Re: The Android Superuser App

[David Black <disclosure () d1b org>]

On 13 August 2012 05:47, Jann Horn <jannhorn () googlemail com> wrote:
> Hello,
> on Android, everyone who wants to give apps root access to his phone uses the
> Superuser application by ChainsDD. However, from a security perspective, that
> might be a somewhat bad idea.
>
> First, it's not really Open Source anymore, so you can't easily check whether
> everything works the way it should. Well, there are two github repos, one for
> the "su" binary and one for the Superuser app, but the one for the app is
> outdated. In fact, if you choose to build the Superuser app from source, you
> will get a vulnerable system because it still contains a vuln that is fixed
> in the more recent binary releases.
>
> Also, there are open, known vulns that the author doesn't seem to care about.
> You might want to have a look at
> https://github.com/ChainsDD/Superuser/issues/52 - whenever you choose to
> update the "su" binary using the Superuser app, unsigned code will be
> downloaded over HTTP and installed as a setuid root program on your device.
> This bug report is a month old, no comment from the developer, not fixed yet.
> And finally, I've found another vuln that essentially lets apps gain root
> rights without asking the user, and I will release all details about it in
> two weeks.

/me not surprised.


--
David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/