CVE-2013-6774
First published: Sun Mar 30 2014(Updated: )
Untrusted search path vulnerability in the ChainsDD Superuser package 3.1.3 for Android 4.2.x and earlier, CyanogenMod/ClockWorkMod/Koush Superuser package 1.0.2.1 for Android 4.2.x and earlier, and Chainfire SuperSU package before 1.69 for Android 4.2.x and earlier allows attackers to load an arbitrary .jar file and gain privileges via a crafted BOOTCLASSPATH environment variable for a /system/xbin/su process. NOTE: another researcher was unable to reproduce this with ChainsDD Superuser.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Chainfire SuperSU | =1.69 | |
| Android | =1.0 | |
| Android | =1.1 | |
| Android | =1.5 | |
| Android | =1.6 | |
| Android | =2.0 | |
| Android | =2.0.1 | |
| Android | =2.1 | |
| Android | =2.2 | |
| Android | =2.2-rev1 | |
| Android | =2.2.1 | |
| Android | =2.2.2 | |
| Android | =2.2.3 | |
| Android | =2.3 | |
| Android | =2.3-rev1 | |
| Android | =2.3.1 | |
| Android | =2.3.2 | |
| Android | =2.3.3 | |
| Android | =2.3.4 | |
| Android | =2.3.5 | |
| Android | =2.3.6 | |
| Android | =2.3.7 | |
| Android | =3.0 | |
| Android | =3.1 | |
| Android | =3.2 | |
| Android | =3.2.1 | |
| Android | =3.2.2 | |
| Android | =3.2.4 | |
| Android | =3.2.6 | |
| Android | =4.0 | |
| Android | =4.0.1 | |
| Android | =4.0.2 | |
| Android | =4.0.3 | |
| Android | =4.0.4 | |
| Android | =4.1 | |
| Android | =4.1.2 | |
| Android | =4.2 | |
| Android | =4.2.1 | |
| Android | =4.2.2 | |
| Superuser | =3.1.3 | |
| Superuser | =1.0.2.1 | |
| All of | ||
| Chainfire SuperSU | =1.69 | |
| Any of | ||
| Android | =1.0 | |
| Android | =1.1 | |
| Android | =1.5 | |
| Android | =1.6 | |
| Android | =2.0 | |
| Android | =2.0.1 | |
| Android | =2.1 | |
| Android | =2.2 | |
| Android | =2.2-rev1 | |
| Android | =2.2.1 | |
| Android | =2.2.2 | |
| Android | =2.2.3 | |
| Android | =2.3 | |
| Android | =2.3-rev1 | |
| Android | =2.3.1 | |
| Android | =2.3.2 | |
| Android | =2.3.3 | |
| Android | =2.3.4 | |
| Android | =2.3.5 | |
| Android | =2.3.6 | |
| Android | =2.3.7 | |
| Android | =3.0 | |
| Android | =3.1 | |
| Android | =3.2 | |
| Android | =3.2.1 | |
| Android | =3.2.2 | |
| Android | =3.2.4 | |
| Android | =3.2.6 | |
| Android | =4.0 | |
| Android | =4.0.1 | |
| Android | =4.0.2 | |
| Android | =4.0.3 | |
| Android | =4.0.4 | |
| Android | =4.1 | |
| Android | =4.1.2 | |
| Android | =4.2 | |
| Android | =4.2.1 | |
| Android | =4.2.2 | |
| All of | ||
| Superuser | =3.1.3 | |
| Any of | ||
| Android | =1.0 | |
| Android | =1.1 | |
| Android | =1.5 | |
| Android | =1.6 | |
| Android | =2.0 | |
| Android | =2.0.1 | |
| Android | =2.1 | |
| Android | =2.2 | |
| Android | =2.2-rev1 | |
| Android | =2.2.1 | |
| Android | =2.2.2 | |
| Android | =2.2.3 | |
| Android | =2.3 | |
| Android | =2.3-rev1 | |
| Android | =2.3.1 | |
| Android | =2.3.2 | |
| Android | =2.3.3 | |
| Android | =2.3.4 | |
| Android | =2.3.5 | |
| Android | =2.3.6 | |
| Android | =2.3.7 | |
| Android | =3.0 | |
| Android | =3.1 | |
| Android | =3.2 | |
| Android | =3.2.1 | |
| Android | =3.2.2 | |
| Android | =3.2.4 | |
| Android | =3.2.6 | |
| Android | =4.0 | |
| Android | =4.0.1 | |
| Android | =4.0.2 | |
| Android | =4.0.3 | |
| Android | =4.0.4 | |
| Android | =4.1 | |
| Android | =4.1.2 | |
| Android | =4.2 | |
| Android | =4.2.1 | |
| Android | =4.2.2 | |
| All of | ||
| Superuser | =1.0.2.1 | |
| Any of | ||
| Android | =1.0 | |
| Android | =1.1 | |
| Android | =1.5 | |
| Android | =1.6 | |
| Android | =2.0 | |
| Android | =2.0.1 | |
| Android | =2.1 | |
| Android | =2.2 | |
| Android | =2.2-rev1 | |
| Android | =2.2.1 | |
| Android | =2.2.2 | |
| Android | =2.2.3 | |
| Android | =2.3 | |
| Android | =2.3-rev1 | |
| Android | =2.3.1 | |
| Android | =2.3.2 | |
| Android | =2.3.3 | |
| Android | =2.3.4 | |
| Android | =2.3.5 | |
| Android | =2.3.6 | |
| Android | =2.3.7 | |
| Android | =3.0 | |
| Android | =3.1 | |
| Android | =3.2 | |
| Android | =3.2.1 | |
| Android | =3.2.2 | |
| Android | =3.2.4 | |
| Android | =3.2.6 | |
| Android | =4.0 | |
| Android | =4.0.1 | |
| Android | =4.0.2 | |
| Android | =4.0.3 | |
| Android | =4.0.4 | |
| Android | =4.1 | |
| Android | =4.1.2 | |
| Android | =4.2 | |
| Android | =4.2.1 | |
| Android | =4.2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2013-6774?
CVE-2013-6774 is classified as a moderate severity vulnerability due to its potential for exploitation via untrusted search paths.
How do I fix CVE-2013-6774?
To fix CVE-2013-6774, update the affected ChainsDD Superuser package to version 3.1.4 or later and ensure that all Android applications are from trusted sources.
What versions of software are affected by CVE-2013-6774?
CVE-2013-6774 affects ChainsDD Superuser package version 3.1.3, Koushik Dutta Superuser version 1.0.2.1, and Chainfire SuperSU versions before 1.69 for Android 4.2.x and earlier.
Can CVE-2013-6774 be exploited remotely?
No, CVE-2013-6774 typically requires local access to the device to exploit the untrusted search path vulnerability.
What are the potential impacts of CVE-2013-6774?
The potential impacts of CVE-2013-6774 include unauthorized code execution and privilege escalation on the affected Android devices.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/chainfire
- canonical/chainfire supersu
- version/chainfire supersu/1.69
- vendor/google
- canonical/android
- version/android/1.0
- version/android/1.1
- version/android/1.5
- version/android/1.6
- version/android/2.0
- version/android/2.0.1
- version/android/2.1
- version/android/2.2
- version/android/2.2-rev1
- version/android/2.2.1
- version/android/2.2.2
- version/android/2.2.3
- version/android/2.3
- version/android/2.3-rev1
- version/android/2.3.1
- version/android/2.3.2
- version/android/2.3.3
- version/android/2.3.4
- version/android/2.3.5
- version/android/2.3.6
- version/android/2.3.7
- version/android/3.0
- version/android/3.1
- version/android/3.2
- version/android/3.2.1
- version/android/3.2.2
- version/android/3.2.4
- version/android/3.2.6
- version/android/4.0
- version/android/4.0.1
- version/android/4.0.2
- version/android/4.0.3
- version/android/4.0.4
- version/android/4.1
- version/android/4.1.2
- version/android/4.2
- version/android/4.2.1
- version/android/4.2.2
- vendor/androidsu
- canonical/superuser
- version/superuser/3.1.3
- vendor/koushik dutta
- version/superuser/1.0.2.1