Jump to content
Nytro

Android 4.2.x Superuser Shell Character Escape

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Android 4.2.x Superuser Shell Character Escape

Authored by Kevin Cernekee

Vulnerable releases of two common Android Superuser packages may allow malicious Android applications to execute arbitrary commands as root. These issues are due to a shell character escape vulnerability.

Vulnerable releases of two common Android Superuser packages may allow
malicious Android applications to execute arbitrary commands as root,
either without prompting the user or after the user has denied the
request:

 - CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
 - Chainfire SuperSU prior to v1.69

The majority of recent third-party ROMs include one of these packages.
 Older ROMs may use the ChainsDD Superuser package, which is not
affected but is no longer maintained.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed.  If any of these checks fail, the denial is recorded by
broadcasting an intent to the Superuser app through the Android
Activity Manager binary, /system/bin/am.  /system/bin/am is invoked as
root, and user-supplied arguments to the "su" command can be included
on the "am" command line.

On a rooted Android >= 4.3 device, due to changes in Android's
security model, /system/xbin/su functions as an unprivileged client
which connects to a "su daemon" started early in the boot process.
The client passes the request over a UNIX socket, and the daemon reads
the caller's credentials using SO_PEERCRED.  As described above,
/system/bin/am is called (now from the daemon) to communicate with the
app that implements the user interface.

If the user invokes "su -c 'COMMAND'" and the request is denied (or
approved), ClockWorkMod Superuser constructs a command line to pass to
a root shell:

    snprintf(user_result_command, sizeof(user_result_command), "exec
/system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name
'%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es
command '%s' --es action %s --user %d",
        VERSION_CODE,
        ctx->from.name, ctx->to.name,
        ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
        policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);

get_command() would return "COMMAND", unescaped, through
"/system/bin/sh -c".  By adding shell metacharacters to the command,
the root subshell can be tricked into running arbitrary command lines
as root:

    su -c "'&touch /data/abc;'"

Upon denial by the operator, "touch /data/abc" will be executed with
root privileges.  The Superuser variant of this problem is being
tracked under CVE-2013-6769.

SuperSU prior to v1.69 removes quote and backslash characters from the
string passed to /system/bin/sh, but backticks or $() can be used
instead for the same effect:

    su -c '`touch /data/abc`'
    su -c '$(touch /data/abc)'

The SuperSU variant of this problem is being tracked under CVE-2013-6775.

ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied
input on the /system/bin/am command line.

Sursa: Android 4.2.x Superuser Shell Character Escape ? Packet Storm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...