Android's KernelSU v0.5.7 Bug Allows Unauthorized Root Access to Applications
In a recent analysis published by Zimperium's zLabs, cybersecurity researchers have uncovered a vulnerability in the popular rooting framework KernelSU. This discovery underscores ongoing weaknesses in rooting and jailbreaking frameworks, which are often developed by independent developers without formal security oversight.
The vulnerability, present in KernelSU version 0.5.7, allows an attacker-controlled app to impersonate KernelSU's manager application and gain root access. The bypass works when the attacker's app runs before the legitimate manager, for example after a reboot. By arranging the order of its open file descriptors so that the legitimate manager's APK is encountered first, the attacker's app passes the signature check.
KernelSU, along with tools like APatch and SKRoot, typically gains root access through Android kernel patching. However, the lack of a formal security review process for KernelSU raises concerns about the security of its codebase. The project appears to be community-driven and discussed in forums like XDA Developers, with no mention of official security audits.
This vulnerability is not unique to KernelSU. Past examples include an APatch flaw that allowed any app to run privileged operations and Magisk's CVE-2024-48336, which let local apps impersonate Google Mobile Services to silently gain root access.
The attack can be triggered automatically by using the RECEIVE_BOOT_COMPLETED permission. Rooting frameworks generally use one of two authentication methods: password-based or package-based. KernelSU uses the package-based method, in which the kernel trusts the manager app's package name or signature.
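To make the file-descriptor issue and the package-based trust model concrete, here is an added toy model (not KernelSU's code, and not the project's actual fix) that places a check which trusts "the first open APK" beside one that binds the signature check to the package owning the calling UID. All package names, paths and certificate digests are constructed placeholders.

```python
# Added illustration, not KernelSU's code: a toy model of the manager-authentication
# weakness described above. All package names, paths and digests are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

MANAGER_PKG = "com.example.manager"           # placeholder for the manager's package
EXPECTED_DIGEST = "sha256:manager-cert-0001"  # placeholder for its signing-cert digest

@dataclass
class Apk:
    path: str
    package: str
    cert_digest: str

@dataclass
class Process:
    uid_package: str               # package that owns the calling UID (per package manager)
    open_fds: List[Optional[Apk]]  # open file descriptors in fd order; None = not an APK

MANAGER_APK = Apk("/data/app/manager/base.apk", MANAGER_PKG, EXPECTED_DIGEST)
EVIL_APK = Apk("/data/app/evil/base.apk", "com.example.evil", "sha256:evil-cert-ffff")
INSTALLED: Dict[str, Apk] = {a.package: a for a in (MANAGER_APK, EVIL_APK)}

def weak_check(proc: Process) -> bool:
    """Flawed: authenticate whichever APK appears first among the caller's open fds.
    Any process that opens the manager's (readable) APK before its own passes."""
    for fd in proc.open_fds:
        if fd is not None:
            return fd.cert_digest == EXPECTED_DIGEST
    return False

def hardened_check(proc: Process) -> bool:
    """Bind the check to the caller's identity: resolve the package owning the calling
    UID, then verify the signature of that package's APK. Open fds play no role."""
    if proc.uid_package != MANAGER_PKG:
        return False
    apk = INSTALLED.get(proc.uid_package)
    return apk is not None and apk.cert_digest == EXPECTED_DIGEST

# Constructed scenarios: the genuine manager, an app whose fd table has the manager's
# APK at a lower fd number than its own, and an ordinary app with only its own APK open.
LEGIT = Process(MANAGER_PKG, [None, None, None, MANAGER_APK])
IMPERSONATOR = Process("com.example.evil", [None, None, None, MANAGER_APK, EVIL_APK])
OTHER_APP = Process("com.example.evil", [None, None, None, EVIL_APK])

if __name__ == "__main__":
    for name, p in (("manager", LEGIT), ("impersonator", IMPERSONATOR), ("other app", OTHER_APP)):
        print(f"{name:13s} weak={weak_check(p)!s:5s} hardened={hardened_check(p)}")
```

The weak check accepts the impersonator purely because of fd ordering; the hardened check's outcome depends only on which package the calling UID belongs to, so what the caller has opened no longer matters.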
Zimperium noted that similar vulnerabilities are widespread in rooting frameworks. Missing or weak authentication between user apps and kernel modules, poor privilege isolation between apps and root-level functions, insecure communication channels, and overreliance on user-space input without validation are common issues. Timing constraints limit the attack, but it remains practical under realistic conditions.
The process involves hooking into key kernel functions to execute arbitrary code, which enables powerful management features but also creates dangerous attack surfaces. This highlights the need for improved security measures in rooting and jailbreaking frameworks.
The developers of KernelSU were not explicitly named in the available search results. It is crucial for developers to address these vulnerabilities promptly to protect users from potential threats. The analysis of this vulnerability was published by Zimperium's zLabs on Wednesday.