Insecure owner/permission changes in init shell scripts (CVE-2013-6124)

Release Date: 
February 19, 2014
Advisory ID: 
QCIR-2014-00002-1
Summary: 

The following security vulnerabilities have been identified in QuIC-authored init scripts.

CVE-2013-6124:
During the device start-up phase, several init shell scripts are executed with root privileges to configure various aspects of the system. During this process, standard toolchain commands such as chown or chmod are used to, e.g., change the owner of the sensor settings file to the system user. As these commands follow symbolic links (symlinks), an attacker with write access to these resources is able to conduct symlink attacks and thus change for example the owner of an arbitrary file to system. This flaw can be used to, e.g., elevate privileges.

AccessVector: local
Security Risk: medium
Vulnerability: CWE-61 (unix symbolic link following)

Affected versions:
All Android releases from CAF using the Linux kernel from the following heads:

  • jb_*
  • kk_*
  • hummingbird
  • penguin
  • kitkat
  • redcloud
Patch: 

We advise customers to apply the following patches:

Individual Patches

Note:
The changes provided by this advisory modify the toolchain commands chown and chown to introduce a new command line option to change the behavior of these commands to not follow symlinks. All QuIC-authored init shell scripts have been changed to make use of this option.

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks Jon Sawyer for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: 
security-advisory@quicinc.com