Date: Sun, 12 Aug 2012 21:47:57 +0200
From: Jann Horn <jannhorn@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: The Android Superuser App

Hello,

On Android, everyone who wants to give apps root access to his phone uses the
Superuser application by ChainsDD. However, from a security perspective, that
might be a somewhat bad idea.

First, it's not really Open Source anymore, so you can't easily check whether
everything works the way it should. Well, there are two github repos, one for
the "su" binary and one for the Superuser app, but the one for the app is
outdated. In fact, if you choose to build the Superuser app from source, you
will get a vulnerable system because it still contains a vuln that is fixed
in the more recent binary releases.

Also, there are open, known vulns that the author doesn't seem to care about.
You might want to have a look at
https://github.com/ChainsDD/Superuser/issues/52 - whenever you choose to
update the "su" binary using the Superuser app, unsigned code will be
downloaded over HTTP and installed as a setuid root program on your device.
This bug report is a month old, no comment from the developer, not fixed yet.

And finally, I've found another vuln that essentially lets apps gain root
rights without asking the user, and I will release all details about it in
two weeks.

Seems like someone should make a better superuser app...

Jann
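The update path described above (unsigned code fetched over plain HTTP and then installed setuid root) combines a transport problem with a missing integrity check. As an added illustration that is not part of the original post and not code from the Superuser app or its author, the following Python shows the two checks a defender would expect before a downloaded binary is ever made setuid: refuse non-HTTPS update URLs, and compare the payload against a pinned SHA-256 digest obtained out of band, in constant time, before writing it into place atomically. The update URL, payload and digest are constructed sample values, and the function names are this example's own.

```python
"""Added example: integrity checks before installing an update as setuid root.
Not the Superuser app's code. URL, payload and digest below are constructed."""
import hashlib
import hmac
import os
import stat
import tempfile
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised when an update fails a pre-install check."""


def check_transport(url):
    """Reject any update URL that is not HTTPS (plain HTTP is trivially tampered with)."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise UpdateRejected("refusing to fetch update over %r; https required" % scheme)
    return True


def verify_digest(blob, expected_hex):
    """Compare the payload's SHA-256 with a digest pinned out of band (constant time)."""
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected_hex):
        raise UpdateRejected("digest mismatch, refusing to install (got %s)" % actual)
    return True


def install_setuid(blob, dest_path, url, expected_hex):
    """Install blob at dest_path with mode 4755 only after both checks pass.
    Writes to a temp file in the target directory and renames it into place so a
    partially written binary never carries the setuid bit at the final path."""
    check_transport(url)
    verify_digest(blob, expected_hex)
    dirname = os.path.dirname(dest_path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
        os.chmod(tmp, 0o4755)          # rwsr-xr-x; only meaningful once owned by root
        os.replace(tmp, dest_path)     # atomic rename, last step
    except Exception:
        os.unlink(tmp)                 # replace was the final step, so tmp still exists
        raise
    return dest_path


def is_rejected(fn, *args):
    """Helper for demonstrating a failed check as a return value."""
    try:
        fn(*args)
    except UpdateRejected:
        return True
    return False


# Constructed sample payload and its pinned digest (stands in for a real "su" binary).
SAMPLE_BLOB = b"#!/bin/sh\necho constructed sample, not a real su binary\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_BLOB).hexdigest()
SAMPLE_URL = "https://updates.example/su"   # hypothetical update host


def demo():
    """Run a full install into a temp dir; return (content_ok, setuid_bit_set)."""
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "su")
        install_setuid(SAMPLE_BLOB, dest, SAMPLE_URL, SAMPLE_DIGEST)
        with open(dest, "rb") as f:
            content_ok = f.read() == SAMPLE_BLOB
        setuid_set = bool(os.stat(dest).st_mode & stat.S_ISUID)
        return content_ok, setuid_set


if __name__ == "__main__":
    print("install ok, setuid bit:", demo())
    print("http url rejected:", is_rejected(check_transport, "http://updates.example/su"))
    print("tampered blob rejected:", is_rejected(verify_digest, SAMPLE_BLOB + b"x", SAMPLE_DIGEST))
```

A pinned digest only helps if it is delivered separately from the binary (for instance shipped inside the signed app package), which is the point of the issue quoted above: an updater that fetches both the code and any checksum from the same unauthenticated channel verifies nothing.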
