发布时间 :2014-03-31 10:58:57
修订时间 :2014-04-03 13:09:55

[原文]The CyanogenMod/ClockWorkMod/Koush Superuser package for Android 4.3 and 4.4 does not properly restrict the set of users who can execute /system/xbin/su with the --daemon option, which allows attackers to gain privileges by leveraging ADB shell access and a certain Linux UID, and then creating a Trojan horse script.

[CNNVD]多个Android Superuser工具包任意命令执行漏洞(CNNVD-201311-266)

        CyanogenMod Superuser等都是用于安卓手机中的超级用户授权工具。该工具通过授予应用程序root权限,可掌握手机的控制权。
        多个Android Superuser工具包中存在任意命令执行漏洞。攻击者可利用该漏洞以root权限执行任意命令,成功的利用可控制应用程序和底层设备。以下版本受到影响:CyanogenMod Superuser,ClockWorkMod Superuser,Koush Superuser。

- CVSS (基础分值)

CVSS分值: 7.6 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-264 [权限、特权与访问控制]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20131113 Superuser "su --daemon" vulnerability on Android >= 4.3

- 漏洞信息

多个Android Superuser工具包任意命令执行漏洞
2013-11-21 00:00:00 2013-11-21 00:00:00
        CyanogenMod Superuser等都是用于安卓手机中的超级用户授权工具。该工具通过授予应用程序root权限,可掌握手机的控制权。
        多个Android Superuser工具包中存在任意命令执行漏洞。攻击者可利用该漏洞以root权限执行任意命令,成功的利用可控制应用程序和底层设备。以下版本受到影响:CyanogenMod Superuser,ClockWorkMod Superuser,Koush Superuser。

- 公告与补丁


- 漏洞信息 (F124020)

Android 4.3 Superuser Root Privilege Escalation (PacketStormID:F124020)
2013-11-14 00:00:00
Kevin Cernekee  

The Superuser package for Android 4.3 allows a user to spawn /system/xbin/su with manipulated environment variables to execute code as root.

Current releases of the CyanogenMod/ClockWorkMod/Koush Superuser
package may allow restricted local users to execute arbitrary commands
as root in certain, non-default device configurations.

Android 4.3 introduced the concept of "restricted profiles," created
through the Settings -> Users menu.  A restricted profile can be
configured to allow access to only a minimal set of applications, and
has extremely limited abilities to change settings on the device.
This is often used to enforce parental controls, or to protect shared
devices set up in public places.  The OS requires an unlock code to be
entered in order to access the owner's profile to administer the

/system/xbin/su is a setuid root executable, and any user may invoke
it in client mode ("su -c 'foo'" or just "su"), or in daemon mode ("su
--daemon").  In either mode of operation, the user who invokes this
program has the ability to manipulate its environment variables, file
descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly
other items.  By adding new entries at the front of the PATH for
commonly-executed root commands, then re-invoking "su --daemon", an
attacker may be able to hijack legitimate root sessions subsequently
started by other applications on the device.

"su --daemon" is normally started up very early in the boot process,
as root, from /init.superuser.rc (CM) or from
/system/etc/ (other ROMs).  The fact that
unprivileged users are allowed to restart the daemon later, under EUID
0, appears to be an oversight.

Successful exploitation requires a number of conditions to be met:

 - The attacker must have ADB shell access, e.g. over USB.  This is
disabled by default, and normally restricted to trusted ADB clients
whose RSA key fingerprints have been accepted by the device
administrator.  Root access via ADB (i.e. Settings -> Developer
Options -> Root access -> Apps and ADB) is not required.  Note that
ADB shell access is typically considered a security risk, even in the
absence of this problem.

 - The attacker must have a way to assume a non-shell (non-2000),
suid-capable Linux UID in order to prevent /system/xbin/su from
creating infinitely recursive connections to itself through the daemon
client UID check in main().  One way to do this would involve
uploading an app with the "debuggable" flag and using
/system/bin/run-as to assume this UID.  "adb install" can probably
used for this purpose.  However, due to a bug in Android 4.3's
"run-as" implementation[1], this does not currently work.  This bug
was fixed in Android 4.4, so CM11 will probably be able to satisfy
this requirement.

 - The device owner must have granted root permissions to one or more
applications via Superuser.  The restricted profile does not need to
be able to run this app from the launcher.

Sample exploit:

The restricted local user can reboot the tablet, run "adb shell" when
the boot animation shows up, then invoke the following commands:

    echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch
/data/trojan.out\nexec $0 "$@"' > /data/local/tmp/trojan
    chmod 755 /data/local/tmp/trojan
    for x in id ls cp cat touch chmod chown iptables dmesg; do ln -s
trojan /data/local/tmp/$x ; done
    PATH=/data/local/tmp:$PATH setsid run-as.422 my.debuggable.package
/system/xbin/su --daemon &

(Note the use of "run-as.422" as a proxy for a working Android 4.3
run-as binary, and the installation of "my.debuggable.package" with
the debuggable flag set.)

At this point the USB cable may be disconnected.

The next time a root application successfully passes the Superuser
check and invokes one of the trojaned shell commands,
/data/local/tmp/trojan will be executed under UID 0.

An ideal candidate for exploitation is a package which runs privileged
commands on boot, e.g. AdBlock Plus or AFWall+, as this allows for
instant access.  Another possibility is to hijack an app which the
device's operator runs frequently, such as Titanium Backup.

Note that this can NOT be exploited by malicious applications, as
zygote-spawned processes (apps) always access /system in nosuid
mode[2] on Android 4.3+.  The ADB shell was used as the attack vector
as it is not subject to this restriction.

ChainsDD Superuser v3.1.3 does not have an Android 4.3+ client/server
mode at all, and SuperSU aborts if an existing "daemonsu" instance is
already bound to the abstract @"eu.chainfire.supersu" socket.

Proposed resolution: on Android 4.3 and higher, install all
Superuser-related binaries with mode 0755 (setuid bit unset).

This problem is being tracked under CVE-2013-6770.


- 漏洞信息

CyanogenMod/ClockWorkMod/Koush Superuser for Android for Android /system/xbin/su Root Session Hijacking Weakness
Local Access Required, Mobile Phone / Hand-held Device Input Manipulation
Loss of Integrity Solution Unknown
Exploit Unknown Uncoordinated Disclosure

- 漏洞描述

CyanogenMod, ClockWorkMod, and Koush Superuser for Android contains a flaw that is due to the application failing to restrict users from using the /system/xbin/su setuid root executable. This may allow a local attacker to hijack a user's root session.

- 时间线

2013-11-13 Unknow
2013-11-13 Unknow

- 解决方案

OSVDB is not currently aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Android Superuser Packages CVE-2013-6770 Arbitrary Command Execution Vulnerability
Design Error 63740
No Yes
2013-11-14 12:00:00 2013-11-14 12:00:00
Kevin Cernekee

- 受影响的程序版本

- 漏洞讨论

Multiple Android Superuser packages are prone to an arbitrary command-execution vulnerability.

An attacker can leverage this issue to execute arbitrary commands with root privileges. Successful exploits will compromise the application and possibly the underlying device.

The following versions are affected:

CyanogenMod Superuser
ClockWorkMod Superuser
Koush Superuser

- 漏洞利用

Attackers can use standard commands to exploit this issue.

- 解决方案

Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at:

- 相关参考