Superuser "su --daemon" vulnerability on Android >= 4.3

2013-11-1800:00:00

vulners.com

Current releases of the CyanogenMod/ClockWorkMod/Koush Superuser
package may allow restricted local users to execute arbitrary commands
as root in certain, non-default device configurations.

Android 4.3 introduced the concept of "restricted profiles," created
through the Settings -> Users menu. A restricted profile can be
configured to allow access to only a minimal set of applications, and
has extremely limited abilities to change settings on the device.
This is often used to enforce parental controls, or to protect shared
devices set up in public places. The OS requires an unlock code to be
entered in order to access the owner's profile to administer the
system.

/system/xbin/su is a setuid root executable, and any user may invoke
it in client mode ("su -c 'foo'" or just "su"), or in daemon mode ("su
–daemon"). In either mode of operation, the user who invokes this
program has the ability to manipulate its environment variables, file
descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly
other items. By adding new entries at the front of the PATH for
commonly-executed root commands, then re-invoking "su --daemon", an
attacker may be able to hijack legitimate root sessions subsequently
started by other applications on the device.

"su --daemon" is normally started up very early in the boot process,
as root, from /init.superuser.rc (CM) or from
/system/etc/install-recovery.sh (other ROMs). The fact that
unprivileged users are allowed to restart the daemon later, under EUID
0, appears to be an oversight.

Successful exploitation requires a number of conditions to be met:

The attacker must have ADB shell access, e.g. over USB. This is
disabled by default, and normally restricted to trusted ADB clients
whose RSA key fingerprints have been accepted by the device
administrator. Root access via ADB (i.e. Settings -> Developer
Options -> Root access -> Apps and ADB) is not required. Note that
ADB shell access is typically considered a security risk, even in the
absence of this problem.
The attacker must have a way to assume a non-shell (non-2000),
suid-capable Linux UID in order to prevent /system/xbin/su from
creating infinitely recursive connections to itself through the daemon
client UID check in main(). One way to do this would involve
uploading an app with the "debuggable" flag and using
/system/bin/run-as to assume this UID. "adb install" can probably
used for this purpose. However, due to a bug in Android 4.3's
"run-as" implementation[1], this does not currently work. This bug
was fixed in Android 4.4, so CM11 will probably be able to satisfy
this requirement.
The device owner must have granted root permissions to one or more
applications via Superuser. The restricted profile does not need to
be able to run this app from the launcher.

Sample exploit:

The restricted local user can reboot the tablet, run "adb shell" when
the boot animation shows up, then invoke the following commands:

echo -e &#39;#!/system/bin/sh&#92;nexport PATH=/system/bin:$PATH&#92;ntouch

/data/trojan.out\nexec $0 "$@"' > /data/local/tmp/trojan
chmod 755 /data/local/tmp/trojan
for x in id ls cp cat touch chmod chown iptables dmesg; do ln -s
trojan /data/local/tmp/$x ; done
PATH=/data/local/tmp:$PATH setsid run-as.422 my.debuggable.package
/system/xbin/su --daemon &

(Note the use of "run-as.422" as a proxy for a working Android 4.3
run-as binary, and the installation of "my.debuggable.package" with
the debuggable flag set.)

At this point the USB cable may be disconnected.

The next time a root application successfully passes the Superuser
check and invokes one of the trojaned shell commands,
/data/local/tmp/trojan will be executed under UID 0.

An ideal candidate for exploitation is a package which runs privileged
commands on boot, e.g. AdBlock Plus or AFWall+, as this allows for
instant access. Another possibility is to hijack an app which the
device's operator runs frequently, such as Titanium Backup.

Note that this can NOT be exploited by malicious applications, as
zygote-spawned processes (apps) always access /system in nosuid
mode[2] on Android 4.3+. The ADB shell was used as the attack vector
as it is not subject to this restriction.

ChainsDD Superuser v3.1.3 does not have an Android 4.3+ client/server
mode at all, and SuperSU aborts if an existing "daemonsu" instance is
already bound to the abstract @"eu.chainfire.supersu" socket.

Proposed resolution: on Android 4.3 and higher, install all
Superuser-related binaries with mode 0755 (setuid bit unset).

This problem is being tracked under CVE-2013-6770.

[1] https://code.google.com/p/android/issues/detail?id=58373
[2] http://source.android.com/devices/tech/security/enhancements43.html