An XDA member recently unveiled serious vulnerabilities in all three root packages used to gain superuser access on devices. The developers have been contacted, and the two active projects are working to address the issues. If you're running an older version, you might want to get on the update train.

According to cernekee on XDA, the vulnerabilities allow a malicious app to obtain root access without going through the proper channels. You wouldn't see a notification at all – the app could just do its business in secret. Superuser from ChainsDD is no longer in development, but some folks are still using it. On Android 4.2 or lower (ChainsDD SU doesn't work at all on 4.3+), the root package runs several privilege checks to determine if an operation should be allowed. There are two vulnerabilities here:

  • On ClockWorkMod Superuser, /system/xbin/su does not set PATH to a known-good value, so a malicious user could trick /system/bin/am into using a trojaned app_process binary.
  • Other environment variables could be used to affect the behavior of the (moderately complex) subprocesses. For instance, manipulation of BOOTCLASSPATH could cause a malicious .jar file to be loaded into the privileged Dalvik VM instance. All three Superuser implementations allowed Dalvik's BOOTCLASSPATH to be supplied by the attacker.
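
The hardening both bullets point to, as an added example (not code from any of the Superuser projects): a privileged helper builds the environment for the subprocess it launches from known-good values and an allowlist, instead of inheriting the caller's. The PATH and BOOTCLASSPATH values, the pass-through list and the function name are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed known-good values (shortened); never taken from the caller. */
static const char *const TRUSTED[] = {
    "PATH=/system/bin:/system/xbin",
    "BOOTCLASSPATH=/system/framework/core.jar",
    NULL
};
/* Names passed through verbatim: they do not steer binary or class loading. */
static const char *const PASS[] = { "TERM", "LANG", NULL };

/* True if `entry` is a NAME=value string whose NAME equals `name`. */
static int name_is(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Fill `out` with the child's environment: trusted entries first, then
 * allowlisted caller entries. Returns how many caller entries were dropped,
 * or -1 if `out` (capacity `cap`, including the NULL) is too small. */
int build_child_env(char *const inherited[], const char *out[], size_t cap) {
    size_t n = 0;
    int dropped = 0;
    for (size_t i = 0; TRUSTED[i]; i++) {
        if (n + 1 >= cap) return -1;
        out[n++] = TRUSTED[i];
    }
    for (size_t i = 0; inherited && inherited[i]; i++) {
        int keep = 0;
        for (size_t j = 0; PASS[j] && !keep; j++)
            keep = name_is(inherited[i], PASS[j]);
        if (!keep) { dropped++; continue; }   /* caller's PATH etc. never survive */
        if (n + 1 >= cap) return -1;
        out[n++] = inherited[i];
    }
    out[n] = NULL;
    return dropped;
}

int main(void) {
    /* Constructed caller environment, as an untrusted app might present it. */
    char *caller[] = { "PATH=/data/local/tmp", "BOOTCLASSPATH=/data/local/tmp/x.jar",
                       "LD_LIBRARY_PATH=/data/local/tmp", "TERM=xterm", NULL };
    const char *env[8];
    printf("dropped %d caller entries\n", build_child_env(caller, env, 8));
    for (size_t i = 0; env[i]; i++) puts(env[i]);
    return 0; /* a real helper would now exec /system/bin/am by absolute path with env */
}
```

Starting from an empty environment and adding back only what is needed also covers loader variables the article does not name, such as the LD_LIBRARY_PATH entry in the sample input.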

The only fix for this is to stop using Superuser from ChainsDD and go to SuperSU (already patched). Koush's Superuser is still affected, but is going to be fixed soon. However, Koush's Superuser and SuperSU were subject to some other exploits in this most recent round.

In Koush's Superuser prior to and SuperSU prior to v1.69 there are two vulnerabilities, one for Android 4.2 and lower, and one for 4.3 and higher. Both rely upon exploiting the broadcasting of failure notifications from privilege checks. An "su" command can be slipped in where it's not supposed to be.

4.2 and older: /system/xbin/su is a setuid root binary which performs a number of privilege checks in order to determine whether the operation requested by the caller should be allowed. If any of these checks fail, the denial is recorded by broadcasting an intent to the Superuser app through the Android Activity Manager binary, /system/bin/am. /system/bin/am is invoked as root, and user-supplied arguments to the "su" command can be included on the "am" command line.

4.3 and newer: due to changes in Android's security model, /system/xbin/su functions as an unprivileged client which connects to a "su daemon" started early in the boot process. The client passes the request over a UNIX socket, and the daemon reads the caller's credentials using SO_PEERCRED. As described above, /system/bin/am is called (now from the daemon) to communicate with the app that implements the user interface.

Koush's Superuser was also affected by one more vulnerability prior to the new update that exploited restricted profiles. It's a bit less dangerous because the attacker must have ADB shell access, over USB for example. This essentially hijacks a legitimate root command for malicious purposes. At any rate, it's fixed.

To recap, Superuser from ChainsDD is old and busted – don't use it. SuperSU appears to have been patched in v1.69, and Koush's Superuser is most of the way there, with just one bug left to fix. Remember, this isn't an Android problem – this is coming from components being installed by users to gain root. Whatever you're running, you should probably make sure you're up to date. Also make sure to check the XDA link for the full details along with code examples.

[XDA, +Koushik Dutta 1, 2 – Thanks, Kevin Cernekee]

Ryan Whitwam

  • James Passmore

    Thanks. Good info. I've already updated my phone but I've got a lot of old root tools for older phones that I am sure use ChainsDD. I was wondering what the whole story was when I saw the update.

    • Simon Belmont

      I think my old HTC Hero and T-Mobile G1 still have ChainsDD super on them. That's about it.

      Every other device that I have, that has root, I use SuperSU or the built in superuser (CM). Cheers.

  • Smithers_Jones

    "Remember, this isn't an Android problem". Won't stop the scumbag media sites jumping all over it. Ars, TheRegister, Engadget are the usual candidates.

    • Tomáš Petrík

      Ars Technica with former AP's Ron Amadeo? Wouldn't say so...

      • Smithers_Jones

        Sadly the same site that had that total jeb end Ben Kuracha. Never read such openly biased paid for crap. Guess that's why they booted him out, he single-handedly destroyed Ars Technica's credibility.

        • z0phi3l

          It's gotten better but like most "Tech" sites they fawn all over every detail about Apple products and shit all over Google and Android, they're slightly less blatant than before

          • Cerberus_tm

            I find some of Ron's articles on Ars well written and critical of Google. Better than the rest: more knowledgeable and less fawning, certainly more so than Ars's Apple reviewers. I have to say some articles on Android Police also drool all over very minor interface tweaks. And the short game introductions are too positive and almost devoid of relevant information, especially in the first two sentences (genre? similar to?).

  • grandautotheft5

    I switched to SuperSU a long time ago... it's a lot better

    • Arthur Dent


      *serious question

    • Simon Belmont

      I switched to SuperSU well over a year ago, yeah. I wanted something that was continuing to be maintained, and the old superuser app just wasn't.

      And it's something like this that proves that a maintained app is good to have. Long abandoned ones can't get the security updates.

  • didibus

    Is su also this vulnerable in the linux world? Like in distros like Ubuntu and Debian, is it common to find sudo exploits where apps can gain superuser permissions without the user requesting it?

    • h4rr4r

      Not really no.

    • Ian Santopietro

      Ubuntu doesn't use su. sudo always requires a password.

      su on Android never does.

      • Alan Shearer

        Maybe su on Android should require one always, or at least have the option.

  • Dart

    What about the super user built into CM? Is that affected?

    Great coverage on this. Thanks AP.

    • deceksb

      The app used for cm is the same as koush's superuser but is completely integrated into the system. They said that they are already working on it.

      • squiddy20

        I've always wondered, does that get updated in the background, or is it completely dependent on what nightly/M release/RC/stable version you are running? I've never seen a prompt for an update, or a notification letting me know it has been updated.

        • Simon Belmont

          It's likely updated along with a flash of a new ROM because it's integrated into the system. I don't think it gets updated independently.

          So, once Koush has his super user fixed, it'll be added to the CM ROMs through AOSP, I assume. Hope this helps.

          • ltredbeard

            If this is true then the benefits of baking it into the ROM are negated by not being able to independently update it and its binaries, right?

          • Cerberus_tm

            It appears so. Would there be a way to use Koush's superuser application from the Play Store on CM? Then we'd have to disable the built-in one?

          • ltredbeard

            If I remember correctly, you can disable it and use a superuser of your choice.

          • Cerberus_tm

            Hmm any idea how to do that?

          • ltredbeard

            Isn't there an option under settings< superuser? I'm on stock 4.4 right now so I can't check.

          • Cerberus_tm

            There's "Superuser access", which can be set to "disabled". Would that do the trick? Would you then be able to install Koush's Superuser and ignore the built-in one? Somehow that seems doubtful...


    An update was just released today for CWM SuperUser, maybe that addresses it.

  • http://404err0r.com/ Henry Park

    Okay... so deciding to unroot and return to stock had a bit more advantage than I had previously thought...

  • https://plus.google.com/+TroyLeonard Troy Leonard

    That's why I haven't rooted my N5 yet and don't plan to. No need and more secure unrooted.

    • brandon johnson

      Not necessarily. Elevated privileges are the way to go. Granted, leaving an exploited root open does leave you vulnerable, but generally speaking, there is not as huge a risk as some attention-grabbing headlines might suggest.

      • Ano

        To me an unrooted Android is unworkable also. I would even pay more for a device with a simple root-unroot switch if that was possible. On stock Android among others Xposed and Greenify are very necessary to get control over the ever growing bloatware of Google. The better battery time in my case is ridiculous on all devices. Not to mention the need of AdAway, OTG 'read and write', Titanium, etc.

        • Ano

          Forgot to mention. Simply removing apps from System/Apps and reinstalling as normal apps breaks OTA support. Ever growing Google bloat is starting to annoy me more and more

        • Cerberus_tm

          Question: which Google applications do you Greenify, and what are the results (any disadvantages? I'd really like to keep instant synch and stuff). And Greenifying which applications in particular gave you much better battery life? And which ROM do you use?

        • https://plus.google.com/+TroyLeonard Troy Leonard

          I have a Nexus 5 so my phone doesn't have any real blow on it therefore I don't need to read it to remove anything like that it works just fine the way it is that's why I bought a Nexus

  • brek

    My version of superuser seems built into my ROM (ViperXL). How can I tell if it is vulnerable?