Attend XDA's Second Annual Developer Conference, XDA:DevCon 2014!
5,810,466 Members 51,282 Now Online
XDA Developers Android and Mobile Development Forum

[SECURITY] Multiple Android Superuser vulnerabilities

Tip us?
 
cernekee
Old
#1  
Senior Member - OP
Thanks Meter 364
Posts: 182
Join Date: Jun 2013
Default [SECURITY] Multiple Android Superuser vulnerabilities

Well, I was going to hold off until all of the vendors had new releases posted, but now that the cat is out of the bag and the evildoers have sufficient information to figure out what got fixed:

Current Superuser/SuperSU releases have security holes that allow any application to execute commands as root without the user's permission (even apps with no permissions). Please upgrade immediately to SuperSU >= v1.69 or another patched release.

This is expected to impact the vast majority of rooted devices and custom ROMs.

Details follow:

Superuser unsanitized environment vulnerability on Android <= 4.2.x

Vulnerable releases of several common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root without notifying the device owner:
  • ChainsDD Superuser (current releases, including v3.1.3)
  • CyanogenMod/ClockWorkMod/Koush Superuser (current releases, including v1.0.2.1)
  • Chainfire SuperSU prior to v1.69

The majority of third-party ROMs include one of these packages.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root binary which performs a number of privilege checks in order to determine whether the operation requested by the caller should be allowed. In the course of its normal duties, and prior to making the allow/deny decision, /system/xbin/su invokes external programs under a privileged UID, typically root (0) or system (1000):
  • /system/bin/log, to record activity to logcat
  • /system/bin/am, to send intents to the Superuser Java app
  • /system/bin/sh, to execute the /system/bin/am wrapper script
  • /system/bin/app_process, the Dalvik VM

The user who invokes /system/xbin/su may have the ability to manipulate the environment variables, file descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly other items belonging to any of these subprocesses. At least two vulnerabilities are readily apparent:

- On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a known-good value, so a malicious user could trick /system/bin/am into using a trojaned app_process binary:

Code:
echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch /data/trojan.out\nexec $0 "$@"' > app_process ; chmod 755 app_process
PATH=`pwd`:$PATH su -c 'true'
The PATH vulnerability is being tracked under CVE-2013-6768.

- Other environment variables could be used to affect the behavior of the (moderately complex) subprocesses. For instance, manipulation of BOOTCLASSPATH could cause a malicious .jar file to be loaded into the privileged Dalvik VM instance. All three Superuser implementations allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker.

The BOOTCLASSPATH vulnerability is being tracked under CVE-2013-6774.


Android Superuser shell character escape vulnerability

Vulnerable releases of two common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root, either without prompting the user or after the user has denied the request:
  • CyanogenMod/ClockWorkMod/Koush Superuser (current releases, including v1.0.2.1)
  • Chainfire SuperSU prior to v1.69

The majority of recent third-party ROMs include one of these packages. Older ROMs may use the ChainsDD Superuser package, which is not affected but is no longer maintained.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root binary which performs a number of privilege checks in order to determine whether the operation requested by the caller should be allowed. If any of these checks fail, the denial is recorded by broadcasting an intent to the Superuser app through the Android Activity Manager binary, /system/bin/am. /system/bin/am is invoked as root, and user-supplied arguments to the "su" command can be included on the "am" command line.

On a rooted Android >= 4.3 device, due to changes in Android's security model, /system/xbin/su functions as an unprivileged client which connects to a "su daemon" started early in the boot process. The client passes the request over a UNIX socket, and the daemon reads the caller's credentials using SO_PEERCRED. As described above, /system/bin/am is called (now from the daemon) to communicate with the app that implements the user interface.

If the user invokes "su -c 'COMMAND'" and the request is denied (or approved), ClockWorkMod Superuser constructs a command line to pass to a root shell:

Code:
    snprintf(user_result_command, sizeof(user_result_command), "exec /system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name '%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es command '%s' --es action %s --user %d",
        VERSION_CODE,
        ctx->from.name, ctx->to.name,
        ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
        policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);
get_command() would return "COMMAND", unescaped, through "/system/bin/sh -c". By adding shell metacharacters to the command, the root subshell can be tricked into running arbitrary command lines as root:

Code:
su -c "'&touch /data/abc;'"
Upon denial by the operator, "touch /data/abc" will be executed with root privileges. The Superuser variant of this problem is being tracked under CVE-2013-6769.

SuperSU prior to v1.69 removes quote and backslash characters from the string passed to /system/bin/sh, but backticks or $() can be used instead for the same effect:

Code:
su -c '`touch /data/abc`'
su -c '$(touch /data/abc)'
The SuperSU variant of this problem is being tracked under CVE-2013-6775.

ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied input on the /system/bin/am command line.


Superuser "su --daemon" vulnerability on Android >= 4.3

Current releases of the CyanogenMod/ClockWorkMod/Koush Superuser package may allow restricted local users to execute arbitrary commands as root in certain, non-default device configurations.

Android 4.3 introduced the concept of "restricted profiles," created through the Settings -> Users menu. A restricted profile can be configured to allow access to only a minimal set of applications, and has extremely limited abilities to change settings on the device. This is often used to enforce parental controls, or to protect shared devices set up in public places. The OS requires an unlock code to be entered in order to access the owner's profile to administer the system.

/system/xbin/su is a setuid root executable, and any user may invoke it in client mode ("su -c 'foo'" or just "su"), or in daemon mode ("su --daemon"). In either mode of operation, the user who invokes this program has the ability to manipulate its environment variables, file descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly other items. By adding new entries at the front of the PATH for commonly-executed root commands, then re-invoking "su --daemon", an attacker may be able to hijack legitimate root sessions subsequently started by other applications on the device.

"su --daemon" is normally started up very early in the boot process, as root, from /init.superuser.rc (CM) or from /system/etc/install-recovery.sh (other ROMs). The fact that unprivileged users are allowed to restart the daemon later, under EUID 0, appears to be an oversight.


Successful exploitation requires a number of conditions to be met:

- The attacker must have ADB shell access, e.g. over USB. This is disabled by default, and normally restricted to trusted ADB clients whose RSA key fingerprints have been accepted by the device administrator. Root access via ADB (i.e. Settings -> Developer Options -> Root access -> Apps and ADB) is not required. Note that ADB shell access is typically considered a security risk, even in the absence of this problem.

- The attacker must have a way to assume a non-shell (non-2000), suid-capable Linux UID in order to prevent /system/xbin/su from creating infinitely recursive connections to itself through the daemon client UID check in main(). One way to do this would involve uploading an app with the "debuggable" flag and using /system/bin/run-as to assume this UID. "adb install" can probably used for this purpose. However, due to a bug in Android 4.3's "run-as" implementation[1], this does not currently work. This bug was fixed in Android 4.4, so CM11 will probably be able to satisfy this requirement.

- The device owner must have granted root permissions to one or more applications via Superuser. The restricted profile does not need to be able to run this app from the launcher.

Sample exploit:

The restricted local user can reboot the tablet, run "adb shell" when the boot animation shows up, then invoke the following commands:

Code:
echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch /data/trojan.out\nexec $0 "$@"' > /data/local/tmp/trojan
chmod 755 /data/local/tmp/trojan
for x in id ls cp cat touch chmod chown iptables dmesg; do ln -s trojan /data/local/tmp/$x ; done
PATH=/data/local/tmp:$PATH setsid run-as.422 my.debuggable.package /system/xbin/su --daemon &
(Note the use of "run-as.422" as a proxy for a working Android 4.3 run-as binary, and the installation of "my.debuggable.package" with the debuggable flag set.)

At this point the USB cable may be disconnected.

The next time a root application successfully passes the Superuser check and invokes one of the trojaned shell commands, /data/local/tmp/trojan will be executed under UID 0.

An ideal candidate for exploitation is a package which runs privileged commands on boot, e.g. AdBlock Plus or AFWall+, as this allows for instant access. Another possibility is to hijack an app which the device's operator runs frequently, such as Titanium Backup.

Note that this can NOT be exploited by malicious applications, as zygote-spawned processes (apps) always access /system in nosuid mode[2] on Android 4.3+. The ADB shell was used as the attack vector as it is not subject to this restriction.

ChainsDD Superuser v3.1.3 does not have an Android 4.3+ client/server mode at all, and SuperSU aborts if an existing "daemonsu" instance is already bound to the abstract @"eu.chainfire.supersu" socket.

Proposed resolution: on Android 4.3 and higher, install all Superuser-related binaries with mode 0755 (setuid bit unset).

This problem is being tracked under CVE-2013-6770.

[1] https://code.google.com/p/android/is...etail?id=58373
[2] http://source.android.com/devices/te...cements43.html
The Following 20 Users Say Thank You to cernekee For This Useful Post: [ Click to Expand ]
 
SecUpwN
Old
#2  
SecUpwN's Avatar
Senior Member
Thanks Meter 582
Posts: 1,915
Join Date: Jun 2012
Location: CLASSIFIED

 
DONATE TO ME
Did you report that to @Chainfire?


SICK OF SURVEILLANCE?

