Trustwave SpiderLabs Security Advisory TWSL2023-004:
Improper input validation in shadow-utils package utility chfn

Published: 04/12/2023
Version: 1.0

Vendor: shadow-utils (https://github.com/shadow-maint/shadow/)
Product: chfn
Version affected: shadow-4.5

Product description:
chfn (change finger) - change a user's finger information (stored in the /etc/passwd file).

Finding 1: Improper input validation in shadow-utils package utility chfn
Credit: Tom Neaves of Trustwave SpiderLabs
CVE: CVE-2023-29383
CWE: CWE-20

It is possible to inject control characters into the fields provided to chfn. Although this cannot be exploited directly (for example to add a new user, because \n is in the block list), it can be used to misrepresent the contents of /etc/passwd when the file is viewed.

By using the carriage return control character \r to start the line again, and the Unicode character U+A789 (a colon look-alike) to get around the colon being blocked, it is possible to give the impression that a new root user (called "hacked" in the proof of concept below) has been added when a GECOS field is updated, e.g. when adding a room number as in this example. This could be used to support a pretext by an attacker looking to convince an administrator that they already have root access, by prompting the administrator to view the /etc/passwd file to "demonstrate" it.

Note: The full name (-f), home phone (-h) and work phone (-w) parameters could also be targeted in the same way; the room number (-r) is used here as an example.

Example injection:

    chfn -r "`echo -e '\rhacked\ua789x\ua7890\ua7890\ua789root user'`"

Viewing /etc/passwd with 'cat' afterwards:

    hacked:x:0:0:root user,,:/home/tom:/bin/bash

Tested on Ubuntu 22.04.02 (5.19.0-32 generic), which uses chfn from the shadow package and not util-linux's version. This issue was found to affect other Debian-based Linux operating systems which also use chfn from the shadow package.
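To make the warn-only path concrete, the following C example (added here; it is neither the advisory's code nor the upstream patch) re-types the shadow-4.5 valid_field check quoted in this advisory with early returns, places beside it a hardened variant that rejects control characters with iscntrl, and wraps both in chfn_accepts, a hypothetical helper that mirrors the accept/exit decision made in check_fields.

```c
#include <ctype.h>
#include <string.h>

/* Re-typed from the shadow-4.5 lib/fields.c check quoted in this advisory
 * (ctype arguments cast to unsigned char, as the standard requires).
 * -1: blocked character (chfn exits); 1: non-printable (chfn only warns). */
static int valid_field_before(const char *field, const char *illegal)
{
    const char *cp;
    if (field == NULL)
        return -1;
    for (cp = field; *cp != '\0'; cp++) {
        if (strchr(illegal, *cp) != NULL)
            return -1;
    }
    for (cp = field; *cp != '\0'; cp++) {
        if (!isprint((unsigned char)*cp))
            return 1;
    }
    return 0;
}

/* Hardened variant written for this example (it is not the upstream patch):
 * an ASCII control character such as \r is treated like a blocked character,
 * so the caller takes its fail_exit path instead of merely warning. */
static int valid_field_after(const char *field, const char *illegal)
{
    const char *cp;
    if (field == NULL)
        return -1;
    for (cp = field; *cp != '\0'; cp++) {
        if (strchr(illegal, *cp) != NULL || iscntrl((unsigned char)*cp))
            return -1;
    }
    for (cp = field; *cp != '\0'; cp++) {
        if (!isprint((unsigned char)*cp))
            return 1;  /* bytes outside ASCII still only warn, as in chfn */
    }
    return 0;
}

/* Mirrors the decision in chfn.c check_fields: err > 0 only prints a
 * warning, so the field is still written; only err < 0 aborts. Returns 1
 * when chfn would accept the room number, 0 when it would refuse it. */
static int chfn_accepts(int (*check)(const char *, const char *),
                        const char *roomno)
{
    return check(roomno, ":,=\n") >= 0;
}
```

With the original check a room number beginning with \r is only warned about and still written; with the hardened check it is refused.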
It was recommended that control characters be blocked (using "iscntrl"), as implemented in util-linux's version of chfn at lines 444-448 of https://github.com/util-linux/util-linux/blob/ae7054723b39eb0c5388fb8acfe26c5fd5a98f02/login-utils/chfn.c.

Affected code:

/shadow-4.5/src/chfn.c: check_fields, on lines 585 to 592:

    ...
    err = valid_field (roomno, ":,=\n");
    if (err > 0) {
        fprintf (stderr, _("%s: room number with non-ASCII characters: '%s'\n"), Prog, roomno);
    } else if (err < 0) {
        fprintf (stderr, _("%s: invalid room number: '%s'\n"), Prog, roomno);
        fail_exit (E_NOPERM);
    }
    ...

/shadow-4.5/lib/fields.c: valid_field, on lines 52 to 81:

    ...
    int valid_field (const char *field, const char *illegal)
    {
        const char *cp;
        int err = 0;

        if (NULL == field) {
            return -1;
        }

        /* For each character of field, search if it appears in the list
         * of illegal characters. */
        for (cp = field; '\0' != *cp; cp++) {
            if (strchr (illegal, *cp) != NULL) {
                err = -1;
                break;
            }
        }

        if (0 == err) {
            /* Search if there are some non-printable characters */
            for (cp = field; '\0' != *cp; cp++) {
                if (!isprint (*cp)) {
                    err = 1;
                    break;
                }
            }
        }

        return err;
    }
    ...

Note that a non-printable character only sets err to 1, which check_fields reports as a warning; only a character from the illegal list (err < 0) causes chfn to exit. A pull request was submitted and the commit merged to detect control characters (using "iscntrl") and to exit chfn if any are present.

Vendor Response: Accepted and remediated

Remediation Steps:
Check with the maintainer of your Linux distribution to make sure they have applied the latest fixes.

Revision History:
03/08/2023 - Initial email to vendor
03/20/2023 - Vulnerability disclosed to vendor
03/23/2023 - Pull request submitted
03/30/2023 - Pull request approved and merged
04/12/2023 - Advisory published

References:
1. https://github.com/shadow-maint/shadow/pull/687
2. https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk.
With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.