Welcome to XDA

Search to go directly to your device's forum

Register an account

Unlock full posting privileges

Ask a question

No registration required
Post Reply

[SECURITY] Multiple Android Superuser vulnerabilities

OP cernekee

13th November 2013, 08:16 PM   |  #1  
OP Senior Member
Thanks Meter: 379
 
186 posts
Join Date:Joined: Jun 2013
Well, I was going to hold off until all of the vendors had new releases posted, but now that the cat is out of the bag and the evildoers have sufficient information to figure out what got fixed:

Current Superuser/SuperSU releases have security holes that allow any application to execute commands as root without the user's permission (even apps with no permissions). Please upgrade immediately to SuperSU >= v1.69 or another patched release.

This is expected to impact the vast majority of rooted devices and custom ROMs.

Details follow:

Superuser unsanitized environment vulnerability on Android <= 4.2.x

Vulnerable releases of several common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root without notifying the device owner:
  • ChainsDD Superuser (current releases, including v3.1.3)
  • CyanogenMod/ClockWorkMod/Koush Superuser (current releases, including v1.0.2.1)
  • Chainfire SuperSU prior to v1.69

The majority of third-party ROMs include one of these packages.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root binary which performs a number of privilege checks in order to determine whether the operation requested by the caller should be allowed. In the course of its normal duties, and prior to making the allow/deny decision, /system/xbin/su invokes external programs under a privileged UID, typically root (0) or system (1000):
  • /system/bin/log, to record activity to logcat
  • /system/bin/am, to send intents to the Superuser Java app
  • /system/bin/sh, to execute the /system/bin/am wrapper script
  • /system/bin/app_process, the Dalvik VM

The user who invokes /system/xbin/su may have the ability to manipulate the environment variables, file descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly other items belonging to any of these subprocesses. At least two vulnerabilities are readily apparent:

- On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a known-good value, so a malicious user could trick /system/bin/am into using a trojaned app_process binary:

Code:
echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch /data/trojan.out\nexec $0 "$@"' > app_process ; chmod 755 app_process
PATH=`pwd`:$PATH su -c 'true'
The PATH vulnerability is being tracked under CVE-2013-6768.

- Other environment variables could be used to affect the behavior of the (moderately complex) subprocesses. For instance, manipulation of BOOTCLASSPATH could cause a malicious .jar file to be loaded into the privileged Dalvik VM instance. All three Superuser implementations allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker.

The BOOTCLASSPATH vulnerability is being tracked under CVE-2013-6774.


Android Superuser shell character escape vulnerability

Vulnerable releases of two common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root, either without prompting the user or after the user has denied the request:
  • CyanogenMod/ClockWorkMod/Koush Superuser (current releases, including v1.0.2.1)
  • Chainfire SuperSU prior to v1.69

The majority of recent third-party ROMs include one of these packages. Older ROMs may use the ChainsDD Superuser package, which is not affected but is no longer maintained.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root binary which performs a number of privilege checks in order to determine whether the operation requested by the caller should be allowed. If any of these checks fail, the denial is recorded by broadcasting an intent to the Superuser app through the Android Activity Manager binary, /system/bin/am. /system/bin/am is invoked as root, and user-supplied arguments to the "su" command can be included on the "am" command line.

On a rooted Android >= 4.3 device, due to changes in Android's security model, /system/xbin/su functions as an unprivileged client which connects to a "su daemon" started early in the boot process. The client passes the request over a UNIX socket, and the daemon reads the caller's credentials using SO_PEERCRED. As described above, /system/bin/am is called (now from the daemon) to communicate with the app that implements the user interface.

