An XDA member has published details of serious vulnerabilities in all three of the root packages commonly used to manage superuser access on Android devices. The developers have been contacted, and the two actively maintained projects are working on fixes. If you're running an older version, you'll want to get on the update train.

According to cernekee on XDA, the vulnerabilities let a malicious app obtain root access without going through the proper channels: you wouldn't see a prompt or notification at all, and the app could do its business in secret. Superuser from ChainsDD is no longer in development, but some folks are still using it. On Android 4.2 or lower (ChainsDD's su doesn't work at all on 4.3+), the setuid su binary runs several privilege checks to decide whether a request should be allowed, spawning helper processes as root along the way. There are two vulnerabilities here:

  • In ChainsDD's Superuser, /system/xbin/su does not set PATH to a known-good value before invoking /system/bin/am, so a malicious caller could trick am into executing a trojaned app_process binary.
  • Other environment variables can alter the behavior of the (moderately complex) subprocesses. For instance, a manipulated BOOTCLASSPATH causes a malicious .jar file to be loaded into the privileged Dalvik VM that am starts. All three Superuser implementations let the attacker supply Dalvik's BOOTCLASSPATH, so this one affects every package.

The only fix for ChainsDD's Superuser is to stop using it and switch to SuperSU, which has already been patched. Koush's Superuser is still affected, with a fix on the way. Both Koush's Superuser and SuperSU were also hit by further exploits in this round.

Koush's Superuser prior to 1.0.2.3 and SuperSU prior to v1.69 share two more vulnerabilities, one on Android 4.2 and lower and one on 4.3 and higher. Both abuse the way a failed privilege check is reported: the denial is broadcast to the Superuser app by running /system/bin/am as root, and the caller's own arguments to su end up on that root-privileged command line, where they were never supposed to be.

4.2 and older: /system/xbin/su is a setuid-root binary that performs a number of privilege checks to determine whether the operation requested by the caller should be allowed. If any of these checks fail, the denial is recorded by broadcasting an intent to the Superuser app through the Android Activity Manager binary, /system/bin/am. /system/bin/am is invoked as root, and user-supplied arguments to the "su" command can be included on the "am" command line.

4.3 and newer: because of changes in Android's security model, /system/xbin/su now functions as an unprivileged client that connects to an "su daemon" started early in the boot process. The client passes the request over a UNIX socket, and the daemon reads the caller's credentials with SO_PEERCRED. As above, /system/bin/am is invoked (now by the daemon, still as root) to communicate with the app that implements the user interface, so the same command-line exposure applies.
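Both root causes described on this page come down to how a setuid helper spawns its subprocesses: the caller's environment (PATH, BOOTCLASSPATH) reaches a root process, and the caller's arguments land on a root-run am command line. The following is an added example written for this article, not code from ChainsDD's Superuser, Koush's Superuser, SuperSU or cernekee's posts, showing the hardened pattern in C: a fixed environment with a known-good PATH and no BOOTCLASSPATH at all, and a fixed argv vector exec'd directly without a shell, with the caller's command confined to a single slot. The intent action name and the sample attacker environment are made up for illustration.

```c
/* Added example (not code from any Superuser project): how a setuid su-style
 * helper should launch a root subprocess such as /system/bin/am.
 * Two rules mirror the two problems described above:
 *   1. Never hand the caller's environment to the subprocess. Build a fresh
 *      envp with a fixed, known-good PATH and no BOOTCLASSPATH or LD_* at all.
 *   2. Never let caller-controlled text shape the command line. Use a fixed
 *      argv vector, exec it directly (no shell), and put the untrusted string
 *      in exactly one slot, as the value of one option.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical intent action for reporting a denied request to the UI app. */
#define DENIED_ACTION "com.example.superuser.DENIED"

/* Rule 1: the environment the subprocess gets. Nothing here comes from the caller. */
static const char *const CLEAN_ENV[] = {
    "PATH=/system/bin:/system/xbin",
    "ANDROID_ROOT=/system",
    "ANDROID_DATA=/data",
    NULL
};

/* Returns the value of NAME in a NULL-terminated envp, or NULL if absent. */
const char *env_lookup(const char *const *env, const char *name) {
    size_t nlen = strlen(name);
    for (size_t i = 0; env && env[i]; i++) {
        if (strncmp(env[i], name, nlen) == 0 && env[i][nlen] == '=')
            return env[i] + nlen + 1;
    }
    return NULL;
}

/* Rule 2: build argv for "am broadcast -a ACTION --es command USER_CMD".
 * USER_CMD occupies one fixed slot and is never parsed or quoted by a shell,
 * so option-like text inside it cannot become an extra am argument.
 * Returns argc, or -1 if out[] is too small (needs argc + 1 for the NULL). */
int build_denial_argv(const char *user_cmd, const char **out, size_t max) {
    const char *fixed[] = { "/system/bin/am", "broadcast", "-a", DENIED_ACTION, "--es", "command" };
    size_t nfixed = sizeof(fixed) / sizeof(fixed[0]);
    if (max < nfixed + 2) return -1;
    for (size_t i = 0; i < nfixed; i++) out[i] = fixed[i];
    out[nfixed] = user_cmd ? user_cmd : "";
    out[nfixed + 1] = NULL;
    return (int)(nfixed + 1);
}

/* Forks and execs am with the fixed argv and CLEAN_ENV. The vulnerable pattern is
 * execve(path, argv, environ) or system(), which hands the caller's PATH and
 * BOOTCLASSPATH to a root process. Returns am's exit status, or -1 on failure. */
int spawn_denial_broadcast(const char *user_cmd) {
    const char *argv[8];
    if (build_denial_argv(user_cmd, argv, 8) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], (char *const *)argv, (char *const *)CLEAN_ENV);
        _exit(127);                     /* exec failed; never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed attacker environment, as a malicious app might set it before calling su. */
    const char *const attacker_env[] = {
        "PATH=/data/local/tmp:/system/bin",
        "BOOTCLASSPATH=/data/local/tmp/evil.jar",
        NULL
    };
    printf("caller BOOTCLASSPATH:     %s\n", env_lookup(attacker_env, "BOOTCLASSPATH"));
    printf("subprocess BOOTCLASSPATH: %s\n", env_lookup(CLEAN_ENV, "BOOTCLASSPATH") ? "set" : "(none)");
    printf("subprocess PATH:          %s\n", env_lookup(CLEAN_ENV, "PATH"));

    /* Option-like text in the caller's command stays inside one argv slot. */
    const char *argv[8];
    int argc = build_denial_argv("id --es injected", argv, 8);
    for (int i = 0; i < argc; i++) printf("argv[%d] = %s\n", i, argv[i]);
    return 0;
}
```

The two fixes are independent: a clean environment alone still leaves the argument exposure, and a fixed argv alone still lets a trojaned app_process or a malicious BOOTCLASSPATH ride along. This example does not cover the SO_PEERCRED credential check or the restricted-profiles bug mentioned below; it only shows the subprocess-launch hardening.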

Koush's Superuser was also affected, prior to the new update, by one more vulnerability involving restricted profiles. It's a bit less dangerous because the attacker needs an ADB shell, for example over USB. It essentially hijacks a legitimate root command for malicious purposes. In any case, it's fixed.

To recap: Superuser from ChainsDD is old and busted, so don't use it. SuperSU appears to be fully patched as of v1.69, and Koush's Superuser is most of the way there, with one bug left to fix. Remember, this isn't an Android problem: it comes from components users install to gain root. Whatever you're running, make sure you're up to date, and check the XDA link for the full details along with code examples.

[XDA, +Koushik Dutta 1, 2 – Thanks, Kevin Cernekee]