Android Superuser shell character escape vulnerability

From: Kevin Cernekee <>
Subject: Android Superuser shell character escape vulnerability

Vulnerable releases of two common Android Superuser packages may allow
malicious Android applications to execute arbitrary commands as root,
either without prompting the user or after the user has denied the

 - CyanogenMod/ClockWorkMod/Koush Superuser (current releases,
including v1.0.2.1)
 - Chainfire SuperSU prior to v1.69

The majority of recent third-party ROMs include one of these packages.
 Older ROMs may use the ChainsDD Superuser package, which is not
affected but is no longer maintained.

On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root
binary which performs a number of privilege checks in order to
determine whether the operation requested by the caller should be
allowed.  If any of these checks fail, the denial is recorded by
broadcasting an intent to the Superuser app through the Android
Activity Manager binary, /system/bin/am.  /system/bin/am is invoked as
root, and user-supplied arguments to the "su" command can be included
on the "am" command line.

On a rooted Android >= 4.3 device, due to changes in Android's
security model, /system/xbin/su functions as an unprivileged client
which connects to a "su daemon" started early in the boot process.
The client passes the request over a UNIX socket, and the daemon reads
the caller's credentials using SO_PEERCRED.  As described above,
/system/bin/am is called (now from the daemon) to communicate with the
app that implements the user interface.

If the user invokes "su -c 'COMMAND'" and the request is denied (or
approved), ClockWorkMod Superuser constructs a command line to pass to
a root shell:

    snprintf(user_result_command, sizeof(user_result_command), "exec
/system/bin/am " ACTION_RESULT " --ei binary_version %d --es from_name
'%s' --es desired_name '%s' --ei uid %d --ei desired_uid %d --es
command '%s' --es action %s --user %d",
        ctx->, ctx->,
        ctx->from.uid, ctx->to.uid, get_command(&ctx->to),
        policy == ALLOW ? "allow" : "deny", ctx->user.android_user_id);

get_command() would return "COMMAND", unescaped, through
"/system/bin/sh -c".  By adding shell metacharacters to the command,
the root subshell can be tricked into running arbitrary command lines
as root:

    su -c "'&touch /data/abc;'"

Upon denial by the operator, "touch /data/abc" will be executed with
root privileges.  The Superuser variant of this problem is being
tracked under CVE-2013-6769.

SuperSU prior to v1.69 removes quote and backslash characters from the
string passed to /system/bin/sh, but backticks or $() can be used
instead for the same effect:

    su -c '`touch /data/abc`'
    su -c '$(touch /data/abc)'

The SuperSU variant of this problem is being tracked under CVE-2013-6775.

ChainsDD Superuser v3.1.3 does not appear to pass the user-supplied
input on the /system/bin/am command line.

Copyright © 1995-2020 All rights reserved.