lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJiQ=7DfeDygNo544XqB98U_Pd8YY_+U+8C0c_BRXinzwWLYkw@mail.gmail.com>
Date: Wed, 13 Nov 2013 11:25:51 -0800
From: Kevin Cernekee <cernekee@...il.com>
To: bugtraq@...urityfocus.com
Subject: Android Superuser shell character escape vulnerability

Vulnerable releases of two common Android Superuser packages may allow
malicious Android applications to execute arbitrary commands as root,
either without prompting the user or after the user has denied the
request:

 - CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
 - Chainfire SuperSU prior to v1.69

The majority of recent third-party ROMs include one of these packages.
 Older ROMs may use the ChainsDD Superuser package, which is not
affected but is no longer maintained.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed.  If any of these checks fail, the denial is recorded by
broadcasting an intent to the Superuser app through the Android
Activity Manager binary, /system/bin/am.  /system/bin/am is invoked as
root, and user-supplied arguments to the "su" command can be included
on the "am" command line.

On a rooted Android >= 4.3 device, due to changes in Android's
security model, /system/xbin/su functions as an unprivileged client
which connects to a "su daemon" started early in the boot process.
The client passes the request over a UNIX socket, and the daemon reads
the caller's credentials using SO_PEERCRED.  As described above,
/system/bin/am is called (now from the daemon) to communicate with the
app that implements the user interface.

If the user invokes "su -c 'COMMAND'" and the request is denied (or
approved), ClockWorkMod Superuser constructs a command line to pass to
a root shell:

    snprintf(user_result_command, sizeof(user_result_command), "exec
/system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name
'%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es
command '%s' --es action %s --user %d",
        VERSION_CODE,
        ctx->from.name, ctx->to.name,
        ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
        policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);

get_command() would return "COMMAND", unescaped, through
"/system/bin/sh -c".  By adding shell metacharacters to the command,
the root subshell can be tricked into running arbitrary command lines
as root:

    su -c "'&touch /data/abc;'"

Upon denial by the operator, "touch /data/abc" will be executed with
root privileges.  The Superuser variant of this problem is being
tracked under CVE-2013-6769.

SuperSU prior to v1.69 removes quote and backslash characters from the
string passed to /system/bin/sh, but backticks or $() can be used
instead for the same effect:

    su -c '`touch /data/abc`'
    su -c '$(touch /data/abc)'

The SuperSU variant of this problem is being tracked under CVE-2013-6775.

ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied
input on the /system/bin/am command line.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