Created
March 25, 2015 02:02
Android Security issue [#1093611178] UID reuse, reported 14.08.12
Android reuses UIDs, and IMO, it shouldn't do that, at least not without having rebooted once.
Reasons:
- the deinstallation process doesn't kill all processes with the UID of the app, and neither does
the installation process - therefore, an app can gain higher privileges by tricking the user
into uninstalling it and then installing another app with higher privileges
- there are app-writable filesystems which aren't protected against suid executables, so an app
could drop a suid-shell in one of those filesystems and thereby allow other malicious apps to
obtain full access to whatever app will be the next one to get assigned the uid (all filesystems
without nosuid, except for rootfs, seem to be temporary, so a reboot should wipe all suid executables)
There are four billion possible UIDs, right? Doesn't seem like it's necessary to reuse them.
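
An audit check for the second reason in the report, added here as an example and not part of the original report: it parses mount-table text in `/proc/mounts` format and lists read-write mounts that lack `nosuid`, marking whether each is memory-backed and therefore emptied by a reboot. The sample table, mount point names and function names are constructed for illustration.

```python
# Added example: list read-write mounts that still honour setuid bits.
# SAMPLE_MOUNTS is constructed for illustration, not captured from a device.
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/block/example1 /system ext4 ro,relatime 0 0
/dev/block/example2 /data ext4 rw,nosuid,nodev,noatime 0 0
tmpfs /mnt/scratch_a tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/scratch_b tmpfs rw,relatime,mode=755,gid=1000 0 0
/dev/fuse /mnt/shared fuse rw,nosuid,nodev,relatime 0 0
"""

# Filesystem types that live in memory, so their contents do not survive a reboot.
VOLATILE_FSTYPES = {"tmpfs", "ramfs"}


def unescape(field):
    """Decode the octal escapes the kernel uses in /proc/mounts fields."""
    for code, char in (("\\040", " "), ("\\011", "\t"),
                       ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(code, char)
    return field


def suid_capable_mounts(mounts_text, skip_fstypes=("rootfs",)):
    """Return (mountpoint, fstype, volatile) for rw mounts without nosuid.

    "rw" only means the filesystem is mounted read-write. Whether a given
    app UID can create files there depends on directory permissions, which
    this check does not inspect.
    """
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line
        _device, mountpoint, fstype, options = parts[:4]
        if fstype in skip_fstypes:
            continue  # the report treats rootfs as a separate case
        opts = set(options.split(","))
        if "rw" in opts and "nosuid" not in opts:
            findings.append((unescape(mountpoint), fstype,
                             fstype in VOLATILE_FSTYPES))
    return findings


if __name__ == "__main__":
    for mountpoint, fstype, volatile in suid_capable_mounts(SAMPLE_MOUNTS):
        kind = "cleared by reboot" if volatile else "persists across reboot"
        print(f"{mountpoint} ({fstype}): rw without nosuid, {kind}")
```

Any entry reported as persisting across a reboot falls outside the report's assumption that a reboot wipes all suid executables.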