[TUHS] Buffer overflow found/fixed in v4 tape ;)

Craig B Agricola via TUHS tuhs at tuhs.org
Tue Jan 13 14:49:09 AEST 2026


On Mon, Jan 05, 2026 at 12:08:14PM -0500, Paul Winalski via TUHS wrote:
> The problem with that philosophy is that a buffer overflow doesn't
> necessarily lead to a program crash.  A program crash is the lucky
> outcome.  If you're unlucky you will silently get the wrong answer, or
> other misbehavior.

In fact, in this case, far from just a program crash, you have a trivial
privilege escalation.  I'll repeat what I posted on the Metzdowd
Cryptography list[1].

Since the buffer that you're comparing the crypt() of the input against
is immediately after the buffer for the input, all you have to do is pad
out the input to overwrite the hash that was read from /etc/passwd to
the known hash of the beginning of your password input.  crypt() of that
era only takes into account the first 8 characters of the password.  So,
for instance, from an unprivileged user account, providing the following
password to su gives you a root shell.

abcdefghxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5WWWWWWW:

It's pretty quick to spin up a fresh simulator with the UNIX v4 tape
install, create a user account, and then try to su with that password.

 -Craig

1. https://www.metzdowd.com/pipermail/cryptography/2026-January/039233.html
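To show, from the defender's side, why the adjacent-buffer layout described above turns a missing length check into an authentication bypass and what the bounded fix looks like, here is an added model in C. It is not the V4 su source: toy_crypt is a constructed stand-in for crypt() (only the first 8 characters count, and it is not a real hash), and INPUT_LEN and the single flat block are assumptions that stand in for the V4 buffer layout.

```c
#include <stdio.h>
#include <string.h>
#define INPUT_LEN 16                   /* assumed size of the password buffer */
#define HASH_LEN  8                    /* toy hash length (constructed) */
#define FRAME_LEN (INPUT_LEN + HASH_LEN + 1)

/* Constructed stand-in for crypt(): as with the crypt() of that era, only the
 * first 8 characters of the password influence the result. Not a real hash. */
static void toy_crypt(const char *pw, char out[HASH_LEN + 1]) {
    unsigned char acc[HASH_LEN] = {0};
    for (int i = 0; i < HASH_LEN && pw[i]; i++) acc[i] = (unsigned char)pw[i];
    for (int i = 0; i < HASH_LEN; i++) out[i] = 'A' + (acc[i] * 7 + i * 13) % 26;
    out[HASH_LEN] = '\0';
}

/* Vulnerable pattern: one flat block models the two adjacent buffers, typed
 * password first, the hash read from /etc/passwd right after it. The copy has
 * no length check, so input longer than INPUT_LEN runs into the stored hash. */
static int vulnerable_check(const char *stored_hash, const char *typed) {
    char frame[FRAME_LEN], h[HASH_LEN + 1];
    char *input = frame, *stored = frame + INPUT_LEN;
    memcpy(stored, stored_hash, HASH_LEN + 1);
    size_t n = strlen(typed);
    if (n > FRAME_LEN - 1) n = FRAME_LEN - 1;   /* keeps the model itself in bounds */
    memcpy(input, typed, n);
    input[n] = '\0';
    toy_crypt(input, h);
    return strcmp(h, stored) == 0;              /* stored may now be caller-supplied */
}

/* Fixed pattern: separate buffers and a bounded read; an overlong password is
 * rejected before it can touch anything else. */
static int fixed_check(const char *stored_hash, const char *typed) {
    char input[INPUT_LEN], stored[HASH_LEN + 1], h[HASH_LEN + 1];
    memcpy(stored, stored_hash, HASH_LEN + 1);
    size_t n = strlen(typed);
    if (n >= INPUT_LEN) return 0;
    memcpy(input, typed, n + 1);
    toy_crypt(input, h);
    return strcmp(h, stored) == 0;
}

int main(void) {
    char real[HASH_LEN + 1], h[HASH_LEN + 1], padded[FRAME_LEN + 8];
    toy_crypt("s3cret", real);                  /* what the passwd entry would hold */
    toy_crypt("abcdefgh", h);                   /* hash of the first 8 chars of the padded input */
    snprintf(padded, sizeof padded, "abcdefghxxxxxxxx%s", h);
    printf("vulnerable: %d  fixed: %d\n", vulnerable_check(real, padded), fixed_check(real, padded));
    return 0;
}
```

The padded input never contains the real password, yet the vulnerable check accepts it because the comparison target was overwritten; the bounded version rejects it before any copy happens.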

