Full Disclosure mailing list archives
Re: The Android Superuser App
From: David Black <disclosure () d1b org>
Date: Thu, 16 Aug 2012 19:50:30 +1000
On 13 August 2012 05:47, Jann Horn <jannhorn () googlemail com> wrote:
> Hello,
>
> on Android, everyone who wants to give apps root access to his phone uses the Superuser application by ChainsDD. However, from a security perspective, that might be a somewhat bad idea.
>
> First, it's not really Open Source anymore, so you can't easily check whether everything works the way it should. Well, there are two github repos, one for the "su" binary and one for the Superuser app, but the one for the app is outdated. In fact, if you choose to build the Superuser app from source, you will get a vulnerable system because it still contains a vuln that is fixed in the more recent binary releases.
>
> Also, there are open, known vulns that the author doesn't seem to care about. You might want to have a look at https://github.com/ChainsDD/Superuser/issues/52 - whenever you choose to update the "su" binary using the Superuser app, unsigned code will be downloaded over HTTP and installed as a setuid root program on your device. This bug report is a month old, no comment from the developer, not fixed yet.
>
> And finally, I've found another vuln that essentially lets apps gain root rights without asking the user, and I will release all details about it in two weeks.
/me not surprised.

--
David.