CVE-2023-29383 Overview
CVE-2023-29383 is a control character injection vulnerability in the Shadow password suite version 4.13. The vulnerability exists in the setuid-root program chfn (change finger), which allows local users to inject control characters into the GECOS field of their own /etc/passwd entry. Direct exploitation for privilege escalation is blocked, because newline (\n) is on the block list and a genuine second entry therefore cannot be appended, but an attacker can combine carriage return (\r) with a Unicode look-alike for the blocked colon (:) to craft a field that, when /etc/passwd is printed to a terminal with standard utilities such as cat, appears to contain an additional rogue user account.
Critical Impact
An adversary can manipulate how /etc/passwd appears when viewed, potentially convincing system administrators that the system has been compromised with rogue user accounts, leading to an indirect, social-engineered denial of service through unnecessary system downtime.
Affected Products
- Shadow password suite 4.13 (NVD CPE vendor/product: shadow_project / shadow)
Discovery Timeline
- 2023-04-14 - CVE CVE-2023-29383 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2023-29383
Vulnerability Analysis
This vulnerability is an input validation error that allows control characters to reach the GECOS field of /etc/passwd through the setuid-root chfn utility. chfn lets users modify their finger information (full name, room number, work and home phone numbers), which is stored in the fifth field of their /etc/passwd entry. The validation performed by valid_field() has two tiers: a caller-supplied list of illegal characters (for chfn this includes newline and colon), which is treated as fatal, and a generic non-printable check, which only produces a warning. A carriage return (\r) is not on the illegal list, so it falls into the warning tier and is still written to the file; a non-ASCII look-alike for the colon likewise triggers at most the non-ASCII warning and is written as well.
The attack leverages the way terminal emulators interpret control characters. A \r returns the cursor to the start of the current line without advancing, so whatever follows it overwrites the text already drawn there. By placing \r after the legitimate part of the GECOS value and following it with text laid out like a passwd entry (with the blocked : replaced by a Unicode look-alike), an attacker can make cat /etc/passwd display what looks like an extra account, typically one with UID 0. The file itself still contains exactly one well-formed seven-field entry for the attacker's user, so getent, login and other parsers are unaffected; only the human reading the terminal is deceived. Utilities that escape control characters, such as cat -v or cat -A, show the \r as ^M instead of acting on it.
Root Cause
The root cause lies in insufficient input validation within the valid_field() function in lib/fields.c. The original implementation returned -1 only for characters in the caller's illegal list and returned 1 when the field merely contained a non-printable character; chfn treats 1 as a non-fatal warning and proceeds, so a \r, which is non-printable but not on the illegal list, was accepted and written out. The security patch makes any control character an error: valid_field() now returns -1 for control characters as well as for the illegal characters, so chfn refuses the field.
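The following is an added example, not code from the shadow project: a C model of the valid_field() policy before and after the fix, together with the caller behaviour described above (a return of 1 is a warning, -1 is fatal). The illegal-character list ":,=\n" is assumed to be the one chfn passes for the full-name field, and the sample inputs are constructed. It runs in the C locale, where isprint() and iscntrl() only know ASCII.

```c
/* Added example (not shadow's code): model of valid_field() before and
 * after the CVE-2023-29383 fix, plus chfn's warning-vs-fatal handling.
 * The illegal list below is an assumption; the sample inputs are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix policy: -1 only for a byte on the caller's illegal list; any
 * other non-printable byte, '\r' included, merely yields 1. */
int valid_field_before(const char *field, const char *illegal)
{
    const char *cp;
    if (field == NULL) return -1;
    for (cp = field; *cp != '\0'; cp++)
        if (strchr(illegal, *cp) != NULL) return -1;
    for (cp = field; *cp != '\0'; cp++)
        if (!isprint((unsigned char)*cp)) return 1;
    return 0;
}

/* Post-fix policy: a control byte is fatal (-1) like an illegal byte.
 * Non-ASCII bytes (e.g. a UTF-8 look-alike colon) are still only 1. */
int valid_field_after(const char *field, const char *illegal)
{
    const char *cp;
    int err = 0;
    if (field == NULL) return -1;
    for (cp = field; *cp != '\0'; cp++)
        if (strchr(illegal, *cp) != NULL) return -1;
    for (cp = field; *cp != '\0'; cp++) {
        unsigned char c = (unsigned char)*cp;
        if (iscntrl(c)) return -1;
        if (!isprint(c)) err = 1;
    }
    return err;
}

/* Assumed illegal list for chfn's full-name field. */
#define CHFN_ILLEGAL ":,=\n"

/* chfn proceeds on 0 or 1 (1 only prints a warning) and refuses on -1. */
bool chfn_accepts(const char *field, bool fixed)
{
    int err = fixed ? valid_field_after(field, CHFN_ILLEGAL)
                    : valid_field_before(field, CHFN_ILLEGAL);
    return err >= 0;
}

int main(void)
{
    static const struct { const char *label, *value; } samples[] = {
        { "plain text",    "Alice Example" },
        { "embedded CR",   "Alice\rbackdoor" },
        { "literal colon", "a:b" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s before fix: %-8s after fix: %s\n", samples[i].label,
               chfn_accepts(samples[i].value, false) ? "accepted" : "refused",
               chfn_accepts(samples[i].value, true)  ? "accepted" : "refused");
    return 0;
}
```

The interesting row is the embedded carriage return: the pre-fix policy classifies it as "non-printable, warn and continue", the post-fix policy as "control, refuse". The look-alike colon is non-ASCII rather than a control byte, so both versions let it through with a warning; that is why the fix addresses the spoofing only by removing the \r that makes the overwrite possible.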
Attack Vector
This vulnerability requires local access to the system. An attacker with an unprivileged local account runs chfn (for example chfn -f to set the full name) and supplies specially crafted input containing a carriage return and Unicode look-alike characters. The attack flow involves:
- The attacker uses chfn to modify their GECOS field with crafted content containing \r sequences
- The malicious content is written to /etc/passwd since the characters weren't properly filtered
- When an administrator views /etc/passwd using standard terminal utilities, the control characters manipulate the display
- The administrator sees what appears to be unauthorized user accounts in the system
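To make the display mechanism from the Vulnerability Analysis and the attack flow above concrete, here is an added example, not code from the shadow project or from the CVE reporter. It builds a GECOS value of the shape described (genuine text, \r, then a fake UID 0 entry), assembles the /etc/passwd line chfn would write, and renders that line the way a terminal does. The user name alice, the fake name backdoor, and the choice of U+FF1A (fullwidth colon) as the look-alike for ':' are assumptions of this example.

```c
/* Added example, not code from the shadow project: models how a carriage
 * return inside a GECOS field spoofs the terminal view of /etc/passwd
 * while the file still holds one well-formed seven-field entry.
 * User names and the look-alike colon are constructed for this demo. */
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the blocked ':' -- the fullwidth colon U+FF1A in
 * UTF-8.  The CVE text only says a Unicode character is used; which code
 * point an attacker would pick is an assumption here. */
#define FAKE_COLON "\xef\xbc\x9a"

/* The GECOS value as chfn would store it: genuine text, then \r, then
 * text laid out like a UID 0 passwd entry. */
void build_gecos(char *out, size_t n)
{
    snprintf(out, n, "%s", "Alice Example\rbackdoor" FAKE_COLON "x" FAKE_COLON "0"
                           FAKE_COLON "0" FAKE_COLON "root" FAKE_COLON "/root"
                           FAKE_COLON "/bin/bash");
}

/* The full line that lands in /etc/passwd. */
void build_passwd_line(char *out, size_t n)
{
    char gecos[256];
    build_gecos(gecos, sizeof gecos);
    snprintf(out, n, "alice:x:1000:1000:%s:/home/alice:/bin/bash", gecos);
}

/* A passwd parser counts real ':' bytes: six of them, one seven-field entry. */
int count_colons(const char *line)
{
    int c = 0;
    for (; *line != '\0'; line++)
        if (*line == ':') c++;
    return c;
}

/* What a terminal draws: \r moves the cursor to column 0 and later bytes
 * overwrite what was there.  Works on bytes, so the 3-byte look-alike
 * colon occupies three columns here where a terminal draws one glyph. */
void render_like_terminal(const char *line, char *out, size_t n)
{
    size_t col = 0, len = 0;
    for (; *line != '\0' && len + 1 < n; line++) {
        if (*line == '\r') { col = 0; continue; }
        if (*line == '\n') break;
        out[col++] = *line;
        if (col > len) len = col;
    }
    out[len] = '\0';
}

int main(void)
{
    char line[512], shown[512];
    build_passwd_line(line, sizeof line);
    render_like_terminal(line, shown, sizeof shown);
    printf("colons in stored line : %d (one real entry)\n", count_colons(line));
    printf("what a terminal shows : %s\n", shown);
    /* Printing the raw bytes to a real terminal performs the spoof itself;
     * pipe the output through cat -v to see the ^M instead. */
    printf("raw bytes             : %s\n", line);
    return 0;
}
```

The stored line begins with alice:x:1000:1000: and contains exactly six colons, so every parser still sees one entry for alice; the rendered line begins with backdoor followed by look-alike colons, which is what an administrator running plain cat would read. The tail of the real entry (the home directory and shell) remains visible after the fake one, a tell-tale an attentive reader can still spot.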
*
* The supplied field is scanned for non-printable and other illegal
* characters.
- * + -1 is returned if an illegal character is present.
- * + 1 is returned if no illegal characters are present, but the field
- * contains a non-printable character.
+ * + -1 is returned if an illegal or control character is present.
+ * + 1 is returned if no illegal or control characters are present,
+ * but the field contains a non-printable character.
* + 0 is returned otherwise.
*/
int valid_field (const char *field, const char *illegal)
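Review bot: the new wording on the + lines leaves the return-value contract ambiguous: a control character is also non-printable, so the +1 case ("no illegal or control characters are present, but the field contains a non-printable character") only holds if the control check runs before, or takes precedence over, the non-printable check. State that precedence explicitly, and say which predicate defines a control character (iscntrl() in the current locale, or the fixed ASCII range 0x00-0x1F and 0x7F), because callers that treat +1 as a warning and -1 as fatal depend on \r landing in the -1 bucket regardless of locale.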
Source: GitHub Commit Update
Detection Methods for CVE-2023-29383
Indicators of Compromise
- Unusual or non-printable characters present in GECOS fields within /etc/passwd
- Discrepancies between the output of cat /etc/passwd and hexdump -C /etc/passwd indicating embedded control characters
- Recent chfn executions by non-administrative users: chfn records each successful change through syslog, and audit rules on the binary record the execution itself
Detection Strategies
- Compare the plain cat output of /etc/passwd with cat -v, cat -A, or a hexadecimal dump to identify control characters that the terminal would otherwise interpret
- Implement file integrity monitoring on /etc/passwd to detect unauthorized modifications
- Monitor audit logs for chfn command usage, particularly with unusual input patterns
- Use tools that display raw bytes rather than interpreting control characters when reviewing sensitive system files
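The detection strategies above boil down to a byte-level review of each entry. The following added example (not code from the shadow project) scans passwd-format text, flags control bytes, non-ASCII bytes and entries whose field count is not seven, and prints each suspicious entry escaped the way cat -v would show it. The three sample lines are constructed for this example.

```c
/* Added example (not shadow's code): a scanner for passwd-format text that
 * flags control bytes, non-ASCII bytes and malformed field counts, and
 * prints offenders escaped like cat -v.  Sample content is constructed. */
#include <stdio.h>
#include <string.h>

#define PASSWD_FIELDS 7

/* Constructed sample: a clean root entry, a spoofed GECOS with \r and a
 * 3-byte look-alike colon (U+FF1A), and an entry with a bare tab.
 * The look-alike bytes sit in their own string literal so the hex escape
 * does not swallow the digit that follows. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice\rbackdoor" "\xef\xbc\x9a" "x" "\xef\xbc\x9a"
    "0:/home/alice:/bin/bash\n"
    "bob:x:1001:1001:Bob\tSmith:/home/bob:/bin/sh\n";

/* ASCII control byte: 0x00-0x1F or 0x7F. */
static int is_ctrl(unsigned char c) { return c < 0x20 || c == 0x7f; }

/* Classify one line (no trailing newline).  Bitmask: 1 = control byte,
 * 2 = non-ASCII byte, 4 = field count is not 7. */
int classify_passwd_line(const char *line)
{
    int flags = 0, fields = 1;
    for (const unsigned char *p = (const unsigned char *)line; *p; p++) {
        if (*p == ':') fields++;
        else if (is_ctrl(*p)) flags |= 1;
        else if (*p >= 0x80) flags |= 2;
    }
    if (fields != PASSWD_FIELDS) flags |= 4;
    return flags;
}

/* Escape like cat -v: control bytes as ^X (0x7F as ^?), high bytes as M-x. */
static void escape_cat_v(const char *in, char *out, size_t n)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p && o + 4 < n; p++) {
        unsigned char c = *p;
        if (c >= 0x80) { out[o++] = 'M'; out[o++] = '-'; c -= 0x80; }
        if (c < 0x20) { out[o++] = '^'; out[o++] = (char)(c + 0x40); }
        else if (c == 0x7f) { out[o++] = '^'; out[o++] = '?'; }
        else out[o++] = (char)c;
    }
    out[o] = '\0';
}

/* Walk a passwd-format buffer; returns the number of suspicious entries
 * and, when report is non-NULL, prints each one with its raw bytes visible. */
int scan_passwd(const char *text, FILE *report)
{
    int suspicious = 0;
    const char *start = text;
    while (*start != '\0') {
        const char *end = strchr(start, '\n');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        char line[1024], shown[4096];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, start, len);
        line[len] = '\0';
        int flags = classify_passwd_line(line);
        if (flags != 0) {
            suspicious++;
            if (report != NULL) {
                escape_cat_v(line, shown, sizeof shown);
                fprintf(report, "[%s%s%s] %s\n",
                        (flags & 1) ? "ctrl " : "", (flags & 2) ? "non-ascii " : "",
                        (flags & 4) ? "fields!=7" : "", shown);
            }
        }
        start = end ? end + 1 : start + strlen(start);
    }
    return suspicious;
}

int main(void)
{
    int n = scan_passwd(SAMPLE_PASSWD, stdout);
    printf("%d suspicious entr%s\n", n, n == 1 ? "y" : "ies");
    return n != 0;
}
```

Run against the real file with the same function (read /etc/passwd into a buffer and call scan_passwd), the control-byte flag is the one that matters for this CVE; the non-ASCII flag is informational, since legitimate names may contain UTF-8, but a non-ASCII byte adjacent to a control byte in the same GECOS field is exactly the pattern described above. The field-count check catches the case a parser would also reject, which is why it is a separate flag.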
Monitoring Recommendations
- Configure auditd rules to log all modifications to /etc/passwd and executions of the chfn binary
- Establish baseline GECOS field values and alert on changes containing non-standard characters
- Regularly verify /etc/passwd integrity using checksums against known-good copies
How to Mitigate CVE-2023-29383
Immediate Actions Required
- Update the Shadow package to a version containing the security patch (commit e5905c4b84d4fb90aefcd96ee618411ebfac663d)
- Review /etc/passwd for any existing entries with suspicious control characters
- Consider restricting access to the chfn utility if not required in your environment
- Educate system administrators about this attack vector to prevent social engineering success
Patch Information
The Shadow project has released a patch that updates the valid_field() function in lib/fields.c to explicitly check for and reject control characters in addition to previously blocked illegal characters. The fix is available in the GitHub Commit Update. The patch modifies the field validation logic to return -1 when any control character is detected, preventing them from being written to /etc/passwd.
For Debian-based systems, refer to the Debian LTS Announcement for package update information.
Workarounds
- Remove the SUID bit from the chfn binary (chmod u-s /usr/bin/chfn) if the functionality is not required; a package upgrade may restore the bit, so on Debian-derived systems make the change persistent with dpkg-statoverride
- Restrict who may run chfn through its PAM stack (/etc/pam.d/chfn), for example with pam_listfile, or tighten CHFN_RESTRICT in /etc/login.defs, which controls which GECOS fields ordinary users may change at all (see login.defs(5))
- When verifying /etc/passwd integrity, use cat -v or cat -A, which show a carriage return as ^M, or a hex dump, rather than relying on plain cat output
# Remove SUID bit from chfn if functionality is not needed
chmod u-s /usr/bin/chfn
# Debian/Ubuntu: make the permission change survive package upgrades
dpkg-statoverride --update --add root root 0755 /usr/bin/chfn
# Show control characters instead of interpreting them (a carriage return appears as ^M)
cat -v /etc/passwd
# List entries containing any control byte (GNU grep; LC_ALL=C keeps the match byte-wise)
LC_ALL=C grep -nP '[\x00-\x1f\x7f]' /etc/passwd
# Byte-level view that interprets nothing; od prints CR and TAB as \r and \t
od -c /etc/passwd | grep -E '\\r|\\t'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

