-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
     Security Advisory                                               CERT-NL
===============================================================================
Author/Source : Jan Meijer                             Index    : S-99-07
Distribution  : World                                  Page     : 1
Classification: External                               Version  : 1
Subject       : Debian Linux "Super" package Buffer Overflow
Date          : 23-Feb-99
===============================================================================

By courtesy of The U.S. Department of Energy Computer Incident Advisory
Capability we received information on a vulnerability in the system
administration utility "Super", distributed with Debian Linux. Super can
also be installed and configured on many other Unix variants. If exploited,
this vulnerability could lead to a root compromise.

CERT-NL recommends applying the fix listed below until Super version 3.11.7
is available.

===============================================================================

[ Start ISS Security Advisory ]

ISS Security Advisory
February 15, 1999

Buffer Overflow in "Super" package in Debian Linux

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability in the
system administration utility, "Super". Super is used by administrators to
allow certain users to execute commands with root privileges. The
vulnerability is distributed with Debian Linux. It may allow local attackers
to compromise root access.

Super is a GNU copylefted package that is distributed with recent Debian Linux
distributions, but it can be installed and configured for many Unix variants.

Affected versions:

ISS X-Force has determined that versions 3.9.6 through 3.11.6 are vulnerable.
All versions of Super distributed with Debian Linux are vulnerable.
Execute the following command to determine version information:

  # /usr/bin/super -V

Fix Information:

The main distribution point for the Super package:

  ftp.ucolick.org:/pub/users/will/

Mirror:

  ftp.onshore.com:/pub/mirror/software/super

  super-3.11.7.tar.gz      full source code for 3.11.7
  super-3.11.6.patch1      patches overflow in 3.11.6
  super-3.11.6-3.11.7      patch to change 3.11.6 to 3.11.7

Please refer to these locations for fixes which will be included in Super
version 3.11.7.

Description:

Super is a utility that allows authorized users to execute commands with root
privileges. It is intended to be an alternate to setuid scripts, which are
inherently dangerous. A buffer overflow exists in Super that may allow
attackers to take advantage of its setuid configuration to gain root access.

Recommended Action:

Version 3.11.7 should be installed as soon as it is available. Administrators
should take care to disable setuid root utilities that are not used by regular
users. To disable Super permanently, execute the following command as root to
disable the setuid bit:

  # chmod 755 /usr/bin/super

__________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
X-Force. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's
own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
as well as on MIT's PGP key server and PGP.com's key server.

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.

[ End ISS Security Advisory ]

===============================================================================

CERT-NL wishes to thank The U.S. Department of Energy Computer Incident
Advisory Capability for bringing this information to our attention

===============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl          ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305             BUSINESS HOURS ONLY
Fax:       +31 302 305 329             BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

EMERGENCIES (within NL): 06 52 87 92 82       ATTENDED AT ALL TIMES
EMERGENCIES            : +31 6 52 87 92 82    ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
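The version check and the setuid removal from the ISS text above, worked into one small POSIX shell script. This is an added example and is not part of the CERT-NL or ISS advisory: it assumes that "super -V" prints a banner containing a dotted version number (the advisory does not show the banner format), and it falls back to a constructed sample banner when no /usr/bin/super is installed so that it runs on any machine.

```shell
#!/bin/sh
# Added example, not part of the CERT-NL/ISS advisory. Checks an installed
# Super against the affected range 3.9.6 .. 3.11.6 named above and reports
# whether /usr/bin/super still carries the setuid bit that the advisory
# says to clear with "chmod 755".

# vercmp A B: compare two purely numeric dotted versions; prints -1, 0 or 1.
# Missing trailing components count as 0, so 3.11 == 3.11.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# super_version_vulnerable V: true (exit 0) when 3.9.6 <= V <= 3.11.6,
# the affected range stated by ISS X-Force.
super_version_vulnerable() {
    [ "$(vercmp "$1" 3.9.6)" -ge 0 ] && [ "$(vercmp "$1" 3.11.6)" -le 0 ]
}

# version_from_banner TEXT: first whitespace-separated token that looks like
# a dotted version (digits and dots only). Assumption: "super -V" prints such
# a token; the real banner format is not given in the advisory.
version_from_banner() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit } }'
}

# is_setuid FILE: true when the setuid bit is set (POSIX "test -u").
is_setuid() {
    [ -u "$1" ]
}

# Stand-alone use: query the installed binary when present, otherwise use a
# constructed sample banner so the script also runs on a machine without Super.
SUPER=/usr/bin/super
if [ -x "$SUPER" ]; then
    banner=$("$SUPER" -V 2>&1)
else
    banner='super version 3.11.6 (constructed sample banner)'
fi
ver=$(version_from_banner "$banner")
printf 'Super version: %s\n' "${ver:-unknown}"
if [ -n "$ver" ] && super_version_vulnerable "$ver"; then
    printf 'VULNERABLE: in the affected range 3.9.6 .. 3.11.6\n'
else
    printf 'not in the affected range\n'
fi
if [ -e "$SUPER" ]; then
    if is_setuid "$SUPER"; then
        printf '%s is setuid; as root run: chmod 755 %s\n' "$SUPER" "$SUPER"
    else
        printf '%s is not setuid\n' "$SUPER"
    fi
fi
```

The range test deliberately compares components numerically rather than as strings, since a string comparison would order 3.9.6 after 3.11.6. Clearing the setuid bit as the advisory recommends removes the local root path, but it also stops Super from doing its job of delegating privileged commands, so it is the interim measure until 3.11.7 is installed, not a substitute for the upgrade.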
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAwUBNtO/OfE6s6q7Tf4RAQGGKwP/T2wYMcVS26NBgJR4MgdgvJFQYYCW6m1Y
h5T4pgikGevllnIj19bsVvQNEwpCZ6qaTk7gZYTSFCyty78bfUVc+T3dwYD2PRKT
vMa9rWfSfP7GK0xYBuFkos/r50LU+doAI86aSaX833YZYUejEHfrVp2XANvmuDea
vuIOsiCJlZA=
=3i2v
-----END PGP SIGNATURE-----