An XDA member recently unveiled serious vulnerabilities in all three root packages used to gain superuser access on devices. The developers have been contacted, and the two active projects are working to address the issues. If you're running an older version, you might want to get on the update train.
According to cernekee on XDA, the vulnerabilities allow for a malicious app to obtain root access without going through the proper channels. You wouldn't see a notification at all – the app could just do its business in secret. Superuser from ChainsDD is no longer in development, but some folks are still using it. On Android 4.2 or lower (ChainsDD SU doesn't work at all on 4.3+), the root package runs several privilege checks to determine if an operation should be allowed. There are two vulnerabilities here:
Source : Android Police
- On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a known-good value, so a malicious user could trick /system/bin/am into using a trojaned app_process binary
- Other environment variables could be used to affect the behavior of the (moderately complex) subprocesses. For instance, manipulation of BOOTCLASSPATH could cause a malicious .jar file to be loaded into the privileged Dalvik VM instance. All three Superuser implementations allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker. (this one affected all three packages)
No comments