Date: Fri, 26 Feb 1999 01:34:56 -0800
From: William Deich <will@UCOLICK.ORG>
Subject: Buffer Overflow in Super (new)
To: BUGTRAQ@NETSPACE.ORG

Sekure SDI (http://www.sekure.org) has either just announced or is about to
announce a new local root exploit, via a buffer overflow in super.

This note is to announce that a fixed version (super v3.12.1) is now
available at

    ftp.ucolick.org:/pub/users/will/super-3.12.1.tar.gz

This is the second buffer overflow problem in as many weeks, so I took a
hard look at what's gone wrong, and here's what I've done about it.

Clearly, it was a great mistake when super was "enhanced" to allow users to

    o pass command-line options to super (to help people verify and debug
      their super.tab files),

    o specify super.tab files (also for testing).

Either of these allow users to make data-driven attacks on super. The
weakness created by these features has been fixed with the following
changes:

    i)   super now limits the length of each option passed to it (note that
         this is not the same as the ordinary limits super puts on arguments
         that it passes through to the commands invoked by super for the
         user);

    ii)  super now limits the total length of all options passed to it
         (again, this is separate from limiting the total length of
         arguments passed to commands invoked by super for the user);

    iii) super ensures that all its option characters are from a limited
         set.

    iv)  When super is running in debug mode, it won't execute any
         commands, but it will process user-supplied super.tab files. This
         makes potential security holes, because it might be possible that
         nasty data can be passed through a user-supplied super.tab file,
         just like there were buffer-overruns from command-line arguments.
         Therefore, super no longer remains as root when checking a
         user-supplied super.tab file; instead, it reverts to the caller's
         real uid, and prints a large explanatory message. (This does mean
         that certain checks cannot be done without being root. The
         tradeoff for increased security is obviously worthwhile.)

In sum, items (i) and (ii) ensure that users can't create buffer overflows
from the command line. Item (iii) is insurance that users can't pass
strings that might be confusing to super in some other, unanticipated
manner. Item (iv) avoids buffer overflows from user-supplied super.tab
files.

With apologies for the inconvenience to all,

-Will

--
William Deich              UCO / Lick Observatory   | Internet: will@ucolick.org
                           University of California | Phone: (831) 459-3913
                           Santa Cruz, CA 95064     | Fax: (831) 426-3115