Date:    Fri, 26 Feb 1999 01:34:56 -0800
From:    William Deich <will@UCOLICK.ORG>
Subject: Buffer Overflow in Super (new)
To:      BUGTRAQ@NETSPACE.ORG

Sekure SDI (http://www.sekure.org) has either just announced or is about
to announce a new local root exploit, via a buffer overflow in super.  This
note is to announce that a fixed version (super v3.12.1) is now available at
	ftp.ucolick.org:/pub/users/will/super-3.12.1.tar.gz

This is the second buffer overflow problem in as many weeks, so I took
a hard look at what's gone wrong, and here's what I've done about it.

Clearly, it was a great mistake when super was "enhanced" to allow users to
    o  pass command-line options to super (to help people verify and debug
	their super.tab files),
    o  specify super.tab files (also for testing).
Either of these allows users to mount data-driven attacks on super.

The weakness created by these features has been fixed with
the following changes:

i) super now limits the length of each option passed to it (note that
    this is not the same as the ordinary limits super puts on arguments
    that it passes through to the commands invoked by super for the user);

ii) super now limits the total length of all options passed to it
    (again, this is separate from limiting the total length of arguments
    passed to commands invoked by super for the user);

iii) super ensures that all its option characters are from a limited set.

iv) When super is running in debug mode, it won't execute any commands, but
    it will process user-supplied super.tab files.  This opens potential
    security holes: malicious data could be passed in through a user-supplied
    super.tab file, just as the buffer overruns came in through command-line
    arguments.  Therefore, super no longer remains root while checking a
    user-supplied super.tab file; instead, it reverts to the caller's real
    uid and prints a large explanatory message.  (This does mean that certain
    checks cannot be done, since they require root.  The tradeoff for
    increased security is obviously worthwhile.)

In sum, items (i) and (ii) ensure that users can't create buffer overflows
from the command line.  Item (iii) is insurance that users can't
pass strings that might be confusing to super in some other, unanticipated
manner.  Item (iv) avoids buffer overflows from user-supplied super.tab
files.
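The four measures above map onto a small amount of code in a setuid program. The following is an added example written for this page, not super's own source: the limits (32 bytes per option, 100 bytes in total), the allowed-character set and the `-S` option name are hypothetical values chosen for illustration. `validate_options()` applies items (i) through (iii) before any option is parsed or copied into a fixed-size buffer, and `drop_to_real_uid()` applies item (iv) by shedding root and then verifying that the effective ids really changed, since a failed `setuid()` otherwise leaves the process silently privileged.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical limits chosen for this example; super's own numbers are not given in the post. */
#define MAX_OPT_LEN        32   /* item i:  longest single option accepted */
#define MAX_TOTAL_OPT_LEN  100  /* item ii: longest combined length of all options */

/* Item iii: the only characters an option string may contain (hypothetical set). */
static const char OPT_ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_./=";

enum opt_status {
    OPT_OK = 0,
    OPT_TOO_LONG = 1,        /* one option longer than MAX_OPT_LEN */
    OPT_TOTAL_TOO_LONG = 2,  /* all options together longer than MAX_TOTAL_OPT_LEN */
    OPT_BAD_CHAR = 3         /* a character outside OPT_ALLOWED */
};

/* Length of s, but never walks more than limit+1 bytes: returns limit+1 when s is longer than limit. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Validate argv[1..argc-1] before any option is parsed or copied into a fixed-size buffer. */
int validate_options(int argc, char *const argv[])
{
    size_t total = 0;
    for (int i = 1; i < argc; i++) {
        size_t len = bounded_len(argv[i], MAX_OPT_LEN);
        if (len > MAX_OPT_LEN)
            return OPT_TOO_LONG;
        total += len;
        if (total > MAX_TOTAL_OPT_LEN)
            return OPT_TOTAL_TOO_LONG;
        /* strspn gives the length of the leading run of allowed characters;
           if it is shorter than the option, a disallowed character is present. */
        if (strspn(argv[i], OPT_ALLOWED) != len)
            return OPT_BAD_CHAR;
    }
    return OPT_OK;
}

/* Item iv: become the caller's real uid/gid before reading a user-supplied super.tab.
   Drop the group first and then the user, and verify afterwards, because setuid()
   can fail and would otherwise leave root privilege silently in place. */
int drop_to_real_uid(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Stand-alone driver: "-S file" stands in for super's option that names a test super.tab. */
int main(int argc, char *argv[])
{
    int st = validate_options(argc, argv);
    if (st != OPT_OK) {
        fprintf(stderr, "super: command-line option rejected (reason %d)\n", st);
        return 2;
    }
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-S") == 0) {
            if (drop_to_real_uid() != 0) {
                perror("super: cannot drop privileges");
                return 2;
            }
            printf("checking %s as uid %u, not as root\n",
                   i + 1 < argc ? argv[i + 1] : "(no file given)", (unsigned)geteuid());
            return 0;
        }
    }
    printf("options accepted\n");
    return 0;
}
```

The length check deliberately uses a bounded scan rather than `strlen()`, so an over-long argument is rejected without ever being walked to its end, and the character check runs only after the length check has passed. The privilege drop returns an error rather than continuing when the effective ids do not match the real ids, which is the case the post's item (iv) is guarding against.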

With apologies for the inconvenience to all,

-Will
--
William Deich
UCO / Lick Observatory     |  Internet: will@ucolick.org
University of California   |  Phone: (831) 459-3913
Santa Cruz, CA  95064      |  Fax:   (831) 426-3115