lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Aug 2012 19:50:30 +1000
From: David Black <disclosure@....org>
To: Jann Horn <jannhorn@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: The Android Superuser App

On 13 August 2012 05:47, Jann Horn <jannhorn@...glemail.com> wrote:
> Hello,
> on Android, everyone who wants to give apps root access to his phone uses the
> Superuser application by ChainsDD. However, from a security perspective, that
> might be a somewhat bad idea.
>
> First, it's not really Open Source anymore, so you can't easily check whether
> everything works the way it should. Well, there are two github repos, one for
> the "su" binary and one for the Superuser app, but the one for the app is
> outdated. In fact, if you choose to build the Superuser app from source, you
> will get a vulnerable system because it still contains a vuln that is fixed
> in the more recent binary releases.
>
> Also, there are open, known vulns that the author doesn't seem to care about.
> You might want to have a look at
> https://github.com/ChainsDD/Superuser/issues/52 - whenever you choose to
> update the "su" binary using the Superuser app, unsigned code will be
> downloaded over HTTP and installed as a setuid root program on your device.
> This bug report is a month old, no comment from the developer, not fixed yet.
> And finally, I've found another vuln that essentially lets apps gain root
> rights without asking the user, and I will release all details about it in
> two weeks.

/me not surprised.


--
David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists