kornan / superuser Goto Github PK

View Code? Open in Web Editor NEW

0.0 0.0 0.0 17 KB

Automatically exported from code.google.com/p/superuser

Java 73.64% Makefile 2.51% C 23.85%

superuser's People

Contributors

Watchers

superuser's Issues

No password protection on superuser

What steps will reproduce the problem?
1. Install superuser on a rooted android phone
2. Open a shell and run 'su'
3. Note that you're asked if you want to give that app permission to run as 
super-user, but there 
is no password.

What is the expected output? What do you see instead?

I expect to be asked for a password before being granted su access.  As it 
stands, this looks like 
it could be used by someone who got hold of my phone to, for example, get my 
gmail password 
from the gmail app.

Now I know that with physical access they could always flash the phone anyway, 
but this changes 
the attack from 'root the phone', including multiple restarts, to 'enter a few 
shell commands'.

The fix could be something as simple as enabling the lock screen (requiring the 
user the unlock 
the phone, even if the lock screen is not normally enabled) when bringing up 
the 'allow'/'deny' 
screen.  That would add a password, but in a way that is relatively unobtrusive.

Original issue reported on code.google.com by [email protected] on 16 Jan 2010 at 9:18

overflow in su.c

su.c has a trivially exploitable bug on lines 65-66:

char update[1024];
sprintf(update, "update whitelist set count=%d where _id='%s';", count,
argv[0]);

An attacker controls the size and values representing in argv[0]. When
argv[0] is greater than 1024, this will cause an overflow condition. This
might allow an attacker to execute arbitrary code.

This kind of stuff is all over su.c and is basically a nightmare.

Original issue reported on code.google.com by [email protected] on 26 May 2010 at 3:57

Alternative to superuser?

This programm seems to be written by idiots.
Reading the source makes me crying.
Is there an *secure* alternative to this tool?

Original issue reported on code.google.com by [email protected] on 26 Mar 2011 at 11:48

A bunch of bugs in su.c

I've attached a quick code review that includes a dozen security issues. 

Almost all of these bugs allow any other application on the phone to gain
root privileges without user interaction.

Original issue reported on code.google.com by [email protected] on 26 May 2010 at 4:20

Attachments:

su.patch

debugging is enabled in AndroidManifest.xml

It appears that the AndroidManifest.xml has debugging enabled. This should
be disabled by default for security reasons.

Original issue reported on code.google.com by [email protected] on 26 May 2010 at 3:29

Attachments:

AndroidManifest.patch

Some java code review and other security issues

I've attached a quick patch that makes some comments and discusses a number
of security related issues in the SuperuserActivity.java and
SuperuserRequestActivity.java files.

Original issue reported on code.google.com by [email protected] on 26 May 2010 at 5:05

Attachments:

code-review.patch

ERROR/Database: Leak found

When I am prompted to allow an application to access su, if I press the
back button, the following error appears
ERROR/Database: Leak found

Stacktrace from LogCat attached

Original issue reported on code.google.com by [email protected] on 17 Feb 2009 at 4:51

Attachments:

stacktrace.txt

kornan / superuser Goto Github PK

superuser's People

Contributors

Watchers

superuser's Issues

No password protection on superuser

overflow in su.c

Alternative to superuser?

A bunch of bugs in su.c

debugging is enabled in AndroidManifest.xml

Some java code review and other security issues

ERROR/Database: Leak found

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent