TL;DR
A preserved copy of UNIX v4 was recovered and run on a PDP-11 simulator in 2025. While inspecting the system's su program, an unchecked password input allowed a buffer overflow; the author patched the source with ed, rebuilt the binary on the system, and restored a setuid su.
What happened
Enthusiasts recovered the only known copy of UNIX v4 from magnetic tape and ran it in a PDP-11 emulator. While auditing the source code included on the tape, the author examined the su(1) utility and found a classic buffer overflow: password input is read into a fixed 100-byte array with no boundary check. Long input strings caused crashes (sometimes a core dump, sometimes a plain exit), and because su disables TTY echo before reading the password, a crash can leave the terminal unreadable until echo is manually restored. The author edited su.c using ed, the line editor available on the system, added a simple integer counter and a check that aborts when the input reaches the buffer size, recompiled with the system's cc, moved the new binary to /bin/su and set the setuid bit so su runs as root. The post also notes that getpw() continues on read failure, a separate potential security concern.
Why it matters
- It demonstrates how distributing complete source and an on-system compiler enabled direct fixes on historical systems.
- A bounds-checking omission in a setuid-root program is a latent privilege-escalation risk even on very old Unix releases.
- The incident highlights differences in 1970s development assumptions versus modern security expectations.
- Preserving and running historical software can expose real, actionable vulnerabilities that require careful handling.
Key facts
- The only known UNIX v4 copy surfaced on magnetic tape in 2025 and was run on a PDP-11 simulator.
- The su.c source is under 50 lines; its password buffer is declared as char password[100].
- The input loop reads characters into the buffer without checking bounds, allowing overflow with long input.
- Testing with long input reproduced crashes and occasional core dumps; terminal echo can remain disabled after a crash.
- The author edited the source using ed, added a register int i counter and a boundary check, then wrote the file back.
- The patched program was compiled with cc to produce a.out, moved to /bin/su, and had its setuid bit set with chmod 4755.
- getpw() in this implementation continues execution on read failure or malformed lines, which the author cites as a security issue.
- The writeup recommends restoring TTY echo on error as an additional improvement.
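The unchecked read loop described above, next to the counter-and-bound fix, as an added illustration written for this summary (not the v4 su.c source or the author's patch). Input comes from a string instead of getchar() so it runs offline; the function names and the PASSWORD_LEN macro are assumptions.

```c
/* Added illustration, not the UNIX v4 su.c source: the unchecked read loop
 * the writeup describes, beside the counter-and-bound fix it applied.
 * Characters come from a string rather than getchar() so this runs offline. */
#include <stddef.h>
#include <string.h>

#define PASSWORD_LEN 100   /* the post: char password[100] */

/* 'Before': copy characters until newline or end of input with no bound.
 * Every byte beyond PASSWORD_LEN lands in whatever follows the array.
 * Only call this with a backing store larger than the input (as the test
 * does) to observe how far past index 99 it writes. */
size_t unchecked_read(const char *in, char *password)
{
    char *p = password;
    while (*in != '\0' && *in != '\n')
        *p++ = *in++;
    *p = '\0';
    return (size_t)(p - password);   /* characters stored */
}

/* 'After': an index checked against the buffer size on every iteration,
 * mirroring the integer counter and boundary check added with ed.
 * Returns 0 on success and -1 if the input would not fit; the caller should
 * then restore TTY echo and exit, as the writeup suggests. */
int checked_read(const char *in, char *password, size_t size)
{
    size_t i = 0;
    while (*in != '\0' && *in != '\n') {
        if (i >= size - 1)           /* leave room for the terminator */
            return -1;
        password[i++] = *in++;
    }
    password[i] = '\0';
    return 0;
}
```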
What to watch next
- Add code to restore TTY echo when the program detects overflow or error; the source suggests this as a follow-up exercise (confirmed in the source).
- A broader audit of other core utilities for similar unchecked inputs — not confirmed in the source.
- Whether the getpw() behavior is addressed in subsequent patches or distributions — not confirmed in the source.
Quick glossary
- Buffer overflow: A condition where a program writes more data into a fixed-size memory region than it can hold, potentially overwriting adjacent memory.
- setuid: A Unix file permission that causes a program to run with the file owner's privileges, commonly used to let ordinary users run programs with elevated rights.
- getpw(): A legacy library call that retrieves a passwd entry for a given user ID from the system password file.
- ed: A line-oriented text editor used on early Unix systems, designed for terminals without full-screen display capabilities.
- crypt(): A library function used to hash passwords for comparison against stored password hashes.
Reader FAQ
Was the overflow used to gain root access in tests?
Not confirmed in the source.
How was the bug fixed?
The author added an integer counter and a check against sizeof(password) in the input loop, then recompiled and installed the updated binary.
Did the author deploy the patched su as setuid?
Yes. The compiled binary was moved to /bin/su and permissions were changed (chmod 4755) so it runs with root privileges.
How can you recover a terminal left with echo disabled after a crash?
Type 'stty echo' blindly and press Enter to restore terminal echo (as noted in the source).
Source excerpt (31.12.2025): Fixing a Buffer Overflow in UNIX v4 Like It's 1973. Introduction: In 2025, the only known copy of UNIX v4 surfaced…
Sources
- Fixing a Buffer Overflow in Unix v4 Like It's 1973
- Unix v4 (1973) – Live Terminal
- Fixing a Buffer Overflow in UNIX v4 Like It's 1973
- Buffer overflow in /bin/su from UNIX v4 – oss-sec