> -----Original Message-----
> From: CIAC Mail User [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, February 19, 1999 4:13 PM
> To: [EMAIL PROTECTED]
> Subject: CIAC Bulletin J-031: Debian Linux "Super" package Buffer Overflow
>
> [ For Public Release ]
> -----BEGIN PGP SIGNED MESSAGE-----
>
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Debian Linux "Super" package Buffer Overflow
>
> February 16, 1999 19:00 GMT                                    Number J-031
> ______________________________________________________________________________
> PROBLEM:       Internet Security Systems (ISS) X-Force has discovered a
>                vulnerability in the system administration utility, "Super".
> PLATFORM:      All versions of Super distributed with Debian Linux. Can be
>                installed and configured for many Unix variants.
> DAMAGE:        If exploited, this vulnerability could lead to a root
>                compromise.
> SOLUTION:      Until Super version 3.11.7 is available, apply the fix listed
>                below.
> ______________________________________________________________________________
> VULNERABILITY  Risk is high since this vulnerability could lead to a root
> ASSESSMENT:    compromise.
> ______________________________________________________________________________
>
> [ Start ISS Security Advisory ]
>
> ISS Security Advisory
> February 15, 1999
>
> Buffer Overflow in "Super" package in Debian Linux
>
> Synopsis:
>
> Internet Security Systems (ISS) X-Force has discovered a vulnerability in
> the system administration utility, "Super". Super is used by
> administrators to allow certain users to execute commands with root
> privileges. The vulnerability is distributed with Debian Linux. It may
> allow local attackers to compromise root access. Super is a GNU
> copylefted package that is distributed with recent Debian Linux
> distributions, but it can be installed and configured for many Unix
> variants.
>
> Affected versions:
>
> ISS X-Force has determined that version 3.9.6 through version 3.11.6 are
> vulnerable. All versions of Super distributed with Debian Linux are
> vulnerable. Execute the following command to determine version
> information:
>
>     # /usr/bin/super -V
>
> Fix Information:
>
> The main distribution point for the Super package:
>     ftp.ucolick.org:/pub/users/will/
>
> Mirror:
>     ftp.onshore.com:/pub/mirror/software/super
>
>     super-3.11.7.tar.gz      full source code for 3.11.7
>     super-3.11.6.patch1      patches overflow in 3.11.6
>     super-3.11.6-3.11.7      patch to change 3.11.6 to 3.11.7
>
> Please refer to these locations for fixes which will be included in
> Super version 3.11.7.
>
> Description:
>
> Super is a utility that allows authorized users to execute commands with
> root privileges. It is intended to be an alternate to setuid scripts,
> which are inherently dangerous. A buffer overflow exists in Super that
> may allow attackers to take advantage of its setuid configuration to gain
> root access.
>
> Recommended Action:
>
> Version 3.11.7 should be installed as soon as it is available.
> Administrators should take care to disable setuid root utilities that are
> not used by regular users. To disable Super permanently, execute the
> following command as root to disable the setuid bit:
>
>     # chmod 755 /usr/bin/super
>
> __________
>
> Copyright (c) 1999 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of X-Force. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please e-mail
> [EMAIL PROTECTED] for permission.
>
> Disclaimer:
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are NO warranties with regard to this information. In no event shall the
> author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
>
> X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html,
> as well as on MIT's PGP key server and PGP.com's key server.
>
> X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
>
> Please send suggestions, updates, and comments to: X-Force
> <[EMAIL PROTECTED]> of Internet Security Systems, Inc.
>
> [ End ISS Security Advisory ]
> ______________________________________________________________________________
>
> CIAC wishes to acknowledge the contributions of Internet Security Systems
> for the information contained in this bulletin.
> ______________________________________________________________________________
>
> CIAC, the Computer Incident Advisory Capability, is the computer
> security incident response team for the U.S. Department of Energy
> (DOE) and the emergency backup response team for the National
> Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
> National Laboratory in Livermore, California. CIAC is also a founding
> member of FIRST, the Forum of Incident Response and Security Teams, a
> global organization established to foster cooperation and coordination
> among computer security teams worldwide.
>
> CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
> can be contacted at:
>     Voice:    +1 925-422-8193
>     FAX:      +1 925-423-8002
>     STU-III:  +1 925-423-2604
>     E-mail:   [EMAIL PROTECTED]
>
> For emergencies and off-hour assistance, DOE, DOE contractor sites,
> and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
> 8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
> or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
> Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
> duty person, and the secondary PIN number, 8550074 is for the CIAC
> Project Leader.
>
> Previous CIAC notices, anti-virus software, and other information are
> available from the CIAC Computer Security Archive.
>
>     World Wide Web:  http://www.ciac.org/
>                      (or http://ciac.llnl.gov -- they're the same machine)
>     Anonymous FTP:   ftp.ciac.org
>                      (or ciac.llnl.gov -- they're the same machine)
>     Modem access:    +1 (925) 423-4753 (28.8K baud)
>                      +1 (925) 423-3331 (28.8K baud)
>
> CIAC has several self-subscribing mailing lists for electronic
> publications:
> 1. CIAC-BULLETIN for Advisories, highest priority - time critical
>    information and Bulletins, important computer security information;
> 2. SPI-ANNOUNCE for official news about Security Profile Inspector
>    (SPI) software updates, new features, distribution and
>    availability;
> 3. SPI-NOTES, for discussion of problems and solutions regarding the
>    use of SPI products.
>
> Our mailing lists are managed by a public domain software package
> called Majordomo, which ignores E-mail header subject lines. To
> subscribe (add yourself) to one of our mailing lists, send the
> following request as the E-mail message body, substituting
> ciac-bulletin, spi-announce OR spi-notes for list-name:
>
> E-mail to [EMAIL PROTECTED] or [EMAIL PROTECTED]:
>     subscribe list-name
>     e.g., subscribe ciac-bulletin
>
> You will receive an acknowledgment email immediately with a confirmation
> that you will need to mail back to the addresses above, as per the
> instructions in the email. This is a partial protection to make sure
> you are really the one who asked to be signed up for the list in question.
>
> If you include the word 'help' in the body of an email to the above
> address, it will also send back an information file on how to
> subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc.
>
> PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
> communities receive CIAC bulletins. If you are not part of these
> communities, please contact your agency's response team to report
> incidents. Your agency's team will coordinate with CIAC. The Forum of
> Incident Response and Security Teams (FIRST) is a world-wide
> organization. A list of FIRST member organizations and their
> constituencies can be obtained via WWW at http://www.first.org/.
>
> This document was prepared as an account of work sponsored by an
> agency of the United States Government. Neither the United States
> Government nor the University of California nor any of their
> employees, makes any warranty, express or implied, or assumes any
> legal liability or responsibility for the accuracy, completeness, or
> usefulness of any information, apparatus, product, or process
> disclosed, or represents that its use would not infringe privately
> owned rights. Reference herein to any specific commercial products,
> process, or service by trade name, trademark, manufacturer, or
> otherwise, does not necessarily constitute or imply its endorsement,
> recommendation or favoring by the United States Government or the
> University of California. The views and opinions of authors expressed
> herein do not necessarily state or reflect those of the United States
> Government or the University of California, and shall not be used for
> advertising or product endorsement purposes.
>
> LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
> J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
> J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
> J-023: Cisco IOS Syslog Denial-of-Service Vulnerability
> J-024: Windows NT Remote Explorer
> J-025: W97M.Footprint Macro Virus Detected
> J-026: HP-UX rpc.pcnfsd Vulnerability
> J-027: Digital Unix Vulnerabilities ( at , inc )
> J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
> J-029: Buffer Overflows in Various FTP Servers
> J-030: Microsoft BackOffice Vulnerability
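An added defender-side check, written for this bulletin and not part of the CIAC or ISS text: it applies the two actions the advisory gives, comparing the version reported by `super -V` against the affected range 3.9.6 through 3.11.6 and reporting whether the setuid bit is still set after the recommended `chmod 755`. It assumes `super -V` prints the version as a dotted number somewhere in its output, since the bulletin does not show the output format.

```shell
#!/bin/sh
# Added example, not part of the CIAC/ISS bulletin: apply the advisory's two
# checks to an installed super binary. Assumes "super -V" prints its version
# as a dotted number somewhere in its output (assumption, format not given).

# vercmp A B: print lt, eq or gt comparing two dotted version strings.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        if [ "$ah" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=""; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then echo lt; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo gt; return 0; fi
    done
    echo eq
}

# super_affected VERSION: true when VERSION falls in the range the advisory
# names, 3.9.6 through 3.11.6 inclusive.
super_affected() {
    [ "$(vercmp "$1" 3.9.6)" != lt ] && [ "$(vercmp "$1" 3.11.6)" != gt ]
}

# is_setuid PATH: true when the setuid bit is still set on PATH.
is_setuid() {
    [ -u "$1" ]
}

# installed_super_version BIN: first dotted number printed by "BIN -V".
installed_super_version() {
    "$1" -V 2>&1 | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# check_super BIN: one-line report; exits 0 regardless so it can run in cron.
check_super() {
    bin="${1:-/usr/bin/super}"
    if [ ! -x "$bin" ]; then echo "$bin: not installed"; return 0; fi
    ver=$(installed_super_version "$bin")
    if [ -z "$ver" ]; then status="version unknown, verify manually"
    elif super_affected "$ver"; then status="AFFECTED (3.9.6-3.11.6)"
    else status="not in affected range"; fi
    if is_setuid "$bin"; then suid="setuid bit set"; else suid="setuid bit cleared"; fi
    echo "$bin ${ver:-?}: $status; $suid"
}

check_super "$@"
```

Run it as root with no arguments to check `/usr/bin/super`, or pass another path; a host reporting "AFFECTED" together with "setuid bit set" has neither of the advisory's remedies applied.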