Get the Android IMSI-Catcher Detector.


Help us support EFF, Guardian Project and Privacy International!
DONATE DarkCoin:
XxEJvrYtkTZzvMUjtbZwPY34MyCGHSu4ys

 
cernekee
Old
(Last edited by cernekee; 15th November 2013 at 05:32 AM.)
#3  
Senior Member - OP
Thanks Meter 364
Posts: 182
Join Date: Jun 2013
Quote:
Originally Posted by SecUpwN View Post
Did you report that to @Chainfire?
Yes, he's been very responsive.

I contacted all three developers last Saturday, and posted the advisory after there was enough public information available to deduce what the problems were.

In case you're curious, there's been some additional discussion about exploiting ChainsDD Superuser on BUGTRAQ.
The Following User Says Thank You to cernekee For This Useful Post: [ Click to Expand ]
 
milojoseph
Old
#4  
milojoseph's Avatar
Senior Member
Thanks Meter 198
Posts: 465
Join Date: Sep 2012
Location: Brooklyn
Is there a way we can patch this maybe using xposed framework
The Following User Says Thank You to milojoseph For This Useful Post: [ Click to Expand ]
 
cernekee
Old
#5  
Senior Member - OP
Thanks Meter 364
Posts: 182
Join Date: Jun 2013
Quote:
Originally Posted by milojoseph View Post
Is there a way we can patch this
There are new releases of SuperSU and CWM Superuser posted:

https://play.google.com/store/apps/d....supersu&hl=en
http://forum.xda-developers.com/show....php?t=1538053

https://play.google.com/store/apps/d...uperuser&hl=en

I haven't seen any updates to ChainsDD Superuser, and AFAICT the project is no longer maintained.

Quote:
maybe using xposed framework
Xposed is useful for patching Java programs, but /system/xbin/su is compiled C code. So the techniques used by Xposed would not apply to this case.
 
Chainfire
Old
#6  
Chainfire's Avatar
Senior Moderator / Senior Recognized Developer - Where is my shirt?
Thanks Meter 49,952
Posts: 9,087
Join Date: Oct 2007

 
DONATE TO ME
Quote:
Originally Posted by cernekee View Post
Xposed is useful for patching Java programs, but /system/xbin/su is compiled C code. So the techniques used by Xposed would not apply to this case.
There's always Substrate, that can be used even for patching native code, but still in this case not applicable I guess.
BLOG - G+(Chainfire) - G+(Personal) - TWITTER - IRC - PAYPAL - BTC 1JeoxivKEXbbiegsv1BrUC7fD7GgSPcqkG

A proper quote includes only the relevant paragraphs, and a proper post never ends with the word "why"

 

Android
HTC G1, Hero, One
LG G Pad 8.3, G Watch, G3
Moto E
Samsung i5800, i9000*2, P1000*2, P7100, i9100*2, N7000, P6800, i9300, N7100, i9505, N9005, G900F
Sony T LT30p, Z C6603
Nexus Galaxy*2, N7*2, N10, N7-2013, N7-2013-3G, N5

SuperSU, Mobile ODIN, TriangleAway, DSLR Controller, CF-Root, 500 Firepaper, OpenDelta, USB Host Diagnostics, ExynosAbuseAPK, Live dmesg+logcat, NoMoarPowah!, CF-Bench, Chainfire3D, CF.lumen, SGS2 SIM Unlocker, GingerBreakAPK, SuperPower, and more!

Windows Mobile 5/6
E-Mobile EM-ONE
HTC Wizard*2, Kaiser, Touch, Diamond, Pro, HD*2, Diamond 2, Pro 2*2, HD2*2
Samsung i780, i900*2, i8000*2, b7300, b7320, b7330, b7620*2, b6520

WMWifiRouter, KaiserTweak, FPUEnabler, WMLongLife, WMRegOptimizer, CFC+GUI, TF3D+v2 ports, Kaiser+Omnia2+Snapdragon 3D drivers, GfxBoost, and more!

Windows Phone 7
LG GW910

iOS
Apple iPad 3, iPad Mini 2


NOTICE: I do not respond to tech support questions through PM.
The Following User Says Thank You to Chainfire For This Useful Post: [ Click to Expand ]
 
nicolasbert
Old
#7  
Junior Member
Thanks Meter 0
Posts: 5
Join Date: Feb 2014
Where you able to find any patch to fix them?
 
bydyphil
Old
#8  
bydyphil's Avatar
Junior Member
Thanks Meter 0
Posts: 12
Join Date: May 2013
Location: Mertesheim
thank you for sharing ...

Thread Tools
Display Modes