UNIX Fourth Research Edition Buffer Overflow Vulnerability in su Command Allows Privilege Escalation
Vulnerability
A buffer overflow vulnerability has been identified in the 'su' command of UNIX Fourth Research Edition (v4). The 'password' variable is a fixed 100-byte buffer, and the password input is written into it without a bounds check, allowing local users to overflow the buffer and potentially gain root privileges. Although this version of UNIX is rarely used outside of specific lab environments, the vulnerability is significant because it reflects a common issue that can lead to unauthorized privilege escalation.
Impact
Exploitation of this vulnerability allows local users to gain root privileges on the system.
Reproduction
The vulnerability can be reproduced by entering a password longer than 100 characters when prompted by the 'su' command. This input overflows the 'password' buffer, corrupting adjacent memory and causing the program to crash. The memory corruption can be exploited to execute arbitrary code.
Remediation
The vulnerability can be fixed by patching the 'su' source code to include a bounds check on the password input, preventing the buffer overflow. After applying the patch, the modified 'su' can be recompiled and installed with the appropriate setuid permissions.
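The bounds check described above, as an added example in modern C. It is not the v4 'su' source or the actual patch; the names read_password, try_length and PWSIZE are assumptions, and the input lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define PWSIZE 100               /* buffer size stated in the advisory */
static char password[PWSIZE];

/* Read one line into buf (capacity cap, NUL included). Returns the length,
 * or -1 on EOF before newline or on a line that does not fit. On failure the
 * rest of the line is drained and buf is cleared (no truncated compare). */
int read_password(FILE *in, char *buf, size_t cap)
{
    size_t n = 0;
    int c, too_long = 0;
    if (cap == 0) return -1;
    while ((c = getc(in)) != EOF && c != '\n') {
        if (n + 1 < cap)         /* bounds check: keep room for the NUL */
            buf[n++] = (char)c;
        else
            too_long = 1;        /* keep consuming, stop storing */
    }
    if (c == EOF || too_long) {
        memset(buf, 0, cap);
        return -1;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Hypothetical helper: feed a constructed line of len 'A' characters plus
 * a newline to read_password and return its result. */
int try_length(size_t len)
{
    FILE *f = tmpfile();
    int r;
    if (f == NULL) return -2;
    for (size_t i = 0; i < len; i++)
        putc('A', f);
    putc('\n', f);
    rewind(f);
    r = read_password(f, password, sizeof password);
    fclose(f);
    return r;
}

int main(void)
{
    printf("%d %d %d\n", try_length(99), try_length(100), try_length(150));
    return 0;
}
```

An over-long line is rejected outright rather than truncated, so a prefix of the input is never compared against the stored password.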
