Headline
CVE-2023-29383: Added control character check · shadow-maint/shadow@e5905c4
In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that “cat /etc/passwd” shows a rogue user account.
@@ -21,9 +21,9 @@ * * The supplied field is scanned for non-printable and other illegal * characters. * + -1 is returned if an illegal character is present. * + 1 is returned if no illegal characters are present, but the field * contains a non-printable character. * + -1 is returned if an illegal or control character is present. * + 1 is returned if no illegal or control characters are present, * but the field contains a non-printable character. * + 0 is returned otherwise. */ int valid_field (const char *field, const char *illegal) @@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal) }
if (0 == err) { /* Search if there are some non-printable characters */ /* Search if there are non-printable or control characters */ for (cp = field; ‘\0’ != *cp; cp++) { if (!isprint (*cp)) { err = 1; } if (!iscntrl (*cp)) { err = -1; break; } }