
Insecure owner/permission changes in init shell scripts (CVE-2013-6124)

Release Date:

February 19, 2014

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2014-00002-1

CVE ID(s):

CVE-2013-6124

Summary:

The following security vulnerabilities have been identified in QuIC-authored init scripts.

CVE-2013-6124: During the device start-up phase, several init shell scripts are executed with root privileges to configure various aspects of the system. During this process, standard toolchain commands such as chown or chmod are used, for example, to change the owner of the sensor settings file to the system user. Because these commands follow symbolic links (symlinks), an attacker with write access to these resources can conduct symlink attacks and thus, for example, change the owner of an arbitrary file to system. This flaw can be used, for example, to elevate privileges.

Access Vector: Local
Security Risk: Medium

Affected Versions:

All Android releases from CAF using the Linux kernel from the following heads: jb_*, kk_*, hummingbird, penguin, kitkat, redcloud

Patch:

We advise customers to apply the following patches:

Individual Patches

Note:
The changes provided by this advisory modify the toolchain commands chown and chmod, adding a new command-line option that makes these commands not follow symlinks. All QuIC-authored init shell scripts have been changed to make use of this option.
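The following C sketch is an added example, not the QuIC patch or code from this advisory: it shows the same no-follow behavior at the system-call level, refusing to change owner or mode when the final path component is a symlink. The function name `set_owner_mode_nofollow`, the `demo` scenario and its file names are constructed for illustration, and the demo reuses the file's current owner so it runs without root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example): set owner and mode on `path`, refusing
 * a symlink as the final component. Returns 0, or -1 with errno set.
 * Symlinks in parent directories are still resolved by open(). */
int set_owner_mode_nofollow(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    /* O_NOFOLLOW: open() fails (ELOOP on Linux) when `path` is a symlink. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    if (rc == 0 && !S_ISREG(st.st_mode)) {
        errno = EINVAL;              /* only plain files are expected here */
        rc = -1;
    }
    /* Act on the descriptor, so the object checked is the object changed. */
    if (rc == 0 && (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0))
        rc = -1;
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario: "settings" is a planted symlink to "victim".
 * modes[] records victim's permission bits after each step. */
int demo(int rc[2], mode_t modes[3])
{
    char dir[] = "/tmp/nofollowXXXXXX";
    struct stat st;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    int fd = open("victim", O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink("victim", "settings") != 0) return -1;
    if (chmod("victim", 0600) != 0 || stat("victim", &st) != 0) return -1;
    rc[0] = set_owner_mode_nofollow("settings", st.st_uid, st.st_gid, 0666);
    stat("victim", &st); modes[0] = st.st_mode & 0777;  /* refused: unchanged */
    if (chmod("settings", 0666) != 0) return -1;        /* chmod(2) follows links */
    stat("victim", &st); modes[1] = st.st_mode & 0777;
    rc[1] = set_owner_mode_nofollow("victim", st.st_uid, st.st_gid, 0640);
    stat("victim", &st); modes[2] = st.st_mode & 0777;
    unlink("settings"); unlink("victim");
    return (chdir("/") == 0 && rmdir(dir) == 0) ? 0 : -1;
}
```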

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks Jon Sawyer for reporting the related issues and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com