invoked as
root, and user-supplied arguments to the "su" command can be included
on the "am" command line.
On a rooted Android >= 4.3 device, due to changes in Android's
security model, /system/xbin/su functions as an unprivileged client
which connects to a "su daemon" started early in the boot process.
The client passes the request over a UNIX socket, and the daemon reads
the caller's credentials using SO_PEERCRED. As described above,
/system/bin/am is called (now from the daemon) to communicate with the
app that implements the user interface.
If the user invokes "su -c 'COMMAND'" and the request is denied (or
approved), ClockWorkMod Superuser constructs a command line to pass to
a root shell:
snprintf(user_result_command, sizeof(user_result_command), "exec
/system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name
'%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es
command '%s' --es action %s --user %d",
ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);
get_command() would return "COMMAND", unescaped, through
"/system/bin/sh -c". By adding shell metacharacters to the command,
the root subshell can be tricked into running arbitrary command lines
su -c "'&touch /data/abc;'"
Upon denial by the operator, "touch /data/abc" will be executed with
root privileges. The Superuser variant of this problem is being
tracked under CVE-2013-6769.
SuperSU prior to v1.69 removes quote and backslash characters from the
string passed to /system/bin/sh, but backticks or $() can be used
instead for the same effect:
su -c '`touch /data/abc`'
su -c '$(touch /data/abc)'
The SuperSU variant of this problem is being tracked under CVE-2013-6775.
ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied
input on the /system/bin/am command line.
CyanogenMod/ClockWorkMod/Koush Superuser for Android Command Injection Local Privilege Escalation Weakness
Local Access Required
Loss of Integrity
CyanogenMod, ClockWorkMod, and Koush Superuser for Android contain a flaw that leads to unauthorized privileges being gained. The issue is due to get_command() returning COMMAND unescaped, which may allow a local attacker to inject arbitrary commands. This will allow the attacker to more easily gain elevated privileges.
OSVDB is not currently aware of a solution for this vulnerability.