CVE-2013-6769
CVSS 10.0
Published: 2014-03-31 10:58:57
Revised: 2014-03-31 15:01:38

[Original] The CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android allows attackers to gain privileges via shell metacharacters in the -c option to /system/xbin/su.


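[CNNVD] Multiple Android Superuser Packages Arbitrary Command Execution Vulnerability (CNNVD-201311-223)

        CyanogenMod Superuser and similar packages are superuser authorization tools for Android phones. By granting applications root privileges, such a tool can take control of the phone.
        An arbitrary command execution vulnerability exists in multiple Android Superuser tools. An attacker can exploit it to execute arbitrary commands with root privileges and take full control of the application and the underlying device. The following versions are affected: CyanogenMod Superuser 1.0.2.1, ClockWorkMod Superuser 1.0.2.1, Koush Superuser 1.0.2.1.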

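- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [Total information disclosure, exposing all system files]
Integrity impact: COMPLETE [System integrity can be completely compromised]
Availability impact: COMPLETE [May cause a complete system outage]
Attack complexity: LOW [No access restrictions apply to exploitation]
Attack vector: NETWORK [The attacker does not need internal-network or local access]
Authentication: NONE [Exploitation requires no authentication]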

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6769
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6769
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201311-223
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/529797
(UNKNOWN)  BUGTRAQ  20131113 Android Superuser shell character escape vulnerability

- Vulnerability information

Multiple Android Superuser Packages Arbitrary Command Execution Vulnerability
Code injection
2013-11-21 00:00:00 2013-11-21 00:00:00
Remote

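- Advisories and patches

        The vendor has not yet provided a patch or upgrade for this vulnerability. Users of this software are advised to watch the vendor's home page for the latest version: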
        http://seclists.org/bugtraq/2013/Nov/58

- Vulnerability information (F124016)

Android 4.2.x Superuser Shell Character Escape (PacketStormID:F124016)
2013-11-14 00:00:00
Kevin Cernekee  
exploit,arbitrary,shell,root
CVE-2013-6769

Vulnerable releases of two common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root. These issues are due to a shell character escape vulnerability.

Vulnerable releases of two common Android Superuser packages may allow
malicious Android applications to execute arbitrary commands as root,
either without prompting the user or after the user has denied the
request:

 - CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
 - Chainfire SuperSU prior to v1.69

The majority of recent third-party ROMs include one of these packages.
 Older ROMs may use the ChainsDD Superuser package, which is not
affected but is no longer maintained.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed.  If any of these checks fail, the denial is recorded by
broadcasting an intent to the Superuser app through the Android
Activity Manager binary, /system/bin/am.  /system/bin/am is invoked as
root, and user-supplied arguments to the "su" command can be included
on the "am" command line.

On a rooted Android >= 4.3 device, due to changes in Android's
security model, /system/xbin/su functions as an unprivileged client
which connects to a "su daemon" started early in the boot process.
The client passes the request over a UNIX socket, and the daemon reads
the caller's credentials using SO_PEERCRED.  As described above,
/system/bin/am is called (now from the daemon) to communicate with the
app that implements the user interface.

If the user invokes "su -c 'COMMAND'" and the request is denied (or
approved), ClockWorkMod Superuser constructs a command line to pass to
a root shell:

    snprintf(user_result_command, sizeof(user_result_command),
        "exec /system/bin/am " ACTION_RESULT
        " --ei binary_version %d --es from_name '%s' --es desired_name '%s'"
        " --ei uid %d --ei desired_uid %d --es command '%s'"
        " --es action %s --user %d",
        VERSION_CODE,
        ctx->from.name, ctx->to.name,
        ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
        policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);

get_command() would return "COMMAND", unescaped, through
"/system/bin/sh -c".  By adding shell metacharacters to the command,
the root subshell can be tricked into running arbitrary command lines
as root:

    su -c "'&touch /data/abc;'"

Upon denial by the operator, "touch /data/abc" will be executed with
root privileges.  The Superuser variant of this problem is being
tracked under CVE-2013-6769.

SuperSU prior to v1.69 removes quote and backslash characters from the
string passed to /system/bin/sh, but backticks or $() can be used
instead for the same effect:

    su -c '`touch /data/abc`'
    su -c '$(touch /data/abc)'

The SuperSU variant of this problem is being tracked under CVE-2013-6775.

ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied
input on the /system/bin/am command line.
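
Added example (not part of the advisory and not code from any Superuser package): the string-building pattern described above next to a single-quote-escaped form, with a checker that reports whether `sh` would see a metacharacter outside quotes. The shortened `am` template and the names `build_unsafe`, `build_quoted`, `sh_quote` and `has_live_meta` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Pattern from the advisory, shortened: caller text pasted between '...'. */
int build_unsafe(char *out, size_t n, const char *cmd) {
    int r = snprintf(out, n, "exec /system/bin/am --es command '%s' --es action deny", cmd);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* POSIX single-quote escaping: wrap in '...' and turn each ' into '\''. */
int sh_quote(char *out, size_t n, const char *in) {
    size_t o = 0;
    if (n < 3) return -1;
    out[o++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (o + need + 2 > n) return -1;   /* keep room for closing quote + NUL */
        if (*in == '\'') { memcpy(out + o, "'\\''", 4); o += 4; }
        else out[o++] = *in;
    }
    out[o++] = '\'';
    out[o] = '\0';
    return 0;
}

/* Same template, but the caller text is escaped before it reaches the shell. */
int build_quoted(char *out, size_t n, const char *cmd) {
    char q[512];
    if (sh_quote(q, sizeof q, cmd) != 0) return -1;   /* refuse instead of truncating */
    int r = snprintf(out, n, "exec /system/bin/am --es command %s --es action deny", q);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Returns 1 if sh would see a metacharacter outside single quotes.
   Models only '...' and backslash, which is all this template uses. */
int has_live_meta(const char *s) {
    int in_sq = 0;
    for (; *s; s++) {
        if (in_sq) { if (*s == '\'') in_sq = 0; continue; }
        if (*s == '\\' && s[1]) { s++; continue; }
        if (*s == '\'') { in_sq = 1; continue; }
        if (strchr("&;|`$<>()\n", *s)) return 1;
    }
    return in_sq;   /* an unterminated quote is also a broken command line */
}
```

Executing the target with an argument vector (`execv`) instead of a shell string removes the shell parsing step altogether, so no escaping is needed.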
    

- Vulnerability information

99879
CyanogenMod/ClockWorkMod/Koush Superuser for Android Command Injection Local Privilege Escalation Weakness
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public Uncoordinated Disclosure

- Vulnerability description

CyanogenMod, ClockWorkMod, and Koush Superuser for Android contain a flaw that leads to unauthorized privileges being gained. The issue is due to get_command() returning COMMAND unescaped, which may allow a local attacker to inject arbitrary commands. This will allow the attacker to more easily gain elevated privileges.

- Timeline

2013-11-11 Unknown
2013-11-13 Unknown

- Solution

OSVDB is not currently aware of a solution for this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Multiple Android Superuser Packages CVE-2013-6769 Arbitrary Command Execution Vulnerability
Design Error 63712
Yes No
2013-11-13 12:00:00 2013-11-13 12:00:00
Kevin Cernekee

- Affected program versions

- Vulnerability discussion

Multiple Android Superuser packages are prone to an arbitrary command-execution vulnerability.

An attacker can leverage this issue to execute arbitrary commands with root privileges. Successful exploits will compromise the application and possibly the underlying device.

The following versions are affected:

CyanogenMod Superuser 1.0.2.1
ClockWorkMod Superuser 1.0.2.1
Koush Superuser 1.0.2.1

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

     

     
