CVE-2023-4641 - Discovered Flaw in Shadow-utils Potentially Exposes Passwords Due to Buffer Cleaning Failure

A security vulnerability identified as CVE-2023-4641 has been discovered within the shadow-utils package, which could potentially result in the exposure of user passwords. In certain circumstances, an attacker with adequate permissions may be able to retrieve the failed password attempt from the memory if the second password entry does not match the first one during the password creation process.

Description

The flaw in question exists within the shadow-utils package, which is a widely-used utility for managing user accounts and passwords on UNIX-based systems. Specifically, the vulnerability stems from an issue in the way shadow-utils handles the buffer cleaning process when setting a new user password.

When a user is prompted to create a new password, shadow-utils asks for the password twice in order to prevent typing errors. However, if the second password entry does not match the first attempt, shadow-utils fails to properly clean the buffer used for storing the initial password entry. As a result, an attacker with enough access permissions may be able to exploit this vulnerability by retrieving the password from the system memory.

Here is a code snippet that demonstrates the issue in the shadow-utils package

#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main() {
    char password1[64];
    char password2[64];

    printf("Enter your new password:\n");
    fgets(password1, sizeof(password1), stdin);

    printf("Confirm your new password:\n");
    fgets(password2, sizeof(password2), stdin);

    if (strcmp(password1, password2) == ) {
        printf("Passwords match, updating...\n");
        // ..
    } else {
        printf("Passwords do not match, try again.\n");
        // Buffer cleaning failure
    }

    memset(password1, , sizeof(password1));
    memset(password2, , sizeof(password2));

    return ;
}

As you can see, the problem arises when the strcmp function determines that the initial password and the confirmation password do not match. At this point, rather than properly cleaning the buffer used for password1, the program simply moves forward, leaving password1 in memory.

Exploit details

In order to exploit this vulnerability, an attacker would need sufficient access permissions to the system in question and potentially the ability to examine the running process's memory. While the precise methods of exploitation may vary depending on the target environment, the core flaw remains consistent across all systems utilizing the affected version of shadow-utils.

For more information on CVE-2023-4641, please consult the following sources

- CVE entry
- NIST National Vulnerability Database (NVD) entry

Conclusion

CVE-2023-4641 is a significant security vulnerability that affects the widely-used shadow-utils package. Systems administrators should patch their systems with the latest available version of shadow-utils and stay informed about relevant updates and security notices. Regular auditing of system access logs and monitoring for abnormal activity will also help to mitigate the potential impact of this and similar vulnerabilities.

Timeline

Published on: 12/27/2023 16:15:13 UTC
Last modified on: 01/04/2024 17:06:55 UTC