In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that cat /etc/passwd shows a rogue user account.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Shadow | Shadow_project | 4.13 (including) | 4.13 (including) |
| Shadow | Ubuntu | bionic | * |
| Shadow | Ubuntu | esm-infra-legacy/trusty | * |
| Shadow | Ubuntu | esm-infra/bionic | * |
| Shadow | Ubuntu | esm-infra/xenial | * |
| Shadow | Ubuntu | focal | * |
| Shadow | Ubuntu | jammy | * |
| Shadow | Ubuntu | kinetic | * |
| Shadow | Ubuntu | lunar | * |
| Shadow | Ubuntu | mantic | * |
| Shadow | Ubuntu | trusty | * |
| Shadow | Ubuntu | trusty/esm | * |
| Shadow | Ubuntu | upstream | * |
| Shadow | Ubuntu | xenial | * |