If the user invokes "su -c 'COMMAND'" and the request is denied (or approved), ClockWorkMod Superuser constructs a command line to pass to a root shell:

Code:
    snprintf(user_result_command, sizeof(user_result_command), "exec /system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name '%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es command '%s' --es action %s --user %d",
        VERSION_CODE,
        ctx->from.name, ctx->to.name,
        ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
        policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);
get_command() would return "COMMAND", unescaped, through "/system/bin/sh -c". By adding shell metacharacters to the command, the root subshell can be tricked into running arbitrary command lines as root:

Code:
su -c "'&touch /data/abc;'"
Upon denial by the operator, "touch /data/abc" will be executed with root privileges. The Superuser variant of this problem is being tracked under CVE-2013-6769.

SuperSU prior to v1.69 removes quote and backslash characters from the string passed to /system/bin/sh, but backticks or $() can be used instead for the same effect:

Code:
su -c '`touch /data/abc`'
su -c '$(touch /data/abc)'
The SuperSU variant of this problem is being tracked under CVE-2013-6775.

ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied input on the /system/bin/am command line.


Superuser "su --daemon" vulnerability on Android >= 4.3

Current releases of the CyanogenMod/ClockWorkMod/Koush Superuser package may allow restricted local users to execute arbitrary commands as root in certain, non-default device configurations.

Android 4.3 introduced the concept of "restricted profiles," created through the Settings -> Users menu. A restricted profile can be configured to allow access to only a minimal set of applications, and has extremely limited abilities to change settings on the device. This is often used to enforce parental controls, or to protect shared devices set up in public places. The OS requires an unlock code to be entered in order to access the owner's profile to administer the system.

/system/xbin/su is a setuid root executable, and any user may invoke it in client mode ("su -c 'foo'" or just "su"), or in daemon mode ("su --daemon"). In either mode of operation, the user who invokes this program has the ability to manipulate its environment variables, file descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly other items. By adding new entries at the front of the PATH for commonly-executed root commands, then re-invoking "su --daemon", an attacker may be able to hijack legitimate root sessions subsequently started by other applications on the device.

"su --daemon" is normally started up very early in the boot process, as root, from /init.superuser.rc (CM) or from /system/etc/install-recovery.sh (other ROMs). The fact that unprivileged users are allowed to restart the daemon later, under EUID 0, appears to be an oversight.


Successful exploitation requires a number of conditions to be met:

- The attacker must have ADB shell access, e.g. over USB. This is disabled by default, and normally restricted to trusted ADB clients whose RSA key fingerprints have been accepted by the device administrator. Root access via ADB (i.e. Settings -> Developer Options -> Root access -> Apps and ADB) is not required. Note that ADB shell access is typically considered a security risk, even in the absence of this problem.

- The attacker must have a way to assume a non-shell (non-2000), suid-capable Linux UID in order to prevent /system/xbin/su from creating infinitely recursive connections to itself through the daemon client UID check in main(). One way to do this would involve uploading an app with the "debuggable" flag and using /system/bin/run-as to assume this UID. "adb install" can probably used for this purpose. However, due to a bug in Android 4.3's "run-as" implementation[1], this does not currently work. This bug was fixed in Android 4.4, so CM11 will probably be able to satisfy this requirement.

- The device owner must have granted root permissions to one or more applications via Superuser. The restricted profile does not need to be able to run this app from the launcher.

Sample exploit:

The restricted local user can reboot the tablet, run "adb shell" when the boot animation shows up, then invoke the following commands:

Code:
echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch /data/trojan.out\nexec $0 "$@"' > /data/local/tmp/trojan
chmod 755 /data/local/tmp/trojan
for x in id ls cp cat touch chmod chown iptables dmesg; do ln -s trojan /data/local/tmp/$x ; done
PATH=/data/local/tmp:$PATH setsid run-as.422 my.debuggable.package /system/xbin/su --daemon &
(Note the use of "run-as.422" as a proxy for a working Android 4.3 run-as binary, and the installation of "my.debuggable.package" with the debuggable flag set.)

At this point the USB cable may be disconnected.

The next time a root application successfully passes the Superuser check and invokes one of the trojaned shell commands, /data/local/tmp/trojan will be executed under UID 0.

