Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 10.0
CVE Id CVE-2013-6774
Last Modified 31 Mar 2014 03:04:13
Published 31 Mar 2014 10:58:57
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2013-6774

Summary

Untrusted search path vulnerability in the ChainsDD Superuser package 3.1.3 for Android 4.2.x and earlier, CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android 4.2.x and earlier, and Chainfire SuperSU package before 1.69 for Android 4.2.x and earlier allows attackers to load an arbitrary .jar file and gain privileges via a crafted BOOTCLASSPATH environment variable for a /system/xbin/su process. NOTE: another researcher was unable to reproduce this with ChainsDD Superuser.

Vulnerable Systems

Application

  • Androidsu Chainsdd Superuser 3.1.3

  • Chainfire Supersu 1.69

  • Koushik Dutta Superuser 1.0.2.1


References

BUGTRAQ - 20131114 Re: Superuser unsanitized environment vulnerability on Android <= 4.2.x

BUGTRAQ - 20131113 Superuser unsanitized environment vulnerability on Android <= 4.2.x


Last Updated: 27 May 2016 11:04:48