logoalt Hacker News

Fixing a Buffer Overflow in Unix v4 Like It's 1973

138 pointsby vzalivayesterday at 6:29 PM36 commentsview on HN

Comments

asveikautoday at 2:13 AM

A bit of a code review (some details from the patch removed for clarity):

   +       register int i;
           q = password;
   -       while((*q = getchar()) != '\n')
   +       i = 0;
   +       while((*q = getchar()) != '\n') {
   +               if (++i >= sizeof(password))
   +                       goto error;
You don't actually need i here. i is the same as (q - password). It would be idiomatic C to simply rewrite the loop condition as: while (q < password+sizeof(password) && (*q = getchar()) != '\n'). To preserve your "goto error;" part, maybe you could do the overflow check when null terminating outside the loop.
show 1 reply
WalterBrighttoday at 3:32 AM

Back in the 80s, when I was writing a C compiler, C compilers typically had a maximum size for string literals. The behavior was to detect overflow, issue an error message, and fail compilation.

I took a different tack. The buffer was allocated with malloc. When a string was larger, it was realloced to a larger size. This worked until memory was exhausted, and then the program quit.

It was actually less code to implement than having a fixed size buffer.

Ditto for the other compilation limits, such as length of a line. The only limit was running out of memory.

mgerdtsyesterday at 7:51 PM

What is up with fin? Is it really just writing an int 0 in the memory right after some variable present in libc or similar?

        extern fin;

        if(getpw(0, pwbuf))
                goto badpw;
        (&fin)[1] = 0;
show 3 replies
SoftTalkeryesterday at 9:45 PM

I had to use ed once in a very limited recovery situation. I don't remember the details but even vi was not an option. It's not terrible if you just need to change a few lines. Using it on a teletype to write code all day would get tedious quickly. Full-screen editors had to have been an amazing productivity boost.

show 2 replies
nineteen999yesterday at 8:15 PM

Already patched this on my x86_64 v4 UNIX port. Hehe.

w-myesterday at 11:33 PM

The password and pwbuf arrays are declared one right after the other. Will they appear consecutive in memory, i.e. will you overwrite pwbuf when writing past password?

If so, could you type the same password that’s exactly 100 bytes twice and then hit enter to gain root? With only clobbering one additional byte, of ttybuf?

Edit: no, silly, password is overwritten with its hash before the comparison.

show 1 reply
b-kuiperyesterday at 7:54 PM

so, is there already somebody that wrote the exploit for it? are there any special things to consider exploiting such architecture back in the day or do the same basic principles apply?

show 2 replies
WalterBrighttoday at 3:28 AM

Having a buffer with a fixed size is always a red flag for further checking.

ChrisArchitectyesterday at 7:58 PM

Related:

An initial analysis of the discovered Unix V4 tape

https://news.ycombinator.com/item?id=46367744

Unix v4 (1973) – Live Terminal

https://news.ycombinator.com/item?id=46468283

emilfihlmantoday at 10:41 AM

The source has

ttybuf[2] =& ~010;

Which is another bug.

show 1 reply
kazinatoryesterday at 11:11 PM

Remotely exploiting a buffer overflow in Unix like it's 1973.

# ... sound of crickets ...

Wanna see me do it again?