itscamp / superuser
Automatically exported from code.google.com/p/superuser
What steps will reproduce the problem?
1. Install superuser on a rooted Android phone
2. Open a shell and run 'su'
3. Note that you're asked if you want to give that app permission to run as super-user, but there is no password.
What is the expected output? What do you see instead?
I expect to be asked for a password before being granted su access. As it stands, this looks like it could be used by someone who got hold of my phone to, for example, get my Gmail password from the Gmail app.
Now I know that with physical access they could always flash the phone anyway, but this changes the attack from 'root the phone', including multiple restarts, to 'enter a few shell commands'.
The fix could be something as simple as enabling the lock screen (requiring the user to unlock the phone, even if the lock screen is not normally enabled) when bringing up the 'allow'/'deny' screen. That would add a password, but in a way that is relatively unobtrusive.
Original issue reported on code.google.com by [email protected] on 16 Jan 2010 at 9:18
I've attached a quick patch that makes some comments and discusses a number of security-related issues in the SuperuserActivity.java and SuperuserRequestActivity.java files.
Original issue reported on code.google.com by [email protected]
on 26 May 2010 at 5:05
Attachments:
This program seems to be written by idiots.
Reading the source makes me cry.
Is there a *secure* alternative to this tool?
Original issue reported on code.google.com by [email protected]
on 26 Mar 2011 at 11:48
It appears that the AndroidManifest.xml has debugging enabled. This should be disabled by default for security reasons.
Original issue reported on code.google.com by [email protected]
on 26 May 2010 at 3:29
Attachments:
su.c has a trivially exploitable bug on lines 65-66:

    char update[1024];
    sprintf(update, "update whitelist set count=%d where _id='%s';", count, argv[0]);

An attacker controls the size and values represented in argv[0]. When argv[0] is greater than 1024, this will cause an overflow condition. This might allow an attacker to execute arbitrary code.
This kind of stuff is all over su.c and is basically a nightmare.
Original issue reported on code.google.com by [email protected]
on 26 May 2010 at 3:57
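For comparison, an added example of a bounded replacement for the sprintf() call quoted in the report above (example code written here, not from the Superuser project). It assumes, hypothetically, that whitelist _id values are short identifiers made of letters, digits, '_' and '.', and rejects anything else before the statement is built.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the Superuser project: a bounded replacement
 * for the sprintf() call in the report. Assumption (hypothetical): whitelist
 * _id values are short identifiers drawn from [A-Za-z0-9_.]. */

#define UPDATE_MAX 1024   /* same buffer size as the original snippet */
#define ID_MAX 64         /* assumed upper bound for a whitelist id */

/* Returns 1 if id is non-empty, at most ID_MAX bytes, and contains only
 * characters that cannot terminate the quoted SQL literal; otherwise 0. */
int valid_app_id(const char *id)
{
    size_t n = 0;
    for (; id[n] != '\0'; n++) {
        char c = id[n];
        if (n >= ID_MAX) return 0;                 /* too long */
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
              (c >= 'A' && c <= 'Z') || c == '_' || c == '.'))
            return 0;                              /* disallowed byte */
    }
    return n > 0;
}

/* Builds the UPDATE statement into out[outlen]. Returns 0 on success, -1 if
 * id is rejected, -2 if the text would not fit. snprintf() never writes past
 * outlen, so an over-long id can no longer overflow the buffer. */
int build_update_query(char *out, size_t outlen, int count, const char *id)
{
    if (outlen == 0) return -2;
    if (!valid_app_id(id)) { out[0] = '\0'; return -1; }
    int n = snprintf(out, outlen,
                     "update whitelist set count=%d where _id='%s';", count, id);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return -2; }
    return 0;
}

int main(void)
{
    char update[UPDATE_MAX];
    char overlong[2048];                           /* constructed input */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("%d\n", build_update_query(update, sizeof update, 1, "10042"));   /* 0 */
    printf("%d\n", build_update_query(update, sizeof update, 1, overlong));  /* -1 */
    printf("%d\n", build_update_query(update, sizeof update, 1, "10042'"));  /* -1 */
    return 0;
}
```

Bounding the buffer removes the overflow; binding the id as a query parameter through the database API, rather than formatting it into the SQL text at all, is the more robust fix.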
I've attached a quick code review that includes a dozen security issues.
Almost all of these bugs allow any other application on the phone to gain
root privileges without user interaction.
Original issue reported on code.google.com by [email protected]
on 26 May 2010 at 4:20
Attachments:
When I am prompted to allow an application to access su, if I press the back button, the following error appears:
ERROR/Database: Leak found
Stacktrace from LogCat attached
Original issue reported on code.google.com by [email protected]
on 17 Feb 2009 at 4:51
Attachments: