COMMAND
super
SYSTEMS AFFECTED
Debian Linux (others?) running super version 3.9.6 through version 3.11.6
PROBLEM
Internet Security Systems has discovered a vulnerability in the
system administration utility, "Super". Super is used by
administrators to allow certain users to execute commands with
root privileges. The affected package is distributed with Debian
Linux. The vulnerability may allow local attackers to gain root access.
Super is a GNU copylefted package that is distributed with recent
Debian Linux distributions, but it can be installed and configured
for many Unix variants. It is intended to be an alternative to
setuid scripts, which are inherently dangerous. A buffer overflow
exists in Super that may allow attackers to take advantage of its
setuid configuration to gain root access.
According to William Deich, super v3.9.6 - v3.11.6 contains two
known buffer overflow problems. The specific problem demonstrated
by ISS to gain local root access was not introduced until _after_
3.9.6, but all versions in that range had one problem or the
other. (In the usual manner of buffer overflows, the exploit is
almost trivial if you know what to attack).
SOLUTION
Super 3.11.9 is available at:
ftp.ucolick.org:/pub/users/will/super-3.11.9.tar.gz
The new version of Super will be available soon on the mirror:
ftp.onshore.com:/pub/mirror/software/super
Please refer to these locations for the fixes, which are included in
Super version 3.11.7. In the meantime, remove the setuid bit:
# chmod 755 /usr/bin/super
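The chmod above removes the setuid bit so that a local user can no longer reach root through the overflow. As an added example (not part of the ISS advisory or the super package), the script below checks whether a binary still carries the setuid bit using the POSIX `test -u` operator, clears only that bit with `chmod u-s`, and verifies the result; the path is taken as an argument, with /usr/bin/super from the advisory assumed as the intended target.

```shell
#!/bin/sh
# Added example, not from the original advisory: audit and clear the
# setuid bit on a binary such as /usr/bin/super (path is assumed).

# Returns 0 (true) when the file exists and has its set-user-ID bit set.
has_setuid() {
    [ -u "$1" ]
}

# Clears the setuid bit without touching the other mode bits, then
# re-checks. Returns 0 only when the bit is confirmed gone.
drop_setuid() {
    chmod u-s "$1" || return 1
    if has_setuid "$1"; then
        return 1
    fi
    return 0
}

# Prints a one-line status for the path; does not modify anything.
# Output is "setuid" or "not-setuid" so it can be grepped from a fleet audit.
audit_setuid() {
    if has_setuid "$1"; then
        echo "$1: setuid"
    else
        echo "$1: not-setuid"
    fi
}

# When invoked directly with a path, audit it and clear the bit if needed.
# With no argument nothing runs, so the functions can be sourced safely.
if [ "$#" -ge 1 ]; then
    audit_setuid "$1"
    if has_setuid "$1"; then
        drop_setuid "$1" && echo "$1: setuid bit cleared"
    fi
fi
```

Running `sh audit_super.sh /usr/bin/super` as root mirrors the advisory's `chmod 755` (which also resets the other bits to rwxr-xr-x); `chmod u-s` is used here so that any deliberately restrictive group or other permissions on the binary are preserved.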
Also, for pure Debian users:
ftp://ftp.debian.org/debian/dists/potato/main/source/admin/super_3.11.7-1.diff.gz
ftp://ftp.debian.org/debian/dists/potato/main/source/admin/super_3.11.7-1.dsc
ftp://ftp.debian.org/debian/dists/potato/main/source/admin/super_3.11.6.orig.tar.gz
ftp://ftp.debian.org/debian/dists/potato/main/binary-i386/admin/super_3.11.7-1.deb
ftp://ftp.debian.org/debian/dists/potato/main/binary-m68k/admin/super_3.11.7-1.deb
ftp://ftp.debian.org/debian/dists/potato/main/binary-powerpc/admin/super_3.11.7-1.deb