CVE-2013-6770

Published Mar 31, 2014

Last updated 11 years ago

Overview

Description: The CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android 4.3 and 4.4 does not properly restrict the set of users who can execute /system/xbin/su with the --daemon option, which allows attackers to gain privileges by leveraging ADB shell access and a certain Linux UID, and then creating a Trojan horse script.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 2.0

Type: Primary
Base score: 7.6
Impact score: 10
Exploitability score: 4.9
Vector string: AV:N/AC:H/Au:N/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-264

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:koushik_dutta:superuser:1.0.2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "53FF3870-BA75-41B6-9110-07C68A1F3A81"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "A2467F65-A3B7-4E45-A9A5-E5A6EFD99D7B"
          },
          {
            "criteria": "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "98C32982-095C-4628-9958-118A3D3A9CAA"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

Overview

Risk scores

CVSS 2.0

Weaknesses

Social media

Configurations

References