An ideal candidate for exploitation is a package which runs privileged commands on boot, e.g. AdBlock Plus or AFWall+, as this allows for instant access. Another possibility is to hijack an app which the device's operator runs frequently, such as Titanium Backup.

Note that this can NOT be exploited by malicious applications, as zygote-spawned processes (apps) always access /system in nosuid mode[2] on Android 4.3+. The ADB shell was used as the attack vector as it is not subject to this restriction.

ChainsDD Superuser v3.1.3 does not have an Android 4.3+ client/server mode at all, and SuperSU aborts if an existing "daemonsu" instance is already bound to the abstract @"eu.chainfire.supersu" socket.

Proposed resolution: on Android 4.3 and higher, install all Superuser-related binaries with mode 0755 (setuid bit unset).

This problem is being tracked under CVE-2013-6770.

[1] https://code.google.com/p/android/is...etail?id=58373
[2] http://source.android.com/devices/te...cements43.html
The Following 20 Users Say Thank You to cernekee For This Useful Post: [ View ]
14th November 2013, 08:31 PM   |  #2  
SecUpwN's Avatar
Senior Member
Flag CLASSIFIED
Thanks Meter: 591
 
1,941 posts
Join Date:Joined: Jun 2012
Donate to Me
More
Did you report that to @Chainfire?
14th November 2013, 09:41 PM   |  #3  
OP Senior Member
Thanks Meter: 379
 
186 posts
Join Date:Joined: Jun 2013
Quote:
Originally Posted by SecUpwN

Did you report that to @Chainfire?

Yes, he's been very responsive.

I contacted all three developers last Saturday, and posted the advisory after there was enough public information available to deduce what the problems were.

In case you're curious, there's been some additional discussion about exploiting ChainsDD Superuser on BUGTRAQ.
Last edited by cernekee; 15th November 2013 at 06:32 AM.
The Following User Says Thank You to cernekee For This Useful Post: [ View ]
16th November 2013, 02:16 AM   |  #4  
milojoseph's Avatar
Senior Member
Flag Brooklyn
Thanks Meter: 214
 
531 posts
Join Date:Joined: Sep 2012
More
Is there a way we can patch this maybe using xposed framework
The Following User Says Thank You to milojoseph For This Useful Post: [ View ]
16th November 2013, 02:33 AM   |  #5  
OP Senior Member
Thanks Meter: 379
 
186 posts
Join Date:Joined: Jun 2013
Quote:
Originally Posted by milojoseph

Is there a way we can patch this

There are new releases of SuperSU and CWM Superuser posted:

https://play.google.com/store/apps/d....supersu&hl=en
http://forum.xda-developers.com/show....php?t=1538053

https://play.google.com/store/apps/d...uperuser&hl=en

I haven't seen any updates to ChainsDD Superuser, and AFAICT the project is no longer maintained.

Quote:

maybe using xposed framework

Xposed is useful for patching Java programs, but /system/xbin/su is compiled C code. So the techniques used by Xposed would not apply to this case.
16th November 2013, 09:27 AM   |  #6  
Chainfire's Avatar
Senior Moderator / Senior Recognized Developer - Where is my shirt?
Thanks Meter: 53,700
 
9,354 posts
Join Date:Joined: Oct 2007
Donate to Me
More
Quote:
Originally Posted by cernekee

Xposed is useful for patching Java programs, but /system/xbin/su is compiled C code. So the techniques used by Xposed would not apply to this case.

There's always Substrate, that can be used even for patching native code, but still in this case not applicable I guess.
The Following User Says Thank You to Chainfire For This Useful Post: [ View ]
18th February 2014, 03:56 PM   |  #7  
Junior Member
Thanks Meter: 0
 
5 posts
Join Date:Joined: Feb 2014
Where you able to find any patch to fix them?
3rd June 2014, 07:33 PM   |  #8  
bydyphil's Avatar
Junior Member
Flag Mertesheim
Thanks Meter: 0
 
12 posts
Join Date:Joined: May 2013
thank you for sharing ...

Post Reply Subscribe to Thread
Previous Thread Next Thread
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes