[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] The Android Superuser App
- To: Jann Horn <jannhorn@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] The Android Superuser App
- From: David Black <disclosure@xxxxxxx>
- Date: Thu, 16 Aug 2012 19:50:30 +1000
On 13 August 2012 05:47, Jann Horn <jannhorn@xxxxxxxxxxxxxx> wrote:
> Hello,
> on Android, everyone who wants to give apps root access to his phone uses the
> Superuser application by ChainsDD. However, from a security perspective, that
> might be a somewhat bad idea.
>
> First, it's not really Open Source anymore, so you can't easily check whether
> everything works the way it should. Well, there are two github repos, one for
> the "su" binary and one for the Superuser app, but the one for the app is
> outdated. In fact, if you choose to build the Superuser app from source, you
> will get a vulnerable system because it still contains a vuln that is fixed
> in the more recent binary releases.
>
> Also, there are open, known vulns that the author doesn't seem to care about.
> You might want to have a look at
> https://github.com/ChainsDD/Superuser/issues/52 - whenever you choose to
> update the "su" binary using the Superuser app, unsigned code will be
> downloaded over HTTP and installed as a setuid root program on your device.
> This bug report is a month old, no comment from the developer, not fixed yet.
> And finally, I've found another vuln that essentially lets apps gain root
> rights without asking the user, and I will release all details about it in
> two weeks.
/me not surprised.
--
David.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/