[原文]Untrusted search path vulnerability in the ChainsDD Superuser package 3.1.3 for Android 4.2.x and earlier, CyanogenMod/ClockWorkMod/Koush Superuser package 220.127.116.11 for Android 4.2.x and earlier, and Chainfire SuperSU package before 1.69 for Android 4.2.x and earlier allows attackers to load an arbitrary .jar file and gain privileges via a crafted BOOTCLASSPATH environment variable for a /system/xbin/su process. NOTE: another researcher was unable to reproduce this with ChainsDD Superuser.
Vulnerable releases of several common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root without notifying the device owner. This advisoriy documents PATH and BOOTCLASSPATH vulnerabilities.
Vulnerable releases of several common Android Superuser packages may
allow malicious Android applications to execute arbitrary commands as
root without notifying the device owner:
- ChainsDD Superuser (current releases, including v3.1.3)
- CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
- Chainfire SuperSU prior to v1.69
The majority of third-party ROMs include one of these packages.
On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed. In the course of its normal duties, and prior to making the
allow/deny decision, /system/xbin/su invokes external programs under a
privileged UID, typically root (0) or system (1000):
- /system/bin/log, to record activity to logcat
- /system/bin/am, to send intents to the Superuser Java app
- /system/bin/sh, to execute the /system/bin/am wrapper script
- /system/bin/app_process, the Dalvik VM
The user who invokes /system/xbin/su may have the ability to
manipulate the environment variables, file descriptors, signals,
rlimits, tty/stdin/stdout/stderr, and possibly other items belonging
to any of these subprocesses. At least two vulnerabilities are
- On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a
known-good value, so a malicious user could trick /system/bin/am into
using a trojaned app_process binary:
echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch
/data/trojan.out\nexec $0 "$@"' > app_process ; chmod 755 app_process
PATH=`pwd`:$PATH su -c 'true'
The PATH vulnerability is being tracked under CVE-2013-6768.
- Other environment variables could be used to affect the behavior of
the (moderately complex) subprocesses. For instance, manipulation of
BOOTCLASSPATH could cause a malicious .jar file to be loaded into the
privileged Dalvik VM instance. All three Superuser implementations
allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker.
The BOOTCLASSPATH vulnerability is being tracked under CVE-2013-6774.
Chainfire SuperSU for Android BOOTCLASSPATH Environment Variable Path Subversion Local Privilege Escalation
Local Access Required
Loss of Integrity
Chainfire SuperSU for Android is prone to a flaw in the way it loads the BOOTCLASSPATH environment variable. The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows a local attacker to inject custom code that will be run with the privilege of the program or user executing the program.
This attack can be leveraged remotely in some cases by placing the malicious file or library on a network share or extracted archive downloaded from a remote source. This can be done by tricking a user into opening an unspecified file from the local file system or a USB drive in some cases. This attack scenario is certainly possible, but rare.
It has been reported that this issue has been fixed. Upgrade to version 1.69, or higher, to address this vulnerability.