Vulnerability CVE-2013-6774


Published: 2014-03-31

Description:
Untrusted search path vulnerability in the ChainsDD Superuser package 3.1.3 for Android 4.2.x and earlier, CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android 4.2.x and earlier, and Chainfire SuperSU package before 1.69 for Android 4.2.x and earlier allows attackers to load an arbitrary .jar file and gain privileges via a crafted BOOTCLASSPATH environment variable for a /system/xbin/su process. NOTE: another researcher was unable to reproduce this with ChainsDD Superuser.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Android 4.2.x Superuser Unsanitized Environment
Kevin Cernekee
15.11.2013

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Koushik dutta -> Superuser 
Chainfire -> Supersu 
Androidsu -> Chainsdd superuser 

 References:
http://www.securityfocus.com/archive/1/529822
http://www.securityfocus.com/archive/1/529796

Copyright 2022, cxsecurity.com

 

Back to Top