
Android's KernelSU v0.5.7 vulnerability enables rooted access for specific apps

Vulnerability in KernelSU 0.5.7 enables malicious actors to masquerade as the manager app and seize root privileges on Android devices

In a recent finding by Zimperium's zLabs researchers, a significant vulnerability has been uncovered in the KernelSU rooting framework. This flaw, if exploited, could create dangerous attack surfaces when powerful management features are enabled.

The vulnerability stems from a design flaw in authentication that allows an attacker to impersonate the manager application and obtain root access. KernelSU, a kernel-level root solution, has a growing community of advanced users focused on privacy and banking security; the independent developers behind it are not explicitly named in the available reports.

The latest version of KernelSU, 0.5.7, contained a security flaw discovered in mid-2023. The vulnerability can be exploited by manipulating file descriptor order so that the legitimate manager's APK is presented first, which bypasses KernelSU's signature check.

To exploit this vulnerability, the attacker's app must run before the legitimate manager, for example immediately after a reboot, which can be arranged by requesting the RECEIVE_BOOT_COMPLETED permission.
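As an added illustration that is not KernelSU's code, the following Python model contrasts a manager check that trusts the first APK found in file-descriptor order with a hardened check that only examines the APK the caller's code is actually loaded from; the signer values, paths, and the `code_apk` attribute (standing in for information the kernel derives from the process itself rather than from files the caller chose to open) are constructed assumptions.

```python
from dataclasses import dataclass

# Placeholder signer hash for the legitimate manager (constructed, not a real value).
MANAGER_SIGNER = "signer:manager-placeholder"


@dataclass(frozen=True)
class OpenFile:
    fd: int
    path: str
    signer: str  # signer hash of the APK, or "" for a non-APK file


@dataclass(frozen=True)
class Process:
    uid: int
    open_files: tuple  # files the process has open, with their fd numbers
    code_apk: str      # APK the process's code is loaded from (assumed not forgeable by the caller)


def vulnerable_is_manager(proc: Process) -> bool:
    """Model of the flawed check: the first .apk in fd order vouches for the caller."""
    for f in sorted(proc.open_files, key=lambda of: of.fd):
        if f.path.endswith(".apk"):
            return f.signer == MANAGER_SIGNER
    return False


def hardened_is_manager(proc: Process) -> bool:
    """Model of a stronger check: only the APK the caller's code comes from is examined,
    so opening someone else's APK earlier has no effect on the decision."""
    for f in proc.open_files:
        if f.path == proc.code_apk:
            return f.signer == MANAGER_SIGNER
    return False


# Constructed sample data: the real manager, and an impostor that opened the
# manager's APK on a lower fd than its own before asking for root.
MANAGER_APK = OpenFile(3, "/data/app/manager/base.apk", MANAGER_SIGNER)
ATTACKER_APK = OpenFile(4, "/data/app/attacker/base.apk", "signer:attacker-placeholder")

legit_manager = Process(uid=10042, open_files=(MANAGER_APK,), code_apk=MANAGER_APK.path)
impostor = Process(uid=10077, open_files=(MANAGER_APK, ATTACKER_APK), code_apk=ATTACKER_APK.path)

if __name__ == "__main__":
    for name, proc in (("manager", legit_manager), ("impostor", impostor)):
        print(name, "vulnerable:", vulnerable_is_manager(proc), "hardened:", hardened_is_manager(proc))
```

Running the block shows the impostor accepted by the fd-order check and rejected by the hardened one, while the genuine manager passes both.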

This latest finding highlights ongoing weaknesses in rooting and jailbreaking frameworks. Poor privilege isolation between apps and root-level functions, insecure communication channels, and overreliance on user-space input without validation are common issues in such frameworks. These frameworks are often built by independent developers without formal security oversight, leading to numerous critical vulnerabilities during their lifecycle.

Past examples include an APatch flaw that allowed any app to run privileged operations and Magisk's CVE-2024-48336, which let local apps impersonate Google Mobile Services to silently gain root access.

Timing constraints limit the attack, but it remains practical under realistic conditions. Users are advised to exercise caution when using rooting frameworks and to keep their systems updated to minimize the risk of exploitation.
