Buffer Overflow in Super (new)

From: William Deich (willat_private)
Date: Fri Feb 26 1999 - 01:34:56 PST


    Sekure SDI (http://www.sekure.org) has either just announced or is about
    to announce a new local root exploit, via a buffer overflow in super.  This
    note is to announce that a fixed version (super v3.12.1) is now available at
        ftp.ucolick.org:/pub/users/will/super-3.12.1.tar.gz
    
    This is the second buffer overflow problem in as many weeks, so I took
    a hard look at what's gone wrong, and here's what I've done about it.
    
    Clearly, it was a great mistake when super was "enhanced" to allow users to
        o  pass command-line options to super (to help people verify and debug
           their super.tab files),
        o  specify super.tab files (also for testing).
    Either of these allows users to make data-driven attacks on super.
    
    The weakness created by these features has been fixed with
    the following changes:
    
    i) super now limits the length of each option passed to it (note that
        this is not the same as the ordinary limits super puts on arguments
        that it passes through to the commands invoked by super for the user);
    
    ii) super now limits the total length of all options passed to it
        (again, this is separate from limiting the total length of arguments
        passed to commands invoked by super for the user);
    
    iii) super ensures that all its option characters are from a limited set.
    
    iv) When super is running in debug mode, it won't execute any commands, but
        it will process user-supplied super.tab files.  This makes potential
        security holes, because it might be possible that nasty data can be
        passed through a user-supplied super.tab file, just like there were
        buffer-overruns from command-line arguments.  Therefore, super no longer
        remains as root when checking a user-supplied super.tab file; instead,
        it reverts to the caller's real uid, and prints a large explanatory message.
        (This does mean that certain checks cannot be done without being root.
        The tradeoff for increased security is obviously worthwhile.)
    
    In sum, items (i) and (ii) ensure that users can't create buffer overflows
    from the command line.  Item (iii) is insurance that users can't
    pass strings that might be confusing to super in some other, unanticipated
    manner.  Item (iv) avoids buffer overflows from user-supplied super.tab
    files.
    
    With apologies for the inconvenience to all,
    
    -Will
    --
    William Deich
    UCO / Lick Observatory     |  Internet: willat_private
    University of California   |  Phone: (831) 459-3913
    Santa Cruz, CA  95064      |  Fax:   (831) 426-3115
    